libclamav: Add support for Y-type signatures in wdb files.

There are some cases where it is desired to allow a single domain to
have any displayed address and not count that as phishing. An example of
this would be the domain for outlook URL checker, or Google safe
browsing. If a wdb file contains a Y type entry only the real domain
will be matched, not the real and displayed domain.

CLAM-2426

Author: jhumlick

libclamav/CMakeLists.txt

@@ -340,14 +340,15 @@ set(LIBCLAMAV_SOURCES
     # mail & phishing
     iana_cctld.h
     iana_tld.h
-    line.c              line.h
-    mbox.c              mbox.h
-    message.c           message.h
-    phish_domaincheck_db.c phish_domaincheck_db.h
-    phish_allow_list.c  phish_allow_list.h
-    phishcheck.c        phishcheck.h
-    regex_list.c        regex_list.h
-    regex_suffix.c      regex_suffix.h
+    line.c                          line.h
+    mbox.c                          mbox.h
+    message.c                       message.h
+    phish_domaincheck_db.c          phish_domaincheck_db.h
+    phish_allow_real_and_display.c  phish_allow_real_and_display.h
+    phish_allow_real_only.c         phish_allow_real_only.h
+    phishcheck.c                    phishcheck.h
+    regex_list.c                    regex_list.h
+    regex_suffix.c                  regex_suffix.h
     # sis
     sis.c               sis.h
     # tnef

libclamav/filtering.c

@@ -156,9 +156,12 @@ static inline int filter_isset(const struct filter *m, unsigned pos, uint16_t va
 
 static inline void filter_set_atpos(struct filter *m, unsigned pos, uint16_t val)
 {
+    cli_dbgmsg("filter_set_atpos: Setting filter value 0x%04x at pos %u (before: B[val]=0x%02x)\n",
+               val, pos, m->B[val]);
     if (!filter_isset(m, pos, val)) {
         cli_perf_log_count(FILTER_LOAD, pos);
         m->B[val] &= ~(1 << pos);
+        cli_dbgmsg("  After setting: B[0x%04x] = 0x%02x\n", val, m->B[val]);
     }
 }
 
@@ -756,6 +759,7 @@ long filter_search(const struct filter *m, const unsigned char *data, unsigned l
     for (j = 0; j < len - 1; j++) {
         const uint16_t q0 = cli_readint16(&data[j]);
         uint8_t match_end;
+
         state = (state << 1) | B[q0];
         /* state marks with a 0 bit all active states
          * End[q0] marks with a 0 bit all states where the q-gram 'q' can end a pattern

libclamav/others.h

@@ -340,8 +340,9 @@ struct cl_engine {
     struct cli_cdb *cdb;
 
     /* Phishing .pdb and .wdb databases*/
-    struct regex_matcher *allow_list_matcher;
-    struct regex_matcher *domain_list_matcher;
+    struct regex_matcher *phish_allow_real_and_display_matcher;
+    struct regex_matcher *phish_allow_real_only_matcher;
+    struct regex_matcher *phish_protected_domain_matcher;
     struct phishcheck *phishcheck;
 
     /* Dynamic configuration */
@@ -575,16 +576,16 @@ extern LIBCLAMAV_EXPORT int have_rar;
 
 /* based on macros from A. Melnikoff */
 #define cbswap16(v) (((v & 0xff) << 8) | (((v) >> 8) & 0xff))
-#define cbswap32(v) ((((v) & 0x000000ff) << 24) | (((v) & 0x0000ff00) << 8) | \
-                     (((v) & 0x00ff0000) >> 8) | (((v) & 0xff000000) >> 24))
-#define cbswap64(v) ((((v) & 0x00000000000000ffULL) << 56) | \
-                     (((v) & 0x000000000000ff00ULL) << 40) | \
-                     (((v) & 0x0000000000ff0000ULL) << 24) | \
-                     (((v) & 0x00000000ff000000ULL) << 8) |  \
-                     (((v) & 0x000000ff00000000ULL) >> 8) |  \
-                     (((v) & 0x0000ff0000000000ULL) >> 24) | \
-                     (((v) & 0x00ff000000000000ULL) >> 40) | \
-                     (((v) & 0xff00000000000000ULL) >> 56))
+#define cbswap32(v) ((((v)&0x000000ff) << 24) | (((v)&0x0000ff00) << 8) | \
+                     (((v)&0x00ff0000) >> 8) | (((v)&0xff000000) >> 24))
+#define cbswap64(v) ((((v)&0x00000000000000ffULL) << 56) | \
+                     (((v)&0x000000000000ff00ULL) << 40) | \
+                     (((v)&0x0000000000ff0000ULL) << 24) | \
+                     (((v)&0x00000000ff000000ULL) << 8) |  \
+                     (((v)&0x000000ff00000000ULL) >> 8) |  \
+                     (((v)&0x0000ff0000000000ULL) >> 24) | \
+                     (((v)&0x00ff000000000000ULL) >> 40) | \
+                     (((v)&0xff00000000000000ULL) >> 56))
 
 #ifndef HAVE_ATTRIB_PACKED
 #define __attribute__(x)
@@ -833,8 +834,8 @@ cl_error_t cli_dispatch_scan_callback(cli_ctx *ctx, cl_scan_callback_t location)
 /* used by: spin, yc (C) aCaB */
 #define __SHIFTBITS(a) (sizeof(a) << 3)
 #define __SHIFTMASK(a) (__SHIFTBITS(a) - 1)
-#define CLI_ROL(a, b) a = (a << ((b) & __SHIFTMASK(a))) | (a >> ((__SHIFTBITS(a) - (b)) & __SHIFTMASK(a)))
-#define CLI_ROR(a, b) a = (a >> ((b) & __SHIFTMASK(a))) | (a << ((__SHIFTBITS(a) - (b)) & __SHIFTMASK(a)))
+#define CLI_ROL(a, b) a = (a << ((b)&__SHIFTMASK(a))) | (a >> ((__SHIFTBITS(a) - (b)) & __SHIFTMASK(a)))
+#define CLI_ROR(a, b) a = (a >> ((b)&__SHIFTMASK(a))) | (a << ((__SHIFTBITS(a) - (b)) & __SHIFTMASK(a)))
 
 /* Implementation independent sign-extended signed right shift */
 #ifdef HAVE_SAR

libclamav/phish_allow_real_and_display.c

@@ -0,0 +1,80 @@
+/*
+ *  Phishing module: allow list implementation.
+ *
+ *  Copyright (C) 2013-2025 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
+ *  Copyright (C) 2007-2013 Sourcefire, Inc.
+ *
+ *  Authors: Török Edvin
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2 as
+ *  published by the Free Software Foundation.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, write to the Free Software
+ *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ *  MA 02110-1301, USA.
+ */
+
+#if HAVE_CONFIG_H
+#include "clamav-config.h"
+#endif
+
+#ifdef CL_THREAD_SAFE
+#ifndef _REENTRANT
+#define _REENTRANT
+#endif
+#endif
+
+#include <stdio.h>
+#include <string.h>
+#include <ctype.h>
+
+#include "clamav.h"
+#include "others.h"
+#include "phish_allow_real_and_display.h"
+#include "regex_list.h"
+
+#include "mpool.h"
+
+cl_error_t phish_allow_real_and_display_match(const struct cl_engine* engine, char* real_url, const char* display_url, int hostOnly)
+{
+    const char* info; /*unused*/
+    cli_dbgmsg("Phishing: looking up in real and display allow list: %s:%s; host-only:%d\n", real_url, display_url, hostOnly);
+    return engine->phish_allow_real_and_display_matcher ? regex_list_match(engine->phish_allow_real_and_display_matcher, real_url, display_url, NULL, hostOnly, &info, 1) : 0;
+}
+
+cl_error_t phish_allow_real_and_display_init(struct cl_engine* engine)
+{
+    if (engine) {
+        engine->phish_allow_real_and_display_matcher = (struct regex_matcher*)MPOOL_MALLOC(engine->mempool, sizeof(struct regex_matcher));
+        if (!engine->phish_allow_real_and_display_matcher) {
+            cli_errmsg("Phish_allow_list: Unable to allocate memory for allow_list_match\n");
+            return CL_EMEM;
+        }
+#ifdef USE_MPOOL
+        ((struct regex_matcher*)(engine->phish_allow_real_and_display_matcher))->mempool = engine->mempool;
+#endif
+        return init_regex_list(engine->phish_allow_real_and_display_matcher, engine->dconf->other & OTHER_CONF_PREFILTERING);
+    } else
+        return CL_ENULLARG;
+}
+
+int phish_is_allow_real_and_display_ok(const struct cl_engine* engine)
+{
+    return (engine && engine->phish_allow_real_and_display_matcher) ? is_regex_ok(engine->phish_allow_real_and_display_matcher) : 1;
+}
+
+void phish_allow_real_and_display_done(struct cl_engine* engine)
+{
+    if (engine && engine->phish_allow_real_and_display_matcher) {
+        regex_list_done(engine->phish_allow_real_and_display_matcher);
+        MPOOL_FREE(engine->mempool, engine->phish_allow_real_and_display_matcher);
+        engine->phish_allow_real_and_display_matcher = NULL;
+    }
+}

libclamav/phish_allow_real_and_display.h

@@ -0,0 +1,35 @@
+/*
+ *  Phishing module: Allow list implementation.
+ *
+ *  Copyright (C) 2013-2025 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
+ *  Copyright (C) 2007-2013 Sourcefire, Inc.
+ *
+ *  Authors: Török Edvin
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2 as
+ *  published by the Free Software Foundation.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, write to the Free Software
+ *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ *  MA 02110-1301, USA.
+ */
+
+#ifndef _PHISH_ALLOW_REAL_AND_DISPLAY_H
+#define _PHISH_ALLOW_REAL_AND_DISPLAY_H
+
+#include "clamav.h"
+
+cl_error_t phish_allow_real_and_display_init(struct cl_engine* engine);
+void phish_allow_real_and_display_done(struct cl_engine* engine);
+void allow_list_cleanup(const struct cl_engine* engine);
+int phish_is_allow_real_and_display_ok(const struct cl_engine* engine);
+cl_error_t phish_allow_real_and_display_match(const struct cl_engine* engine, char* real_url, const char* display_url, int hostOnly);
+
+#endif

libclamav/phish_allow_list.c renamed to libclamav/phish_allow_real_only.c

@@ -37,44 +37,44 @@
 
 #include "clamav.h"
 #include "others.h"
-#include "phish_allow_list.h"
+#include "phish_allow_real_only.h"
 #include "regex_list.h"
 
 #include "mpool.h"
 
-cl_error_t allow_list_match(const struct cl_engine* engine, char* real_url, const char* display_url, int hostOnly)
+cl_error_t phish_allow_real_only_match(const struct cl_engine* engine, char* real_url, const char* display_url, int hostOnly)
 {
     const char* info; /*unused*/
-    cli_dbgmsg("Phishing: looking up in allow list: %s:%s; host-only:%d\n", real_url, display_url, hostOnly);
-    return engine->allow_list_matcher ? regex_list_match(engine->allow_list_matcher, real_url, display_url, NULL, hostOnly, &info, 1) : 0;
+    cli_dbgmsg("Phishing: looking up in real only allow list: %s:%s; host-only:%d\n", real_url, "", hostOnly);
+    return engine->phish_allow_real_only_matcher ? regex_list_match(engine->phish_allow_real_only_matcher, real_url, "", NULL, hostOnly, &info, 2) : 0;
 }
 
-cl_error_t init_allow_list(struct cl_engine* engine)
+cl_error_t phish_allow_real_only_init(struct cl_engine* engine)
 {
     if (engine) {
-        engine->allow_list_matcher = (struct regex_matcher*)MPOOL_MALLOC(engine->mempool, sizeof(struct regex_matcher));
-        if (!engine->allow_list_matcher) {
+        engine->phish_allow_real_only_matcher = (struct regex_matcher*)MPOOL_MALLOC(engine->mempool, sizeof(struct regex_matcher));
+        if (!engine->phish_allow_real_only_matcher) {
             cli_errmsg("Phish_allow_list: Unable to allocate memory for allow_list_match\n");
             return CL_EMEM;
         }
 #ifdef USE_MPOOL
-        ((struct regex_matcher*)(engine->allow_list_matcher))->mempool = engine->mempool;
+        ((struct regex_matcher*)(engine->phish_allow_real_only_matcher))->mempool = engine->mempool;
 #endif
-        return init_regex_list(engine->allow_list_matcher, engine->dconf->other & OTHER_CONF_PREFILTERING);
+        return init_regex_list(engine->phish_allow_real_only_matcher, engine->dconf->other & OTHER_CONF_PREFILTERING);
     } else
         return CL_ENULLARG;
 }
 
-int is_allow_list_ok(const struct cl_engine* engine)
+int phish_is_allow_real_only_ok(const struct cl_engine* engine)
 {
-    return (engine && engine->allow_list_matcher) ? is_regex_ok(engine->allow_list_matcher) : 1;
+    return (engine && engine->phish_allow_real_only_matcher) ? is_regex_ok(engine->phish_allow_real_only_matcher) : 1;
 }
 
-void allow_list_done(struct cl_engine* engine)
+void phish_allow_real_only_done(struct cl_engine* engine)
 {
-    if (engine && engine->allow_list_matcher) {
-        regex_list_done(engine->allow_list_matcher);
-        MPOOL_FREE(engine->mempool, engine->allow_list_matcher);
-        engine->allow_list_matcher = NULL;
+    if (engine && engine->phish_allow_real_only_matcher) {
+        regex_list_done(engine->phish_allow_real_only_matcher);
+        MPOOL_FREE(engine->mempool, engine->phish_allow_real_only_matcher);
+        engine->phish_allow_real_only_matcher = NULL;
     }
 }

libclamav/phish_allow_list.h renamed to libclamav/phish_allow_real_only.h

@@ -21,15 +21,14 @@
  *  MA 02110-1301, USA.
  */
 
-#ifndef _PHISH_ALLOW_LIST_H
-#define _PHISH_ALLOW_LIST_H
+#ifndef _PHISH_ALLOW_REAL_ONLY_H
+#define _PHISH_ALLOW_REAL_ONLY_H
 
 #include "clamav.h"
 
-cl_error_t init_allow_list(struct cl_engine* engine);
-void allow_list_done(struct cl_engine* engine);
-void allow_list_cleanup(const struct cl_engine* engine);
-int is_allow_list_ok(const struct cl_engine* engine);
-cl_error_t allow_list_match(const struct cl_engine* engine, char* real_url, const char* display_url, int hostOnly);
+cl_error_t phish_allow_real_only_init(struct cl_engine* engine);
+void phish_allow_real_only_done(struct cl_engine* engine);
+int phish_is_allow_real_only_ok(const struct cl_engine* engine);
+cl_error_t phish_allow_real_only_match(const struct cl_engine* engine, char* real_url, const char* display_url, int hostOnly);
 
 #endif

libclamav/phish_domaincheck_db.c

@@ -41,38 +41,38 @@
 #include "phish_domaincheck_db.h"
 #include "regex_list.h"
 
-int domain_list_match(const struct cl_engine* engine, char* real_url, const char* display_url, const struct pre_fixup_info* pre_fixup, int hostOnly)
+int phish_protected_domain_match(const struct cl_engine* engine, char* real_url, const char* display_url, const struct pre_fixup_info* pre_fixup, int hostOnly)
 {
     const char* info;
-    int rc = engine->domain_list_matcher ? regex_list_match(engine->domain_list_matcher, real_url, display_url, hostOnly ? pre_fixup : NULL, hostOnly, &info, 0) : 0;
+    int rc = engine->phish_protected_domain_matcher ? regex_list_match(engine->phish_protected_domain_matcher, real_url, display_url, hostOnly ? pre_fixup : NULL, hostOnly, &info, 0) : 0;
     return rc;
 }
 
-int init_domain_list(struct cl_engine* engine)
+int phish_protected_domain_init(struct cl_engine* engine)
 {
     if (engine) {
-        engine->domain_list_matcher = (struct regex_matcher*)malloc(sizeof(struct regex_matcher));
-        if (!engine->domain_list_matcher) {
+        engine->phish_protected_domain_matcher = (struct regex_matcher*)malloc(sizeof(struct regex_matcher));
+        if (!engine->phish_protected_domain_matcher) {
             cli_errmsg("Phishcheck: Unable to allocate memory for init_domain_list\n");
             return CL_EMEM;
         }
 #ifdef USE_MPOOL
-        ((struct regex_matcher*)engine->domain_list_matcher)->mempool = engine->mempool;
+        ((struct regex_matcher*)engine->phish_protected_domain_matcher)->mempool = engine->mempool;
 #endif
-        return init_regex_list(engine->domain_list_matcher, engine->dconf->other & OTHER_CONF_PREFILTERING);
+        return init_regex_list(engine->phish_protected_domain_matcher, engine->dconf->other & OTHER_CONF_PREFILTERING);
     } else
         return CL_ENULLARG;
 }
 
-int is_domain_list_ok(const struct cl_engine* engine)
+int phish_is_protected_domain_ok(const struct cl_engine* engine)
 {
-    return (engine && engine->domain_list_matcher) ? is_regex_ok(engine->domain_list_matcher) : 1;
+    return (engine && engine->phish_protected_domain_matcher) ? is_regex_ok(engine->phish_protected_domain_matcher) : 1;
 }
 
-void domain_list_done(struct cl_engine* engine)
+void phish_protected_domain_done(struct cl_engine* engine)
 {
-    if (engine && engine->domain_list_matcher) {
-        regex_list_done(engine->domain_list_matcher);
-        free(engine->domain_list_matcher);
+    if (engine && engine->phish_protected_domain_matcher) {
+        regex_list_done(engine->phish_protected_domain_matcher);
+        free(engine->phish_protected_domain_matcher);
     }
 }

libclamav/phish_domaincheck_db.h

@@ -25,10 +25,9 @@
 #define _PHISH_DOMAINCHECK_DB_H
 #include "clamav.h"
 
-int init_domain_list(struct cl_engine* engine);
-void domain_list_done(struct cl_engine* engine);
-void domain_list_cleanup(const struct cl_engine* engine);
-int is_domain_list_ok(const struct cl_engine* engine);
-int domain_list_match(const struct cl_engine* engine, char* real_url, const char* display_url, const struct pre_fixup_info* pre_fixup, int hostOnly);
+int phish_protected_domain_init(struct cl_engine* engine);
+void phish_protected_domain_done(struct cl_engine* engine);
+int phish_is_protected_domain_ok(const struct cl_engine* engine);
+int phish_protected_domain_match(const struct cl_engine* engine, char* real_url, const char* display_url, const struct pre_fixup_info* pre_fixup, int hostOnly);
 
 #endif