Skip to content

Commit

Permalink
ClamD: Disable VirusEvent '%f' feature, use environment var instead
Browse files Browse the repository at this point in the history
The '%f' filename format character has been disabled and will no longer
be replaced with the file name, due to command injection security concerns.
Use the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead.

For the same reason, you should NOT use the environment variables in the
command directly, but should use it carefully from your executed script.
  • Loading branch information
micahsnyder committed Jan 22, 2024
1 parent 03ac366 commit 9ca550b
Show file tree
Hide file tree
Showing 5 changed files with 40 additions and 20 deletions.
8 changes: 5 additions & 3 deletions clamd/clamd_others.c
Original file line number Diff line number Diff line change
Expand Up @@ -101,6 +101,8 @@ void virusaction(const char *filename, const char *virname,
#define VE_FILENAME "CLAM_VIRUSEVENT_FILENAME"
#define VE_VIRUSNAME "CLAM_VIRUSEVENT_VIRUSNAME"

#define FILENAME_DISABLED_MESSAGE "The filename format character has been disabled due to security concerns, use the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead."

void virusaction(const char *filename, const char *virname,
const struct optstruct *opts)
{
Expand Down Expand Up @@ -145,7 +147,7 @@ void virusaction(const char *filename, const char *virname,
}
len = strlen(opt->strarg);
buffer_cmd =
(char *)calloc(len + v * strlen(virname) + f * strlen(filename) + 1, sizeof(char));
(char *)calloc(len + v * strlen(virname) + f * strlen(FILENAME_DISABLED_MESSAGE) + 1, sizeof(char));
if (!buffer_cmd) {
if (path)
xfree(env[0]);
Expand All @@ -160,8 +162,8 @@ void virusaction(const char *filename, const char *virname,
j += strlen(virname);
i++;
} else if (i + 1 < len && opt->strarg[i] == '%' && opt->strarg[i + 1] == 'f') {
strcat(buffer_cmd, filename);
j += strlen(filename);
strcat(buffer_cmd, FILENAME_DISABLED_MESSAGE);
j += strlen(FILENAME_DISABLED_MESSAGE);
i++;
} else {
buffer_cmd[j++] = opt->strarg[i];
Expand Down
2 changes: 1 addition & 1 deletion common/optparser.c
Original file line number Diff line number Diff line change
Expand Up @@ -337,7 +337,7 @@ const struct clam_option __clam_options[] = {

{"DisableCache", "disable-cache", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "This option allows you to disable clamd's caching feature.", "no"},

{"VirusEvent", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, NULL, 0, OPT_CLAMD, "Execute a command when a virus is found. In the command string %v will be\nreplaced with the virus name and %f will be replaced with the file name.\nAdditionally, two environment variables will be defined: $CLAM_VIRUSEVENT_FILENAME\nand $CLAM_VIRUSEVENT_VIRUSNAME.", "/usr/bin/mailx -s \"ClamAV VIRUS ALERT: %v\" alert < /dev/null"},
{"VirusEvent", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, NULL, 0, OPT_CLAMD, "Execute a command when virus is found.\nUse the following environment variables to identify the file and virus names:\n- $CLAM_VIRUSEVENT_FILENAME\n- $CLAM_VIRUSEVENT_VIRUSNAME\nIn the command string, '%v' will also be replaced with the virus name.\nNote: The '%f' filename format character has been disabled and will no longer\nbe replaced with the file name, due to command injection security concerns.\nUse the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead.\nFor the same reason, you should NOT use the environment variables in the\ncommand directly, but should use it carefully from your executed script.", "/opt/send_virus_alert_sms.sh"},

{"ExitOnOOM", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD, "Stop the daemon when libclamav reports an out of memory condition.", "yes"},

Expand Down
14 changes: 10 additions & 4 deletions docs/man/clamd.conf.5.in
Original file line number Diff line number Diff line change
Expand Up @@ -245,10 +245,16 @@ Enable non-blocking (multi-threaded/concurrent) database reloads. This feature w
Default: yes
.TP
\fBVirusEvent COMMAND\fR
Execute a command when a virus is found. In the command string %v will be
replaced with the virus name and %f will be replaced with the file name.
Additionally, two environment variables will be defined: $CLAM_VIRUSEVENT_FILENAME
and $CLAM_VIRUSEVENT_VIRUSNAME.
Execute a command when virus is found.
Use the following environment variables to identify the file and virus names:
- $CLAM_VIRUSEVENT_FILENAME
- $CLAM_VIRUSEVENT_VIRUSNAME
In the command string, '%v' will also be replaced with the virus name.
Note: The '%f' filename format character has been disabled and will no longer
be replaced with the file name, due to command injection security concerns.
Use the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead.
For the same reason, you should NOT use the environment variables in the
command directly, but should use it carefully from your executed script.
\fR
.br
Default: disabled
Expand Down
18 changes: 12 additions & 6 deletions etc/clamd.conf.sample
Original file line number Diff line number Diff line change
Expand Up @@ -215,12 +215,18 @@ Example
# Default: yes
#ConcurrentDatabaseReload no

# Execute a command when virus is found. In the command string %v will
# be replaced with the virus name and %f will be replaced with the file name.
# Additionally, two environment variables will be defined: $CLAM_VIRUSEVENT_FILENAME
# and $CLAM_VIRUSEVENT_VIRUSNAME.
# Default: no
#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v in %f"
# Execute a command when virus is found.
# Use the following environment variables to identify the file and virus names:
# - $CLAM_VIRUSEVENT_FILENAME
# - $CLAM_VIRUSEVENT_VIRUSNAME
# In the command string, '%v' will also be replaced with the virus name.
# Note: The '%f' filename format character has been disabled and will no longer
# be replaced with the file name, due to command injection security concerns.
# Use the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead.
# For the same reason, you should NOT use the environment variables in the
# command directly, but should use it carefully from your executed script.
# Default: no
#VirusEvent /opt/send_virus_alert_sms.sh

# Run as another user (clamd must be started by root for this option to work)
# Default: don't drop privileges
Expand Down
18 changes: 12 additions & 6 deletions win32/conf_examples/clamd.conf.sample
Original file line number Diff line number Diff line change
Expand Up @@ -187,12 +187,18 @@ TCPAddr localhost
# Default: yes
#ConcurrentDatabaseReload no

# Execute a command when virus is found. In the command string %v will
# be replaced with the virus name and %f will be replaced with the file name.
# Additionally, two environment variables will be defined: $CLAM_VIRUSEVENT_FILENAME
# and $CLAM_VIRUSEVENT_VIRUSNAME.
# Default: no
#VirusEvent "C:\example\SendEmail.ps1" email@addresscom "VIRUS ALERT: %v in %f"
# Execute a command when virus is found.
# Use the following environment variables to identify the file and virus names:
# - $CLAM_VIRUSEVENT_FILENAME
# - $CLAM_VIRUSEVENT_VIRUSNAME
# In the command string, '%v' will also be replaced with the virus name.
# Note: The '%f' filename format character has been disabled and will no longer
# be replaced with the file name, due to command injection security concerns.
# Use the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead.
# For the same reason, you should NOT use the environment variables in the
# command directly, but should use it carefully from your executed script.
# Default: no
#VirusEvent "C:\example\SendVirusAlertEmail.ps1"

# Run as another user (clamd must be started by root for this option to work)
# Default: don't drop privileges
Expand Down

0 comments on commit 9ca550b

Please sign in to comment.