From: Jason Ish
Date: Mon, 19 Sep 2016 16:43:00 +0000 (-0600)
Subject: rule parsing: check for balanced double quotes
X-Git-Tag: suricata-3.2beta1~304
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=04da43d65d4ba812a0595f6018d48344d1f155ef;p=thirdparty%2Fsuricata.git

rule parsing: check for balanced double quotes

If a rule option value starts with a double quote, ensure it ends with a double quote, exclusive of white space which gets trimmed anyways. Catches errors like 'filemagic:"picture" sid:5555555;' reporting that a missing semicolon may be the error.
---

diff --git a/src/detect-parse.c b/src/detect-parse.c
index 1427565ecf..c9373c21d6 100644
--- a/src/detect-parse.c
+++ b/src/detect-parse.c
@@ -608,6 +608,26 @@ static int SigParseOptions(DetectEngineCtx *de_ctx, Signature *s, char *optstr,
 }
 }
 
+ /* Validate double quoting, trimming trailing white space along the way. */
+ if (strlen(optvalue) > 0) {
+ size_t ovlen = strlen(optvalue);
+ if (ovlen && optvalue[0] == '"') {
+ for (; ovlen > 0; ovlen--) {
+ if (isblank(optvalue[ovlen - 1])) {
+ optvalue[ovlen - 1] = '\0';
+ } else {
+ break;
+ }
+ }
+ if (ovlen && optvalue[ovlen - 1] != '"') {
+ SCLogError(SC_ERR_INVALID_SIGNATURE,
+ "bad option value formatting (possible missing semicolon) "
+ "for keyword %s: \'%s\'", optname, optvalue);
+ goto error;
+ }
+ }
+ }
+
 /* setup may or may not add a new SigMatch to the list */
 if (st->Setup(de_ctx, s, strlen(optvalue) ? optvalue : NULL) < 0) {
 SCLogDebug("\"%s\" failed to setup", st->name);
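Review bot: A value that is only a single `"` (or a quote followed by blanks) passes the new check, because after trimming `optvalue[0]` and `optvalue[ovlen - 1]` are the same character; the final test should require two quote characters, `if (ovlen < 2 || optvalue[ovlen - 1] != '"') {`. In the trim loop `isblank()` receives a plain `char`, which is undefined for bytes above 0x7f where `char` is signed, and rule text can carry such bytes: `if (isblank((unsigned char)optvalue[ovlen - 1])) {`. The check also treats an escaped closing quote (`\"`) as a terminator, so a value ending in `\"` with the real closing quote missing would presumably still pass; whether that matters depends on how the keyword Setup functions unescape, which is outside this hunk. SigParseOptions starts and ends outside the hunk.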
@@ -3585,6 +3605,21 @@ end:
 return result;
 }
 
+static int SigParseTestUnblanacedQuotes01(void)
+{
+ DetectEngineCtx *de_ctx;
+ Signature *s;
+
+ de_ctx = DetectEngineCtxInit();
+ FAIL_IF_NULL(de_ctx);
+ de_ctx->flags |= DE_QUIET;
+
+ s = SigInit(de_ctx, "alert http any any -> any any (msg:\"SigParseTestUnblanacedQuotes01\"; pcre:\"/\\/[a-z]+\\.php\\?[a-z]+?=\\d{7}&[a-z]+?=\\d{7,8}$/U\" flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017078; rev:5;)");
+ FAIL_IF_NOT_NULL(s);
+
+ PASS;
+}
+
 #endif /* UNITTESTS */
 
 void SigParseRegisterTests(void)
@@ -3639,5 +3674,7 @@ void SigParseRegisterTests(void)
 UtRegisterTest("SigParseTestAppLayerTLS01", SigParseTestAppLayerTLS01);
 UtRegisterTest("SigParseTestAppLayerTLS02", SigParseTestAppLayerTLS02);
 UtRegisterTest("SigParseTestAppLayerTLS03", SigParseTestAppLayerTLS03);
+ UtRegisterTest("SigParseTestUnblanacedQuotes01",
+ SigParseTestUnblanacedQuotes01);
 #endif /* UNITTESTS */
 }
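Review bot: The new test never releases `de_ctx`, so every run leaks the detection engine context and will show up under leak checking; add `DetectEngineCtxFree(de_ctx);` before `PASS;`. It also covers only the rejection path: a companion case asserting that a correctly quoted value with trailing blanks before the semicolon still loads would pin the trimming behaviour added in SigParseOptions. The name is misspelled (`Unblanaced` for `Unbalanced`) in the function, the rule's msg and the registration in the last hunk.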