From: Bhagya Tholpady (bbantwal) <bbantwal@cisco.com>
Date: Fri, 11 Dec 2020 15:30:38 +0000 (+0000)
Subject: Merge pull request #2646 in SNORT/snort3 from ~OSERHIIE/snort3:bug_CSCvw42309 to... 
X-Git-Tag: 3.0.3-6~11
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2f5a6e5763eeda39cd919113e304845733c835e5;p=thirdparty%2Fsnort3.git

Merge pull request #2646 in SNORT/snort3 from ~OSERHIIE/snort3:bug_CSCvw42309 to master

Squashed commit of the following:

commit 35252f9f1f00e0d9a637ff3c39374d1c1b9c37e7
Author: Oleksandr Serhiienko <oserhiie@cisco.com>
Date:   Mon Nov 30 11:46:59 2020 +0200

    parser: add escaping for double quotes and special chars in a rule body
---

diff --git a/src/parser/parse_rule.cc b/src/parser/parse_rule.cc
index 05aa3a8b6..93dd904f6 100644
--- a/src/parser/parse_rule.cc
+++ b/src/parser/parse_rule.cc
@@ -1074,6 +1074,36 @@ void parse_rule_dir(SnortConfig*, const char* s, RuleTreeNode& rtn, bool elided)
         ParseError("illegal direction specifier: %s", s);
 }
 
+// Values of the rule options "pcre", "regex" and "sd_pattern" are already escaped
+// They are not unescaped during the rule parsing
+static bool is_already_escaped(const std::string& opt_key)
+{ return opt_key == "pcre" or opt_key == "regex" or opt_key == "sd_pattern"; }
+
+static std::string escape(const std::string& s)
+{
+    std::string res;
+
+    for ( auto it = s.begin(); it != s.end(); ++it )
+    {
+        switch ( *it )
+        {
+        case '"': res += ( it > s.begin() and it < s.end() - 1 ) ? "\\\"" : "\""; continue;
+        case '\\': res += "\\\\"; continue;
+        case '\a': res += "\\a"; continue;
+        case '\b': res += "\\b"; continue;
+        case '\f': res += "\\f"; continue;
+        case '\n': res += "\\n"; continue;
+        case '\r': res += "\\r"; continue;
+        case '\t': res += "\\t"; continue;
+        case '\v': res += "\\v"; continue;
+        }
+
+        res += *it;
+    }
+
+    return res;
+}
+
 void parse_rule_opt_begin(SnortConfig* sc, const char* key)
 {
     if ( s_ignore )
@@ -1094,10 +1124,11 @@ void parse_rule_opt_set(
     if ( s_ignore )
         return;
 
+    assert(opt);
     assert(val);
     if ( s_capture )
     {
-        s_body += opt;
+        s_body +=  is_already_escaped(key) ? opt : escape(opt);
         if ( *val )
         {
             s_body += " ";