From: Maurizio Abba <mabba@lastline.com>
Date: Tue, 31 Jul 2018 06:08:10 +0000 (+0100)
Subject: detect: fix fileext and filename negated match
X-Git-Tag: suricata-4.0.6~57
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8ec005afd6da5e88afdf7165647e1419abc08308;p=thirdparty%2Fsuricata.git

detect: fix fileext and filename negated match

fix bug in fileext and filename preventing negated match to work
correctly. Previously, negated fileext (such as !"php") would cause a
match anyway on files that have extension php, as the last if would not
be accessed.

Using the same workflow as detect-filemagic we remove the final
isolated if and set it as a branch of the previous if.
---

diff --git a/src/detect-fileext.c b/src/detect-fileext.c
index 223ebfc216..817a5fe859 100644
--- a/src/detect-fileext.c
+++ b/src/detect-fileext.c
@@ -116,9 +116,7 @@ static int DetectFileextMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
             ret = 1;
             SCLogDebug("File ext found");
         }
-    }
-
-    if (ret == 0 && (fileext->flags & DETECT_CONTENT_NEGATED)) {
+    } else if (fileext->flags & DETECT_CONTENT_NEGATED) {
         SCLogDebug("negated match");
         ret = 1;
     }
diff --git a/src/detect-filename.c b/src/detect-filename.c
index 27e8dd2b10..190096e593 100644
--- a/src/detect-filename.c
+++ b/src/detect-filename.c
@@ -141,7 +141,7 @@ static int DetectFilenameMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx,
         }
     }
 
-    if (ret == 0 && (filename->flags & DETECT_CONTENT_NEGATED)) {
+    else if (filename->flags & DETECT_CONTENT_NEGATED) {
         SCLogDebug("negated match");
         ret = 1;
     }