Bug #5185: MIME URL extraction missing. - Suricata - Open Information Security Foundation

Actions

Copy link

#1

Updated by Eric Leblond over 2 years ago

Assignee deleted (~~Eric Leblond~~)

Actions

Copy link

#2

Updated by chen dy over 2 years ago

chen dy wrote:

MIME URL extraction missing when the body like this.
From: testa <testa@lalala.com>
To: testb <testb@lalala.com>
Message-ID: <63f2666aa88643e7a165c7a507422e84@lalala.com>
Subject: nnnnn
Content-Type: text/html;
charset="utf-8"
Content-Transfer-Encoding: base64

IDxkaXY+IDxkaXY+IDxkaXY+IDxkaXY+PGRpdj5odHRwOi8vY29kYXNob3AtZnJlZTAxLmR1Y2tk
bnMub3JnLzwvZGl2PjxkaXY+PGJyPjwvZGl2PjxkaXYgaWQ9InNpZ24iPjxkaXYgY2xhc3M9Im0t
YWNjb3VudCI+NTU1NTU1NTU1NTU1NTU1PC9kaXY+PC9kaXY+PC9kaXY+PC9kaXY+PC9kaXY+PC9k
aXY+

.

The result of Base64 decoding is " <div> <div> <div> <div><div>http://codashop-free01.duckdns.org/</div><div><br></div><div id="sign"><div class="m-account">555555555555555</div></div></div></div></div></div>", which doesn't end with CR/LF.
I found there are following comment in src/util-decode-mime.c ProcessDecodedDataChunk function:
“If last token found without CR/LF delimiter, then save and reconstruct with next chunk”.
So in this case, is there a problem with the mail body or the code？

Actions

Copy link

#3