use the following changed
<<<(?:ht|f)tps?\:\/\/(?:\w[\w\.\-]*\.\w\w+|\[[\d\.]*\.\d+\])\/[\x21-\x3F\x41-\x7E]+?\.(?:scr|ad[ep]|asx|ba[st]|chm|cmd|com|cpl|crt|dbx|exe|hlp|ht[ab]|in[fs]|isp|js|jse|lnk|md[abez]|mht|ms[cipt]|nch|pcd|pif|prf|reg|sc[frt]|sh[bs]|vb|vb[es]|wms|ws[cfh]|zap)>>>
this will not detect the string if an '@' (\x40) is found anywhere -
assuming it's an email address - this is not perfect but should solve the
problem for now
>Thomas, can you see any simple way to have it disqualify anything in
>the URI following a & or ? character?
Hm... see the following URL:
http://www.domain.com/download.php?file=virus.com
the changed regex will detect this - but:
http://www.domain.com/[email protected]&file=virus.com
or
http://www.domain.com/[email protected]&file=virus.com&anyhive=165743...@!vb-g
will be hard to detect - for such things we'll need a separate regex -
let's wait until it is time for this - otherwise it would be a shot in
the dark.
Thomas
From: Scott MacLean <[email protected]>
To: ASSP development mailing list <[email protected]>
Date: 19.10.2010 18:33
Subject: [Assp-test] False positive BombDataRE
I'm getting a lot of complaints about false positives recently, and
have discovered the cause. It's this line, which I believe is one
that Thomas wrote:
<<<(?:ht|f)tps?\:\/\/(?:\w[\w\.\-]*\.\w\w+|\[[\d\.]*\.\d+\])\/[\x21-\x7E]+?\.(?:scr|ad[ep]|asx|ba[st]|chm|cmd|com|cpl|crt|dbx|exe|hlp|ht[ab]|in[fs]|isp|js|jse|lnk|md[abez]|mht|ms[cipt]|nch|pcd|pif|prf|reg|sc[frt]|sh[bs]|vb|vb[es]|wms|ws[cfh]|zap)>>>
The problem is that emails that have unsubscribe links such as this:
http://whatever.domain.com/unsubscribe.php?othervar=something&[email protected]
are triggering this regex, because it's seeing the ".com" at the end
of the email address and assuming it's a link to an executable.
Obviously I can fix it easily by removing the "com" from the list of
executables, but then I don't catch links to .com files.
Thomas, can you see any simple way to have it disqualify anything in
the URI following a & or ? character?
_______________________________________________
Assp-test mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-test