Bug #5185
openMIME URL extraction missing.
Description
MIME URL extraction missing when the body like this.
@From: testa <testa@lalala.com>
To: testb <testb@lalala.com>
Message-ID: <63f2666aa88643e7a165c7a507422e84@lalala.com>
Subject: nnnnn
Content-Type: text/html;
charset="utf-8"
Content-Transfer-Encoding: base64
IDxkaXY+IDxkaXY+IDxkaXY+IDxkaXY+PGRpdj5odHRwOi8vY29kYXNob3AtZnJlZTAxLmR1Y2tk
bnMub3JnLzwvZGl2PjxkaXY+PGJyPjwvZGl2PjxkaXYgaWQ9InNpZ24iPjxkaXYgY2xhc3M9Im0t
YWNjb3VudCI+NTU1NTU1NTU1NTU1NTU1PC9kaXY+PC9kaXY+PC9kaXY+PC9kaXY+PC9kaXY+PC9k
aXY+
.@
Updated by chen dy about 2 years ago
chen dy wrote:
MIME URL extraction missing when the body like this.
From: testa <testa@lalala.com>
To: testb <testb@lalala.com>
Message-ID: <63f2666aa88643e7a165c7a507422e84@lalala.com>
Subject: nnnnn
Content-Type: text/html;
charset="utf-8"
Content-Transfer-Encoding: base64IDxkaXY+IDxkaXY+IDxkaXY+IDxkaXY+PGRpdj5odHRwOi8vY29kYXNob3AtZnJlZTAxLmR1Y2tk
bnMub3JnLzwvZGl2PjxkaXY+PGJyPjwvZGl2PjxkaXYgaWQ9InNpZ24iPjxkaXYgY2xhc3M9Im0t
YWNjb3VudCI+NTU1NTU1NTU1NTU1NTU1PC9kaXY+PC9kaXY+PC9kaXY+PC9kaXY+PC9kaXY+PC9k
aXY+.
The result of Base64 decoding is " <div> <div> <div> <div><div>http://codashop-free01.duckdns.org/</div><div><br></div><div id="sign"><div class="m-account">555555555555555</div></div></div></div></div></div>", which doesn't end with CR/LF.
I found there are following comment in src/util-decode-mime.c ProcessDecodedDataChunk function:
“If last token found without CR/LF delimiter, then save and reconstruct with next chunk”.
So in this case, is there a problem with the mail body or the code?
Updated by Victor Julien about 2 years ago
- Assignee deleted (
Victor Julien)
Please leave setting the assignee to the team, thank you.
Updated by Philippe Antoine 5 months ago
Could you share as a pcap or even better, a suricata-verify test ?