authorChiara Maggi <83759140+ChiaraMaggi@users.noreply.github.com>2023-07-11 22:45:19 +0200
committerGitHub <noreply@github.com>2023-07-11 22:45:19 +0200
commit0b0f255cc2b4ef18b9c1b51cf71e86de5b2c462b (patch)
tree38ac6f5ad37af500d0618109cae75bbb3a87f827 /src/lib/protocols
parent950f5cc4e3ddd9bc0f8881950082283aa381c805 (diff)
added feature to extract filename from http attachment (#2037)
* added feature to extract filename from http attachment * fixed some issues * added check for filename format * added check for filename format * remove an unnecessary print * changed the size from 952 to 960 * modified some test result files * small changes string size * comment removed and mallocs checked
Diffstat (limited to 'src/lib/protocols')
1 files changed, 31 insertions, 1 deletions
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index f1fe04723..f54c3e077 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -276,7 +276,6 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo
flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT;
ndpi_set_binary_application_transfer(ndpi_struct, flow, str);
NDPI_LOG_INFO(ndpi_struct, "Found executable HTTP transfer");
- return(flow->category);
}
}
}
@@ -291,6 +290,33 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo
if(packet->content_disposition_line.len > attachment_len) {
u_int8_t filename_len = packet->content_disposition_line.len - attachment_len;
int i;
+
+ if(packet->content_disposition_line.ptr[attachment_len] == '\"'){
+ if(packet->content_disposition_line.ptr[packet->content_disposition_line.len-1] != '\"'){
+ //case: filename="file_name
+ flow->http.filename = ndpi_malloc(filename_len);
+ if(flow->http.filename != NULL){
+ flow->http.filename = strncpy(flow->http.filename, (char*)packet->content_disposition_line.ptr+attachment_len+1, filename_len-1);
+ flow->http.filename[filename_len-1] = '\0';
+ }
+ }
+ else{
+ //case: filename="file_name"
+ flow->http.filename = ndpi_malloc(filename_len-1);
+ if(flow->http.filename != NULL){
+ flow->http.filename = strncpy(flow->http.filename, (char*)packet->content_disposition_line.ptr+attachment_len+1, filename_len-2);
+ flow->http.filename[filename_len-2] = '\0';
+ }
+ }
+ }
+ else{
+ //case: filename=file_name
+ flow->http.filename = ndpi_malloc(filename_len+1);
+ if(flow->http.filename != NULL){
+ flow->http.filename = strncpy(flow->http.filename, (char*)packet->content_disposition_line.ptr+attachment_len, filename_len);
+ flow->http.filename[filename_len] = '\0';
+ }
+ }
if(filename_len > ATTACHMENT_LEN) {
attachment_len += filename_len-ATTACHMENT_LEN-1;
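Review bot: In the two quoted branches the copy length can underflow. When the header value ends right at the opening quote, `filename_len` is 1 and the first and last byte are the same `"`, so the `filename="file_name"` branch calls `ndpi_malloc(filename_len-1)` with 0, then `strncpy(..., filename_len-2)` where -1 converts to SIZE_MAX, and then writes `flow->http.filename[-1]`. Because `filename_len` is a `u_int8_t`, a length difference of 256 truncates to 0 and sends the unterminated-quote branch down the same path, so this heap overflow is driven by packet contents. The pointer is also assigned without freeing an earlier value, which leaks if this code can run twice on a flow before `reset()` (not visible from this hunk). I would compute the start and length once as `size_t`, strip the quotes with bounds checks and allocate `name_len + 1` in one place, as below; the enclosing function starts and ends outside the hunk.

```c
if(packet->content_disposition_line.len > attachment_len) {
  // … unchanged: filename_len and i declarations …
  const char *name = (const char *)packet->content_disposition_line.ptr + attachment_len;
  size_t name_len = (size_t)packet->content_disposition_line.len - attachment_len; /* >= 1 because of the guard above */

  if(name[0] == '\"') {
    /* drop the opening quote, and the closing one only if it is really there */
    name++;
    name_len--;
    if(name_len > 0 && name[name_len-1] == '\"')
      name_len--;
  }

  if(flow->http.filename != NULL)
    ndpi_free(flow->http.filename); /* do not leak a name stored earlier on this flow */

  flow->http.filename = ndpi_malloc(name_len + 1);
  if(flow->http.filename != NULL) {
    memcpy(flow->http.filename, name, name_len);
    flow->http.filename[name_len] = '\0';
  }
  // … unchanged: if(filename_len > ATTACHMENT_LEN) handling …
```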
@@ -1292,6 +1318,10 @@ static void reset(struct ndpi_detection_module_struct *ndpi_struct,
ndpi_free(flow->http.nat_ip);
flow->http.nat_ip = NULL;
}
+ if(flow->http.filename) {
+ ndpi_free(flow->http.filename);
+ flow->http.filename = NULL;
+ }
/* Reset flow risks. We should reset only those risks triggered by
the previous HTTP response... */