authorChiara Maggi <83759140+ChiaraMaggi@users.noreply.github.com>2023-07-11 22:45:19 +0200
committerGitHub <noreply@github.com>2023-07-11 22:45:19 +0200
commit0b0f255cc2b4ef18b9c1b51cf71e86de5b2c462b (patch)
tree38ac6f5ad37af500d0618109cae75bbb3a87f827 /src
parent950f5cc4e3ddd9bc0f8881950082283aa381c805 (diff)
added feature to extract filename from http attachment (#2037)
* added feature to extract filename from http attachment * fixed some issues * added check for filename format * added check for filename format * remove an unnecessary print * changed the size from 952 to 960 * modified some test result files * small changes string size * comment removed and mallocs checked
Diffstat (limited to 'src')
-rw-r--r--src/include/ndpi_typedefs.h3
-rw-r--r--src/lib/ndpi_main.c3
-rw-r--r--src/lib/protocols/http.c32
3 files changed, 36 insertions, 2 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index a7f034a74..9bcdfad87 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -1450,6 +1450,7 @@ struct ndpi_flow_struct {
char *url, *content_type /* response */, *request_content_type /* e.g. for POST */, *user_agent, *server;
char *detected_os; /* Via HTTP/QUIC User-Agent */
char *nat_ip; /* Via HTTP X-Forwarded-For */
+ char *filename; /* Via HTTP Content-Disposition */
} http;
ndpi_multimedia_flow_type flow_multimedia_type;
@@ -1677,7 +1678,7 @@ struct ndpi_flow_struct {
_Static_assert(sizeof(((struct ndpi_flow_struct *)0)->protos) <= 210,
"Size of the struct member protocols increased to more than 210 bytes, "
"please check if this change is necessary.");
-_Static_assert(sizeof(struct ndpi_flow_struct) <= 952,
+_Static_assert(sizeof(struct ndpi_flow_struct) <= 960,
"Size of the flow struct increased to more than 952 bytes, "
"please check if this change is necessary.");
#endif
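Review bot: The message of the second `_Static_assert` still reads "more than 952 bytes" although this hunk raises the bound to 960, so a failing build would report the wrong limit. Update the string together with the constant: `"Size of the flow struct increased to more than 960 bytes, "`. The 8-byte growth is presumably the one `char *filename` pointer added to the `http` member on 64-bit targets.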
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 1d2d728d4..10bbb4095 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -5356,6 +5356,9 @@ void ndpi_free_flow_data(struct ndpi_flow_struct* flow) {
if(flow->http.server)
ndpi_free(flow->http.server);
+ if(flow->http.filename)
+ ndpi_free(flow->http.filename);
+
if(flow->kerberos_buf.pktbuf)
ndpi_free(flow->kerberos_buf.pktbuf);
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index f1fe04723..f54c3e077 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -276,7 +276,6 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo
flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT;
ndpi_set_binary_application_transfer(ndpi_struct, flow, str);
NDPI_LOG_INFO(ndpi_struct, "Found executable HTTP transfer");
- return(flow->category);
}
}
}
@@ -291,6 +290,33 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo
if(packet->content_disposition_line.len > attachment_len) {
u_int8_t filename_len = packet->content_disposition_line.len - attachment_len;
int i;
+
+ if(packet->content_disposition_line.ptr[attachment_len] == '\"'){
+ if(packet->content_disposition_line.ptr[packet->content_disposition_line.len-1] != '\"'){
+ //case: filename="file_name
+ flow->http.filename = ndpi_malloc(filename_len);
+ if(flow->http.filename != NULL){
+ flow->http.filename = strncpy(flow->http.filename, (char*)packet->content_disposition_line.ptr+attachment_len+1, filename_len-1);
+ flow->http.filename[filename_len-1] = '\0';
+ }
+ }
+ else{
+ //case: filename="file_name"
+ flow->http.filename = ndpi_malloc(filename_len-1);
+ if(flow->http.filename != NULL){
+ flow->http.filename = strncpy(flow->http.filename, (char*)packet->content_disposition_line.ptr+attachment_len+1, filename_len-2);
+ flow->http.filename[filename_len-2] = '\0';
+ }
+ }
+ }
+ else{
+ //case: filename=file_name
+ flow->http.filename = ndpi_malloc(filename_len+1);
+ if(flow->http.filename != NULL){
+ flow->http.filename = strncpy(flow->http.filename, (char*)packet->content_disposition_line.ptr+attachment_len, filename_len);
+ flow->http.filename[filename_len] = '\0';
+ }
+ }
if(filename_len > ATTACHMENT_LEN) {
attachment_len += filename_len-ATTACHMENT_LEN-1;
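Review bot: The two quoted branches subtract from `filename_len` with no lower bound, so a Content-Disposition value that ends right after the opening quote (`filename_len == 1`) reaches `ndpi_malloc(filename_len-1)` with size 0, then `strncpy(..., filename_len-2)` with -1 converted to `size_t`, then a write to `flow->http.filename[-1]`, which is a heap overflow driven by packet data. `filename_len` is also a `u_int8_t`, so it wraps on long lines and can become 0, which triggers the same underflow in the `filename="file_name` branch. The assignment also overwrites `flow->http.filename` without freeing an earlier value, which would leak if a second response is parsed before `reset()` runs (that call order is not visible in this hunk). I would compute the start and length once in `size_t`, strip the quotes with bounds checks and do a single allocation and `memcpy`, as sketched below; the function body continues outside the hunk.

```c
/* … unchanged: filename_len and i declarations … */
const char *name = (const char *)packet->content_disposition_line.ptr + attachment_len;
size_t name_len = packet->content_disposition_line.len - attachment_len;

if(name_len > 0 && name[0] == '\"') {
  name++;                                   /* drop opening quote */
  name_len--;
  if(name_len > 0 && name[name_len-1] == '\"')
    name_len--;                             /* drop closing quote, if present */
}

if(flow->http.filename != NULL) {
  ndpi_free(flow->http.filename);           /* do not leak a previous value */
  flow->http.filename = NULL;
}

flow->http.filename = ndpi_malloc(name_len + 1);
if(flow->http.filename != NULL) {
  memcpy(flow->http.filename, name, name_len);
  flow->http.filename[name_len] = '\0';
}
/* … unchanged: ATTACHMENT_LEN extension check … */
```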
@@ -1292,6 +1318,10 @@ static void reset(struct ndpi_detection_module_struct *ndpi_struct,
ndpi_free(flow->http.nat_ip);
flow->http.nat_ip = NULL;
}
+ if(flow->http.filename) {
+ ndpi_free(flow->http.filename);
+ flow->http.filename = NULL;
+ }
/* Reset flow risks. We should reset only those risks triggered by
the previous HTTP response... */