[Forensics-changes] [yara] 60/368: Escape special characters when printing metadata strings

Hilko Bengen bengen at moszumanska.debian.org
Sat Jul 1 10:30:11 UTC 2017


This is an automated email from the git hooks/post-receive script.

bengen pushed a commit to annotated tag v3.5.0
in repository yara.

commit c3e7487738489939213ef82d488c628430bf828e
Author: Victor Manuel Alvarez <vmalvarez at virustotal.com>
Date:   Tue Sep 22 12:06:03 2015 +0200

    Escape special characters when printing metadata strings
---
 yara.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 49 insertions(+), 2 deletions(-)

diff --git a/yara.c b/yara.c
index 890e7a0..1f353cc 100644
--- a/yara.c
+++ b/yara.c
@@ -402,6 +402,45 @@ void print_string(
 }
 
 
+static char cescapes[] = 
+{
+  0  , 0  , 0  , 0  , 0  , 0  , 0  , 'a',
+  'b', 't', 'n', 'v', 'f', 'r', 0  , 0  ,
+  0  , 0  , 0  , 0  , 0  , 0  , 0  , 0  ,
+  0  , 0  , 0  , 0  , 0  , 0  , 0  , 0  ,
+};
+
+
+void print_escaped(
+    uint8_t* data,
+    int length)
+{
+  int i;
+
+  for (i = 0; i < length; i++)
+  {
+    switch (data[i])
+    {
+      case '\"':
+      case '\'':
+      case '\\':
+        printf("\\%c", data[i]);
+        break;
+  
+      default:
+        if (data[i] >= 127) 
+          printf("\\%03o", data[i]);
+        else if (data[i] >= 32)
+          putchar(data[i]);
+        else if (cescapes[data[i]] != 0) 
+          printf("\\%c", cescapes[data[i]]);
+        else 
+          printf("\\%03o", data[i]);
+    }
+  }
+}
+
+
 void print_hex_string(
     uint8_t* data,
     int length)
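Review bot: `print_escaped` is declared with `int length` and a non-const `uint8_t* data`, but the caller added in the second hunk passes `strlen(meta->string)`, a `size_t`, and needs a cast to call it. Declaring it as `void print_escaped(const uint8_t* data, size_t length)` with `size_t i` removes the implicit narrowing and states that the buffer is only read. `cescapes` is never written, so `static const char cescapes[32] =` would pin both its constness and the size that the lookup relies on. The index `cescapes[data[i]]` stays in bounds only because the `>= 32` branch is tested first, which deserves a comment such as `/* data[i] < 32 here, so it indexes the 32-entry table */`. A header comment would also help, saying that this function is what keeps control bytes in rule metadata (ESC, CR, LF) from reaching a terminal or a line-oriented log parser unescaped.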
@@ -551,11 +590,19 @@ int handle_message(int message, YR_RULE* rule, void* data)
           printf(",");
 
         if (meta->type == META_TYPE_INTEGER)
+        {
           printf("%s=%" PRId64, meta->identifier, meta->integer);
+        }
         else if (meta->type == META_TYPE_BOOLEAN)
+        {
           printf("%s=%s", meta->identifier, meta->integer ? "true" : "false");
-        else
-          printf("%s=\"%s\"", meta->identifier, meta->string);
+        }
+        else 
+        {
+          printf("%s=\"", meta->identifier);
+          print_escaped((uint8_t*) (meta->string), strlen(meta->string));
+          putchar('"');
+        }
       }
 
       printf("] ");
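Review bot: Only the value side of `identifier="value"` goes through `print_escaped`; `meta->identifier` is still written with a bare `%s` in all three branches. That is harmless if identifiers can only reach this code through the rule grammar, but I cannot confirm it from the hunk, so it should be checked for rules loaded from a precompiled file. Either route the identifier through `print_escaped` too, or record the assumption next to the branch, e.g. `/* identifiers are limited to [A-Za-z0-9_] by the grammar; only the value needs escaping */`. `handle_message` begins and ends outside this hunk, so other fields printed on the same line are not covered by this note.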

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git


