Switch file patch.

Author: Maikuolan

Changelog.md

@@ -152,3 +152,4 @@ __*Why "v3.0.0" instead of "v1.0.0?"*__ Prior to phpMussel v3, the "phpMussel Co
 - [2024.10.15]: Added support to optionally disable adding new hash cache entries when a specific instance cache flag is used.
 - [2024.10.15]: Added support to inform the user via an optional instance cache flag which flags were set by the switch file during the scan when scanning via CLI.
 - [2024.10.15]: Added MP4 file type detection and modified PHP file type detection to reduce the risk of false positives (e.g., see phpMussel/phpMussel#241).
+- [2024.10.15]: Improved the phpMussel switch file.

assets/switch.dat

@@ -1,47 +1,69 @@
-Switch file for phpMussel.
-
-== Sets flags for ignoring some certain ClamAV signature files ==
-FD-RX:377f068[23]002de218:A:8;infectable=false
-FD:252150532d41646f62652d:A:11;infectable=false
-FD:28546869732066696c65206d75737420626520636f6e76657274656420776974682042696e48657820342e3029:A:45;infectable=false
-FD:2e524d46:A:4;infectable=false
-FD:2f5247420a49440affffffffffffffffffffffffffffffffffffffffffffffff:0:128;infectable=false
-FD:494433:A:3;infectable=false
-FD:4f676753:A:4;infectable=false
-FD:5349502d48495420285349502f48:A:14;infectable=false
-FD:53514c69746520666f726d6174203300:A:16;infectable=false
-FD:53594d430100:A:6;infectable=false
-FD:d9d505f920a163d7:A:8;infectable=false
-FD:fffb90:A:3;infectable=false
-
-== Assists with determining potential file content ==
-$fileswitch:unassigned;FN:\.[Mm][Pp]?4.?$;FD-RX:63(686170|6c6970|72676e|746162)|66726565|66747970|696d6170|6a7032|6b6d6174|6c6f6164|6d(617474|646174|6f6f66|6f6f76)|70696374|706e6f74|73(637074|6b6970|737263|796e63)|746d6364|75647461|75756964|77696465:4:4;fileswitch=mp4
-$fileswitch:unassigned;FD:4d5a:A:2;fileswitch=pefile
-$fileswitch:unassigned;FD-RX:(cafebabe|cafed00d|cefaedfe|cffaedfe|feedface|feedfacf):A:4;fileswitch=java
-$fileswitch:unassigned;FD-RX:494433|fffb90:A:3;fileswitch=mp3
-$fileswitch:unassigned;FD-NORM-RX:23212f7573722f(6c6f63616c2f)?62696e2f(656e76)?7065726c:A:24;fileswitch=perl
-$fileswitch:unassigned;FD:43723234:A:4;fileswitch=chrome
-$fileswitch:unassigned;FD:4c00000001140200:A:8;fileswitch=lnk
-$fileswitch:unassigned;FD:d0cf11:A:3;fileswitch=docfile
-$fileswitch:unassigned;FD-NORM-RX:23212f7573722f(6c6f63616c2f)?62696e2f(656e76)?707974686f6e:A:26;fileswitch=py
-$fileswitch:unassigned;FD-NORM:6372656174656f626a656374;fileswitch=vb
-$fileswitch:unassigned;FD-NORM:406563686f;fileswitch=bat
-$fileswitch:unassigned;FD-NORM-RX:3c736372697074.{0,128}(6c616e67756167653d2[27]76627363726970742[27]|747970653d2[27]746578742f76627363726970742[27]);fileswitch=vb
-$fileswitch:unassigned;FD-NORM-RX:3c736372697074.{0,128}(6c616e67756167653d2[27]6a6176617363726970742[27]|747970653d2[27]746578742f6a6176617363726970742[27]);fileswitch=js
-$fileswitch:unassigned;FD-NORM-RX:3c25406c616e67756167653d(2[27])?76627363726970742e656e636f6465;fileswitch=vb
-$fileswitch:unassigned;FD-NORM-RX:23212f7573722f(6c6f63616c2f)?62696e2f(656e76)?72756279:A:24;fileswitch=ruby
-$fileswitch:unassigned;FN:\.([Bb][Aa][Tt]|[Cc][Mm][Dd]|[Bb][Tt][Mm])$;fileswitch=bat
-$fileswitch:unassigned;FN:\.([Vv][Bb].{0,3}|[Ww][Ss][CcFf]|[Hh][Tt][Aa]?[Mm]?[Ll]?)$;fileswitch=vb
-$fileswitch:unassigned;FN:\.[Mm][Pp].$;fileswitch=mp3
-$fileswitch:unassigned;FD:3c25:A:2;fileswitch=asp
-$fileswitch:unassigned;FN:\.([Aa][Uu][Tt][Oo][Rr][Uu][Nn]|[Ii][Nn][Ff]|[Ii][Nn][Ii]|[Cc][Ff][Gg])$;fileswitch=inf
-$fileswitch:unassigned;FN:\.[Aa][Ss][Pp].?$;fileswitch=asp
-$fileswitch:unassigned;FN:\.[Jj][Ss]([Pp][Xx]?|[Oo][Nn])?$;fileswitch=js
-$fileswitch:unassigned;FN:\.[Pp][Yy].?$;fileswitch=py
-$fileswitch:unassigned;FN:\.[Jj][Aa]([Vv][Aa]|[Rr])$;fileswitch=java
-$fileswitch:unassigned;FN:\.[Pp]([Ee][Rr])?[Ll]$;fileswitch=perl
-$fileswitch:unassigned;FN:\.[Cc][Gg][Ii]$;fileswitch=cgi
-$fileswitch:unassigned;FN:\.([Rr][Uu]?[Bb][WwYy]?|[Gg][Ee][Mm])$;fileswitch=ruby
-$fileswitch:unassigned;FN:\.([Cc][Vv][Dd]|[Ii][Nn][Cc]|[Mm][Dd]|[Tt][Xx][Tt])$;fileswitch=ignore
-$fileswitch:unassigned;FD-RX:(1f8b|425a68|504b|52617221|7f454c46):A:4;fileswitch=vt_interest
-$fileswitch:unassigned;FD:7801:A:2;FD:6b6f6c79:-512;fileswitch=vt_interest
+# Switch file for phpMussel.
+
+
+
+# Used by the ClamAV General and the ClamAV ASCII signature files to ignore certain signatures
+# ---
+!ISSET:infectable;FD-RX:377f068[23]002de218:A:8;infectable=false
+!ISSET:infectable;FD:252150532d41646f62652d:A:11;infectable=false
+!ISSET:infectable;FD:28546869732066696c65206d75737420626520636f6e76657274656420776974682042696e48657820342e3029:A:45;infectable=false
+!ISSET:infectable;FD:2e524d46:A:4;infectable=false
+!ISSET:infectable;FD:2f5247420a49440affffffffffffffffffffffffffffffffffffffffffffffff:0:128;infectable=false
+!ISSET:infectable;FD:494433:A:3;infectable=false
+!ISSET:infectable;FD:4f676753:A:4;infectable=false
+!ISSET:infectable;FD:5349502d48495420285349502f48:A:14;infectable=false
+!ISSET:infectable;FD:53514c69746520666f726d6174203300:A:16;infectable=false
+!ISSET:infectable;FD:53594d430100:A:6;infectable=false
+!ISSET:infectable;FD:d9d505f920a163d7:A:8;infectable=false
+!ISSET:infectable;FD:fffb90:A:3;infectable=false
+!ISSET:infectable;infectable=true
+
+
+
+# Assists with determining most probably file format, and thus, probable types of content.
+# ---
+FD-RX:435753|465753|5a5753:A:3;is_swf=true
+!ISSET:is_swf;FN:\.[Ss][Ww][FfTt]$;is_swf=true
+!ISSET:is_swf;is_swf=false
+
+FD:25504446:A:4;pdf_magic=true
+!ISSET:pdf_magic;pdf_magic=false
+$pdf_magic:true;is_pdf=true
+FN:\.[Pp][Dd][Ff]$;is_pdf=true
+!ISSET:is_pdf;is_pdf=false
+
+!ISSET:fileswitch;FN:\.[Mm][Pp]?4.?$;FD-RX:63(?:686170|6c6970|72676e|746162)|66726565|66747970|696d6170|6a7032|6b6d6174|6c6f6164|6d(?:617474|646174|6f6f66|6f6f76)|70696374|706e6f74|73(?:637074|6b6970|737263|796e63)|746d6364|75647461|75756964|77696465:4:4;fileswitch=mp4
+!ISSET:fileswitch;FD:4d5a:A:2;fileswitch=pefile
+FD-RX:cafe(?:babe|d00d)|c[ef]faedfe|feedfac[ef]:A:4;is_macho=true
+!ISSET:is_macho;is_macho=false
+!ISSET:fileswitch;$is_macho:true;fileswitch=java
+!ISSET:fileswitch;FD-RX:494433|fffb90:A:3;fileswitch=mp3
+!ISSET:fileswitch;FD-NORM-RX:23212f7573722f(?:6c6f63616c2f)?62696e2f(?:656e76)?7065726c:A:24;fileswitch=perl
+!ISSET:fileswitch;FD:43723234:A:4;fileswitch=chrome
+!ISSET:fileswitch;FD:4c00000001140200:A:8;fileswitch=lnk
+!ISSET:fileswitch;FD:d0cf11:A:3;fileswitch=docfile
+!ISSET:fileswitch;FD-NORM-RX:23212f7573722f(?:6c6f63616c2f)?62696e2f(?:656e76)?707974686f6e:A:26;fileswitch=py
+!ISSET:fileswitch;FD-NORM:6372656174656f626a656374;fileswitch=vb
+!ISSET:fileswitch;FD-NORM:406563686f;fileswitch=bat
+!ISSET:fileswitch;FD-NORM-RX:3c736372697074.{0,128}(?:6c616e67756167653d2[27]76627363726970742[27]|747970653d2[27]746578742f76627363726970742[27]);fileswitch=vb
+!ISSET:fileswitch;FD-NORM-RX:3c736372697074.{0,128}(?:6c616e67756167653d2[27]6a6176617363726970742[27]|747970653d2[27]746578742f6a6176617363726970742[27]);fileswitch=js
+!ISSET:fileswitch;FD-NORM-RX:3c25406c616e67756167653d(?:2[27])?76627363726970742e656e636f6465;fileswitch=vb
+!ISSET:fileswitch;FD-NORM-RX:23212f7573722f(?:6c6f63616c2f)?62696e2f(?:656e76)?72756279:A:24;fileswitch=ruby
+!ISSET:fileswitch;FN:\.(?:[Bb][Aa][Tt]|[Cc][Mm][Dd]|[Bb][Tt][Mm])$;fileswitch=bat
+!ISSET:fileswitch;FN:\.(?:[Vv][Bb].{0,3}|[Ww][Ss][CcFf]|[Hh][Tt][Aa]?[Mm]?[Ll]?)$;fileswitch=vb
+!ISSET:fileswitch;FN:\.[Mm][Pp].$;fileswitch=mp3
+!ISSET:fileswitch;FD:3c25:A:2;fileswitch=asp
+!ISSET:fileswitch;FN:\.(?:[Aa][Uu][Tt][Oo][Rr][Uu][Nn]|[Ii][Nn][Ff]|[Ii][Nn][Ii]|[Cc][Ff][Gg])$;fileswitch=inf
+!ISSET:fileswitch;FN:\.[Aa][Ss][Pp].?$;fileswitch=asp
+!ISSET:fileswitch;FN:\.[Jj][Ss](?:[Pp][Xx]?|[Oo][Nn])?$;fileswitch=js
+!ISSET:fileswitch;FN:\.[Pp][Yy].?$;fileswitch=py
+!ISSET:fileswitch;FN:\.[Jj][Aa](?:[Vv][Aa]|[Rr])$;fileswitch=java
+!ISSET:fileswitch;FN:\.[Pp](?:[Ee][Rr])?[Ll]$;fileswitch=perl
+!ISSET:fileswitch;FN:\.[Cc][Gg][Ii]$;fileswitch=cgi
+!ISSET:fileswitch;FN:\.(?:[Rr][Uu]?[Bb][WwYy]?|[Gg][Ee][Mm])$;fileswitch=ruby
+!ISSET:fileswitch;$is_swf:true;fileswitch=swf
+!ISSET:fileswitch;$is_pdf:true;fileswitch=pdf
+!ISSET:fileswitch;FN:\.(?:[Cc][Vv][Dd]|[Ii][Nn][Cc]|[Mm][Dd]|[Tt][Xx][Tt])$;fileswitch=ignore
+!ISSET:fileswitch;FD-RX:(?:1f8b|425a68|504b|52617221|7f454c46):A:4;fileswitch=vt_interest
+!ISSET:fileswitch;FD:7801:A:2;FD:6b6f6c79:-512;fileswitch=vt_interest
+!ISSET:fileswitch;fileswitch=unassigned

src/Scanner.php

@@ -1269,7 +1269,6 @@ private function dataHandler(string $str = '', int $Depth = 0, string $OriginalF
         $len_hgb = ($StringLength > 536870912) ? 1 : 0;
         $phase = $this->Loader->InstanceCache['phase'];
         $container = $this->Loader->InstanceCache['container'];
-        $pdf_magic = ($fourcc === '25504446');
 
         /** CoEx flags for configuration directives related to signatures. */
         foreach ([
@@ -1341,21 +1340,6 @@ private function dataHandler(string $str = '', int $Depth = 0, string $OriginalF
             $str_hex
         ) || preg_match('/0a2d2d.{32}(?:2d2d)?(?:0d)?0a/i', $str_hex));
 
-        /** Look for potential Mach-O indicators. */
-        $is_macho = preg_match('/^(?:cafe(?:babe|d00d)|c[ef]faedfe|feedfac[ef])$/', $fourcc);
-
-        /** Look for potential PDF indicators. */
-        $is_pdf = ($pdf_magic || $xt === 'pdf');
-
-        /** Look for potential Shockwave/SWF indicators. */
-        $is_swf = (
-            strpos(',435753,465753,5a5753,', ',' . substr($str_hex, 0, 6) . ',') !== false ||
-            strpos(',swf,swt,', ',' . $xt . ',') !== false
-        );
-
-        /** "Infectable"? Used by ClamAV General and ClamAV ASCII signatures. */
-        $infectable = true;
-
         /** "Asciiable"? Used by all ASCII signatures. */
         $asciiable = (bool)$str_hex_norm_len;
 
@@ -1365,33 +1349,36 @@ private function dataHandler(string $str = '', int $Depth = 0, string $OriginalF
             strpos(',bin,ole,xml,rels,', ',' . $xt . ',') !== false
         );
 
-        /** Worked by the switch file. */
-        $fileswitch = 'unassigned';
         if (!empty($this->Loader->InstanceCache['sf'])) {
             if (!isset($this->Loader->InstanceCache['Print after CLI scan'])) {
                 $this->Loader->InstanceCache['Print after CLI scan'] = '';
             }
             $this->Loader->InstanceCache['Print after CLI scan'] .= sprintf($this->Loader->L10N->getString('label.Flags set by the switch file while scanning %s'), $OriginalFilename) . "\n";
         }
+
+        /** Process the switch file. */
         if (!isset($this->Loader->InstanceCache['switch.dat'])) {
             $this->Loader->InstanceCache['switch.dat'] = $this->Loader->readFileAsArray($this->AssetsPath . 'switch.dat', FILE_IGNORE_NEW_LINES);
         }
         foreach ($this->Loader->InstanceCache['switch.dat'] as $ThisRule) {
+            if ($ThisRule === '' || substr($ThisRule, 0, 1) === '#') {
+                continue;
+            }
             $Switch = (strpos($ThisRule, ';') === false) ? $ThisRule : $this->Loader->substrAfterLast($ThisRule, ';');
             if (strpos($Switch, '=') === false) {
                 continue;
             }
-            $Switch = explode('=', preg_replace('/[^\x20-\xFF]/', '', $Switch));
+            $Switch = explode('=', preg_replace('/[^\x20-\xFF]/', '', $Switch), 2);
             if (empty($Switch[0])) {
                 continue;
             }
             if (empty($Switch[1])) {
                 $Switch[1] = false;
             }
             $theSwitch = $Switch[0];
-            $ThisRule = (strpos($ThisRule, ';') === false) ? [$ThisRule] : explode(';', $this->Loader->substrBeforeLast($ThisRule, ';'));
+            $ThisRule = (strpos($ThisRule, ';') === false) ? [] : explode(';', $this->Loader->substrBeforeLast($ThisRule, ';'));
             foreach ($ThisRule as $Fragment) {
-                $Fragment = (strpos($Fragment, ':') === false) ? false : $this->splitSigParts($Fragment, 7);
+                $Fragment = (strpos($Fragment, ':') === false) ? [] : $this->splitSigParts($Fragment, 7);
                 if (empty($Fragment[0])) {
                     continue 2;
                 }
@@ -1489,15 +1476,17 @@ private function dataHandler(string $str = '', int $Depth = 0, string $OriginalF
                             continue 2;
                         }
                     }
-                } elseif (
+                } elseif (isset($Fragment[1]) && (
                     ($Fragment[0] === 'FN' && !preg_match('/(?:' . $Fragment[1] . ')/i', $OriginalFilename)) ||
                     ($Fragment[0] === 'FS-MIN' && $StringLength < $Fragment[1]) ||
                     ($Fragment[0] === 'FS-MAX' && $StringLength > $Fragment[1]) ||
                     ($Fragment[0] === 'FD' && strpos($str_hex, $Fragment[1]) === false) ||
                     ($Fragment[0] === 'FD-RX' && !preg_match('/(?:' . $Fragment[1] . ')/i', $str_hex)) ||
                     ($Fragment[0] === 'FD-NORM' && strpos($str_hex_norm, $Fragment[1]) === false) ||
-                    ($Fragment[0] === 'FD-NORM-RX' && !preg_match('/(?:' . $Fragment[1] . ')/i', $str_hex_norm))
-                ) {
+                    ($Fragment[0] === 'FD-NORM-RX' && !preg_match('/(?:' . $Fragment[1] . ')/i', $str_hex_norm)) ||
+                    ($Fragment[0] === 'ISSET' && !isset(${$Fragment[1]})) ||
+                    ($Fragment[0] === '!ISSET' && isset(${$Fragment[1]}))
+                )) {
                     continue 2;
                 } elseif (substr($Fragment[0], 0, 1) === '$') {
                     $VarInSigFile = substr($Fragment[0], 1);
@@ -1506,10 +1495,10 @@ private function dataHandler(string $str = '', int $Depth = 0, string $OriginalF
                     }
                 } elseif (substr($Fragment[0], 0, 2) === '!$') {
                     $VarInSigFile = substr($Fragment[0], 2);
-                    if (!isset($$VarInSigFile) || is_array($$VarInSigFile) || $$VarInSigFile == $Fragment[1]) {
+                    if (isset($$VarInSigFile) && !is_array($$VarInSigFile) && $$VarInSigFile == $Fragment[1]) {
                         continue 2;
                     }
-                } elseif (strpos(',FN,FS-MIN,FS-MAX,FD,FD-RX,FD-NORM,FD-NORM-RX,', ',' . $Fragment[0] . ',') === false) {
+                } elseif (strpos(',FN,FS-MIN,FS-MAX,FD,FD-RX,FD-NORM,FD-NORM-RX,ISSET,!ISSET,', ',' . $Fragment[0] . ',') === false) {
                     continue 2;
                 }
             }