From 313d489694d4330a31d0f03c699e09b46b63bca0 Mon Sep 17 00:00:00 2001
From: Julien (jvoisin) Voisin
Date: Tue, 23 Feb 2016 17:47:05 +0100
Subject: Refactor the basedir_bypass function

---
 php-malware-finder/malwares.yara | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara
index 45100c5..d07c057 100644
--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -102,7 +102,7 @@ rule SuspiciousEncoding
 rule DodgyPhp
 {
     strings:
-        $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/
+        $basedir_bypass = /curl_init\s*\(\s*["']file:\/\//
         $disable_magic_quotes = /set_magic_quotes_runtime\(0\)/
         $double_encoding = /(base64_decode\s*\(\s*){2}/
         $execution = /(eval|assert|passthru|exec|system|win_shell_execute|base64_decode)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))/
-- 
cgit v1.3