From ce77a7acc3a9642f70afdcf20a1d5d22ce6d37d5 Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Mon, 2 Mar 2020 18:09:28 +0100 Subject: [PATCH] Make it work / modernize script Thanks for the script. I made the script more usable: * clamdscan maybe isn't installed) * lockfile wasn't installed under Debian. You can as well remove that line as it is not used in the script * tmpdir generation maybe had a race condition = security problem due to foreseeable filename. Under bash one can use [[ ]] instead of []. One should use POSX notation $(expression) instead of `expression`. It works for me. You might want to double check though.
---
 clamav.sh | 46 ++++++++++++++++++++++++---------------------- 1 file changed, 24 insertions(+), 22 deletions(-)
diff --git a/clamav.sh b/clamav.sh
index 0af138a..8d41185 100644
--- a/clamav.sh
+++ b/clamav.sh
@@ -14,37 +14,39 @@ CLAMGROUP="clamav"
 RELOAD=0
-lockfile -r 0 /tmp/local.the.lock 2>/dev/null || exit 1
-
-rm -rf /tmp/urlhaus
-mkdir /tmp/urlhaus
-
-curl -s https://urlhaus.abuse.ch/downloads/urlhaus.ndb -o /tmp/urlhaus/urlhaus.ndb
-
-if [ $? -eq 0 ]; then
- clamscan --quiet -d /tmp/urlhaus /tmp/urlhaus 2>&1 >/dev/null
- if [ $? -eq 0 ]; then
- if [ -f "$CLAMDIR"/urlhaus.ndb ]; then
- MD5old=`md5sum "$CLAMDIR"/urlhaus.ndb`
- MD5new=`md5sum /tmp/urlhaus/urlhaus.ndb`
- if ! [ "$MD5old" = "$MD5new" ]; then
+TMPDIR=$(mktemp -d /tmp/urlhaus.XXXXXX) || exit 1
+touch $TMPDIR/local.the.lock 2>/dev/null || exit 1
+
+curl -s https://urlhaus.abuse.ch/downloads/urlhaus.ndb -o $TMPDIR/urlhaus.ndb
+
+if [[ $? -eq 0 ]]; then
+ clamscan --quiet -d $TMPDIR $TMPDIR 2>&1 >/dev/null
+ if [[ $? -ne 0 ]]; then
+ echo "downloaded file is not sane" >&2
+ exit 1
+ else
+ if [[ -f "$CLAMDIR"/urlhaus.ndb ]]; then
+ MD5old=$(md5sum "$CLAMDIR"/urlhaus.ndb)
+ MD5new=$(md5sum $TMPDIR/urlhaus.ndb)
+ if [[ "$MD5old" != "$MD5new" ]]; then
 # Updated file
- cp /tmp/urlhaus/urlhaus.ndb $CLAMDIR
+ cp $TMPDIR/urlhaus.ndb $CLAMDIR
 chown $CLAMUSER.$CLAMGROUP "$CLAMDIR"/urlhaus.ndb
 RELOAD=1
 fi
 else
 # Looks like it's the first run
- cp /tmp/urlhaus/urlhaus.ndb $CLAMDIR
+ cp $TMPDIR/urlhaus.ndb $CLAMDIR
 chown $CLAMUSER.$CLAMGROUP "$CLAMDIR"/urlhaus.ndb
 RELOAD=1
 fi
 fi
-fi
+ fi
-if [ $RELOAD -eq 1 ]; then
- clamdscan --reload
-fi
+rm -rf /$TMPDIR
-rm -rf /tmp/urlhaus
-rm -f /tmp/local.the.lock
+if [[ $RELOAD -eq 1 ]]; then
+ if type -a clamdscan >/dev/null 2>&1; then
+ clamdscan --reload
+ fi
+fi
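Review bot: The cleanup `rm -rf /$TMPDIR` is unquoted, carries a stray leading slash, and is never reached on the new `exit 1` path after the failed clamscan check, so a rejected download leaves its directory behind in /tmp. The script appears to run privileged (it chowns into `$CLAMDIR`), so a pattern that would degrade to `rm -rf /` if the variable were ever empty is worth removing: register `trap 'rm -rf -- "${workdir:?}"' EXIT` directly after the `mktemp -d` line and delete the later `rm`. Using a name other than `TMPDIR` also avoids overriding the variable that mktemp and other tools consult for their own temporary location. Separately, `touch $TMPDIR/local.the.lock` inside a per-run directory no longer gives mutual exclusion between concurrent runs, so that line can go, as the description suggests.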