VirusTotal · wxsBSD · May 2, 2024 · May 8, 2024
diff --git a/docs/writingrules.rst b/docs/writingrules.rst
@@ -1610,6 +1610,12 @@ identifier/value pairs like in the following example:
             my_identifier_1 = "Some string data"
             my_identifier_2 = 24
             my_identifier_3 = true
+            my_identifier_4 = """
+    I am a multiline string literal.
+    I will be stored in your rule directly as is. If you have
+    escape sequences like \x41 those will be converted to their
+    raw byte value. When done, just add the closing quotes.
+    """
 
         strings:
             $my_text_string = "text here"
@@ -1626,6 +1632,8 @@ Note that identifier/value pairs defined in the metadata section cannot be used
 in the condition section, their only purpose is to store additional information
 about the rule.
 
+NOTE: Multiline string literals are supported starting in YARA 4.6.0.
+
 .. _using-modules:
 
 Using modules

diff --git a/libyara/grammar.c b/libyara/grammar.c
diff --git a/libyara/grammar.h b/libyara/grammar.h
@@ -72,49 +72,50 @@ extern int yara_yydebug;
     _DOUBLE_ = 273,                /* "floating point number"  */
     _INTEGER_FUNCTION_ = 274,      /* "integer function"  */
     _TEXT_STRING_ = 275,           /* "text string"  */
-    _HEX_STRING_ = 276,            /* "hex string"  */
-    _REGEXP_ = 277,                /* "regular expression"  */
-    _ASCII_ = 278,                 /* "<ascii>"  */
-    _WIDE_ = 279,                  /* "<wide>"  */
-    _XOR_ = 280,                   /* "<xor>"  */
-    _BASE64_ = 281,                /* "<base64>"  */
-    _BASE64_WIDE_ = 282,           /* "<base64wide>"  */
-    _NOCASE_ = 283,                /* "<nocase>"  */
-    _FULLWORD_ = 284,              /* "<fullword>"  */
-    _AT_ = 285,                    /* "<at>"  */
-    _FILESIZE_ = 286,              /* "<filesize>"  */
-    _ENTRYPOINT_ = 287,            /* "<entrypoint>"  */
-    _ALL_ = 288,                   /* "<all>"  */
-    _ANY_ = 289,                   /* "<any>"  */
-    _NONE_ = 290,                  /* "<none>"  */
-    _IN_ = 291,                    /* "<in>"  */
-    _OF_ = 292,                    /* "<of>"  */
-    _FOR_ = 293,                   /* "<for>"  */
-    _THEM_ = 294,                  /* "<them>"  */
-    _MATCHES_ = 295,               /* "<matches>"  */
-    _CONTAINS_ = 296,              /* "<contains>"  */
-    _STARTSWITH_ = 297,            /* "<startswith>"  */
-    _ENDSWITH_ = 298,              /* "<endswith>"  */
-    _ICONTAINS_ = 299,             /* "<icontains>"  */
-    _ISTARTSWITH_ = 300,           /* "<istartswith>"  */
-    _IENDSWITH_ = 301,             /* "<iendswith>"  */
-    _IEQUALS_ = 302,               /* "<iequals>"  */
-    _IMPORT_ = 303,                /* "<import>"  */
-    _TRUE_ = 304,                  /* "<true>"  */
-    _FALSE_ = 305,                 /* "<false>"  */
-    _OR_ = 306,                    /* "<or>"  */
-    _AND_ = 307,                   /* "<and>"  */
-    _NOT_ = 308,                   /* "<not>"  */
-    _DEFINED_ = 309,               /* "<defined>"  */
-    _EQ_ = 310,                    /* "=="  */
-    _NEQ_ = 311,                   /* "!="  */
-    _LT_ = 312,                    /* "<"  */
-    _LE_ = 313,                    /* "<="  */
-    _GT_ = 314,                    /* ">"  */
-    _GE_ = 315,                    /* ">="  */
-    _SHIFT_LEFT_ = 316,            /* "<<"  */
-    _SHIFT_RIGHT_ = 317,           /* ">>"  */
-    UNARY_MINUS = 318              /* UNARY_MINUS  */
+    _MULTILINE_STRING_ = 276,      /* "multiline text string"  */
+    _HEX_STRING_ = 277,            /* "hex string"  */
+    _REGEXP_ = 278,                /* "regular expression"  */
+    _ASCII_ = 279,                 /* "<ascii>"  */
+    _WIDE_ = 280,                  /* "<wide>"  */
+    _XOR_ = 281,                   /* "<xor>"  */
+    _BASE64_ = 282,                /* "<base64>"  */
+    _BASE64_WIDE_ = 283,           /* "<base64wide>"  */
+    _NOCASE_ = 284,                /* "<nocase>"  */
+    _FULLWORD_ = 285,              /* "<fullword>"  */
+    _AT_ = 286,                    /* "<at>"  */
+    _FILESIZE_ = 287,              /* "<filesize>"  */
+    _ENTRYPOINT_ = 288,            /* "<entrypoint>"  */
+    _ALL_ = 289,                   /* "<all>"  */
+    _ANY_ = 290,                   /* "<any>"  */
+    _NONE_ = 291,                  /* "<none>"  */
+    _IN_ = 292,                    /* "<in>"  */
+    _OF_ = 293,                    /* "<of>"  */
+    _FOR_ = 294,                   /* "<for>"  */
+    _THEM_ = 295,                  /* "<them>"  */
+    _MATCHES_ = 296,               /* "<matches>"  */
+    _CONTAINS_ = 297,              /* "<contains>"  */
+    _STARTSWITH_ = 298,            /* "<startswith>"  */
+    _ENDSWITH_ = 299,              /* "<endswith>"  */
+    _ICONTAINS_ = 300,             /* "<icontains>"  */
+    _ISTARTSWITH_ = 301,           /* "<istartswith>"  */
+    _IENDSWITH_ = 302,             /* "<iendswith>"  */
+    _IEQUALS_ = 303,               /* "<iequals>"  */
+    _IMPORT_ = 304,                /* "<import>"  */
+    _TRUE_ = 305,                  /* "<true>"  */
+    _FALSE_ = 306,                 /* "<false>"  */
+    _OR_ = 307,                    /* "<or>"  */
+    _AND_ = 308,                   /* "<and>"  */
+    _NOT_ = 309,                   /* "<not>"  */
+    _DEFINED_ = 310,               /* "<defined>"  */
+    _EQ_ = 311,                    /* "=="  */
+    _NEQ_ = 312,                   /* "!="  */
+    _LT_ = 313,                    /* "<"  */
+    _LE_ = 314,                    /* "<="  */
+    _GT_ = 315,                    /* ">"  */
+    _GE_ = 316,                    /* ">="  */
+    _SHIFT_LEFT_ = 317,            /* "<<"  */
+    _SHIFT_RIGHT_ = 318,           /* ">>"  */
+    UNARY_MINUS = 319              /* UNARY_MINUS  */
   };
   typedef enum yytokentype yytoken_kind_t;
 #endif
@@ -141,55 +142,56 @@ extern int yara_yydebug;
 #define _DOUBLE_ 273
 #define _INTEGER_FUNCTION_ 274
 #define _TEXT_STRING_ 275
-#define _HEX_STRING_ 276
-#define _REGEXP_ 277
-#define _ASCII_ 278
-#define _WIDE_ 279
-#define _XOR_ 280
-#define _BASE64_ 281
-#define _BASE64_WIDE_ 282
-#define _NOCASE_ 283
-#define _FULLWORD_ 284
-#define _AT_ 285
-#define _FILESIZE_ 286
-#define _ENTRYPOINT_ 287
-#define _ALL_ 288
-#define _ANY_ 289
-#define _NONE_ 290
-#define _IN_ 291
-#define _OF_ 292
-#define _FOR_ 293
-#define _THEM_ 294
-#define _MATCHES_ 295
-#define _CONTAINS_ 296
-#define _STARTSWITH_ 297
-#define _ENDSWITH_ 298
-#define _ICONTAINS_ 299
-#define _ISTARTSWITH_ 300
-#define _IENDSWITH_ 301
-#define _IEQUALS_ 302
-#define _IMPORT_ 303
-#define _TRUE_ 304
-#define _FALSE_ 305
-#define _OR_ 306
-#define _AND_ 307
-#define _NOT_ 308
-#define _DEFINED_ 309
-#define _EQ_ 310
-#define _NEQ_ 311
-#define _LT_ 312
-#define _LE_ 313
-#define _GT_ 314
-#define _GE_ 315
-#define _SHIFT_LEFT_ 316
-#define _SHIFT_RIGHT_ 317
-#define UNARY_MINUS 318
+#define _MULTILINE_STRING_ 276
+#define _HEX_STRING_ 277
+#define _REGEXP_ 278
+#define _ASCII_ 279
+#define _WIDE_ 280
+#define _XOR_ 281
+#define _BASE64_ 282
+#define _BASE64_WIDE_ 283
+#define _NOCASE_ 284
+#define _FULLWORD_ 285
+#define _AT_ 286
+#define _FILESIZE_ 287
+#define _ENTRYPOINT_ 288
+#define _ALL_ 289
+#define _ANY_ 290
+#define _NONE_ 291
+#define _IN_ 292
+#define _OF_ 293
+#define _FOR_ 294
+#define _THEM_ 295
+#define _MATCHES_ 296
+#define _CONTAINS_ 297
+#define _STARTSWITH_ 298
+#define _ENDSWITH_ 299
+#define _ICONTAINS_ 300
+#define _ISTARTSWITH_ 301
+#define _IENDSWITH_ 302
+#define _IEQUALS_ 303
+#define _IMPORT_ 304
+#define _TRUE_ 305
+#define _FALSE_ 306
+#define _OR_ 307
+#define _AND_ 308
+#define _NOT_ 309
+#define _DEFINED_ 310
+#define _EQ_ 311
+#define _NEQ_ 312
+#define _LT_ 313
+#define _LE_ 314
+#define _GT_ 315
+#define _GE_ 316
+#define _SHIFT_LEFT_ 317
+#define _SHIFT_RIGHT_ 318
+#define UNARY_MINUS 319
 
 /* Value type.  */
 #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
 union YYSTYPE
 {
-#line 343 "libyara/grammar.y"
+#line 344 "libyara/grammar.y"
 
   YR_EXPRESSION   expression;
   SIZED_STRING*   sized_string;
@@ -204,7 +206,7 @@ union YYSTYPE
   YR_ARENA_REF meta;
   YR_ARENA_REF string;
 
-#line 208 "libyara/grammar.h"
+#line 210 "libyara/grammar.h"
 
 };
 typedef union YYSTYPE YYSTYPE;

diff --git a/libyara/grammar.y b/libyara/grammar.y
@@ -205,6 +205,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 %token <double_> _DOUBLE_                              "floating point number"
 %token <integer> _INTEGER_FUNCTION_                    "integer function"
 %token <sized_string> _TEXT_STRING_                    "text string"
+%token <sized_string> _MULTILINE_STRING_               "multiline text string"
 %token <sized_string> _HEX_STRING_                     "hex string"
 %token <sized_string> _REGEXP_                         "regular expression"
 %token _ASCII_                                         "<ascii>"
@@ -573,6 +574,23 @@ meta_declaration
 
         fail_if_error(result);
       }
+    | _IDENTIFIER_ '=' _MULTILINE_STRING_
+      {
+        SIZED_STRING* sized_string = $3;
+
+        int result = yr_parser_reduce_meta_declaration(
+            yyscanner,
+            META_TYPE_STRING,
+            $1,
+            sized_string->c_string,
+            0,
+            &$<meta>$);
+
+        yr_free($1);
+        yr_free($3);
+
+        fail_if_error(result);
+      }
     | _IDENTIFIER_ '=' _NUMBER_
       {
         int result = yr_parser_reduce_meta_declaration(