From 7d67af661a466dde4416c0583bbfa0250b14560f Mon Sep 17 00:00:00 2001 From: Gerald Combs Date: Wed, 21 Jun 2017 17:34:30 -0400 Subject: Make "matches" case-insensitive. Make the "matches" operator case-insensitive by default. Case sensitivity can be switched back on using "(?-i)". It might be nice to make "contains" case-insensitive as well, but we'd need a caseless version of epan_memmem. Change-Id: I5e39a52c148477c30c808152bcace08348df815a Reviewed-on: https://code.wireshark.org/review/22330 Reviewed-by: Gerald Combs Petri-Dish: Gerald Combs Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman --- doc/wireshark-filter.pod | 24 +++++++++++++++--------- docbook/release-notes.asciidoc | 3 ++- docbook/wsug_src/WSUG_chapter_work.asciidoc | 4 ++-- epan/ftypes/ftype-pcre.c | 4 ++-- 4 files changed, 21 insertions(+), 14 deletions(-) diff --git a/doc/wireshark-filter.pod b/doc/wireshark-filter.pod index 0b8613de4c..a6ef64f58a 100644 --- a/doc/wireshark-filter.pod +++ b/doc/wireshark-filter.pod @@ -56,8 +56,8 @@ C-like symbols: Additional operators exist expressed only in English, not C-like syntax: contains Does the protocol, field or slice contain a value - matches, ~ Does the protocol or text string match the given Perl - regular expression + matches, ~ Does the protocol or text string match the given + case-insensitive Perl-compatible regular expression The "contains" operator allows a filter to search for a sequence of characters, expressed as a string (quoted or unquoted), or bytes, 
@@ -73,15 +73,21 @@ such as numbers or IP addresses. The "matches" or "~" operator allows a filter to apply to a specified Perl-compatible regular expression (PCRE). The "matches" operator is only implemented for protocols and for protocol fields with a text string -representation. For example, to search for a given WAP WSP User-Agent, -you can write: +representation. Matches are case-insensitive by default. For example, +to search for a given WAP WSP User-Agent, you can write: - wsp.user_agent matches "(?i)cldc" + wsp.user_agent matches "cldc" -This example shows an interesting PCRE feature: pattern match options have to -be specified with the B<(?>optionB<)> construct. For instance, B<(?i)> performs -a case-insensitive pattern match. More information on PCRE can be found in the -pcrepattern(3) man page (Perl Regular Expressions are explained in +This would match "cldc", "CLDC", "cLdC" or any other combination of upper +and lower case letters. + +You can force case sensitivity using + + wsp.user_agent matches "(?-i)cldc" + +This is an example of PCRE's B<(?>optionB<)> construct. B<(?-i)> performs a +case-sensitive pattern match but other options can be specified as well. More +information can be found in the pcrepattern(3) man page at L). =head2 Functions diff --git a/docbook/release-notes.asciidoc b/docbook/release-notes.asciidoc index f5e88a2b5c..2b361f30f8 100644 --- a/docbook/release-notes.asciidoc +++ b/docbook/release-notes.asciidoc @@ -28,8 +28,9 @@ used for troubleshooting, analysis, development and education. The following features are new (or have been significantly updated) since version 2.4.0: - * Add color support for TShark with --color option (non-Windows only) +* Add color support for TShark with --color option (non-Windows only) * TCP Analysis will detect and flag more spurious retransmissions. +* The "matches" display filter operator is now case-insensitive. //=== Removed Dissectors 
diff --git a/docbook/wsug_src/WSUG_chapter_work.asciidoc b/docbook/wsug_src/WSUG_chapter_work.asciidoc index 6047e2ad45..819d7601b5 100644 --- a/docbook/wsug_src/WSUG_chapter_work.asciidoc +++ b/docbook/wsug_src/WSUG_chapter_work.asciidoc @@ -367,8 +367,8 @@ anywhere in the header. http.host matches "acme\.(org|com|net)" ---- The example above match HTTP packets where the HOST header contains acme.org or acme.com -or acme.net. Note: Wireshark needs to be built with libpcre in order to be able to use the -+matches+ resp. +~+ operator. +or acme.net. Comparisons are case-insensitive. Note: Wireshark needs to be built with +libpcre in order to be able to use the +matches+ resp. +~+ operator. ---- tcp.flags & 0x02 ---- diff --git a/epan/ftypes/ftype-pcre.c b/epan/ftypes/ftype-pcre.c index 5de0746bcd..05ad14a1ad 100644 --- a/epan/ftypes/ftype-pcre.c +++ b/epan/ftypes/ftype-pcre.c @@ -74,13 +74,13 @@ static gboolean val_from_string(fvalue_t *fv, const char *pattern, gchar **err_msg) { GError *regex_error = NULL; - GRegexCompileFlags cflags = G_REGEX_OPTIMIZE; + GRegexCompileFlags cflags = (GRegexCompileFlags)(G_REGEX_CASELESS | G_REGEX_OPTIMIZE); /* Set RAW flag only if pattern requires matching raw byte sequences. Otherwise, omit it so that GRegex treats its input as UTF8-encoded string. */ if (raw_flag_needed(pattern)) { - cflags = (GRegexCompileFlags)(G_REGEX_OPTIMIZE | G_REGEX_RAW); + cflags = (GRegexCompileFlags)(cflags | G_REGEX_RAW); } /* Free up the old value, if we have one */ -- cgit v1.2.1
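Review bot: In docbook/release-notes.asciidoc, the new bullet `The "matches" display filter operator is now case-insensitive.` lists a change to the meaning of existing filters as a new feature and leaves out the opt-out. A filter written for an earlier version that relied on case-sensitive matching will now match more packets without any error or warning. Suggest extending the bullet to say that prefixing the pattern with "(?-i)" restores the previous behaviour, as the wireshark-filter.pod text in this same patch does.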
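Review bot: In docbook/wsug_src/WSUG_chapter_work.asciidoc, the added sentence "Comparisons are case-insensitive." is broader than the change. The commit message says "contains" is not made case-insensitive, so only +matches+ / +~+ is affected, and a reader of this chapter could take the sentence to cover every comparison operator. Suggest something like "The +matches+ operator is case-insensitive by default; start the pattern with (?-i) to make it case-sensitive." While this paragraph is being touched, "The example above match" in the context line could become "matches".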
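Review bot: In val_from_string() in epan/ftypes/ftype-pcre.c, G_REGEX_CASELESS is now also carried into the raw_flag_needed() branch through `cflags | G_REGEX_RAW`, so patterns that match raw byte sequences become caseless as well. A byte written as an escape for an ASCII letter, for example \x41, would then also match 0x61, which loosens filters meant to match an exact binary signature. If that is intended, the pod and user guide text should say so for byte patterns and point at "(?-i)"; if not, consider leaving G_REGEX_CASELESS out when G_REGEX_RAW is set. The comment above the `if` still describes only the RAW flag and could mention the new caseless default.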