[25657] in bugtraq
Re: MIME::Tools Perl module and virus scanners
daemon@ATHENA.MIT.EDU (David F. Skoll)
Tue Jun 4 16:03:07 2002
Date: Tue, 4 Jun 2002 14:16:11 -0400 (EDT)
From: "David F. Skoll" <dfs@roaringpenguin.com>
To: bugtraq@securityfocus.com
Message-ID: <Pine.LNX.4.44.0206041414020.4149-100000@shishi.roaringpenguin.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Bennett Todd wrote:

> Do MIME::Tools and/or MIMEDefang know about the punctuation marks
> that some Windows MUAs silently ignore in filename extensions?

MIMEDefang itself doesn't "know" anything, but the sample filter which
comes with it will correctly (?!) reject ".exe." as well as ".exe".

I've appended the Perl code. The rules are convoluted, but I think
they catch most things. Tuning the Perl rules to catch probable
viruses while leaving legitimate attachments alone took a fair bit of
time.

> How
> about charset canonicalization, non-default (incorrect but commonly
> accepted) UTF-8 encodings?

I'm not sure about this; I'd have to check the MIME::Tools source.
MIMEDefang itself tries to decode encoded words into a default charset
if none is supplied, but it might not do the same thing as an MUA.
Canonicalizing the MIME before handing it to the MUA is the best bet.

--
David.

--- Sample filter snippet ---

# This procedure returns true for entities with bad filenames.
sub filter_bad_filename {
    my($entity) = @_;
    my($bad_exts, $re);

    # Bad extensions
    $bad_exts = '(ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|reg|scr|sct|shb|shs|sys|url|vb|vbe|vbs|vxd|wsc|wsf|wsh)';

    # Do not allow:
    # - curlies
    # - bad extensions (possibly with trailing dots) at end or
    #   followed by non-alphanum
    $re = '(\{)|(\})|(\.' . $bad_exts . ')\.*([^-A-Za-z0-9_.]|$)';

    return re_match($entity, $re);
}
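
--- Added example (not part of the original message) ---

The pattern from the snippet above, run over constructed filenames to show which ones the filter rejects and which legitimate names it leaves alone. This is an added example, not code from MIMEDefang or from the author: is_bad_filename() is a hypothetical stand-in for re_match() that tests a plain string rather than a MIME entity, and case-insensitive matching is an assumption.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Extension list and pattern copied from the filter snippet in the message.
my $bad_exts = '(ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|reg|scr|sct|shb|shs|sys|url|vb|vbe|vbs|vxd|wsc|wsf|wsh)';
my $re = '(\{)|(\})|(\.' . $bad_exts . ')\.*([^-A-Za-z0-9_.]|$)';

# Assumption: the match is case-insensitive, so ".EXE" is treated like ".exe".
my $bad_name_re = qr/$re/i;

# Hypothetical stand-in for re_match(): checks one filename string
# instead of the filename attributes of a MIME::Entity.
sub is_bad_filename {
    my ($name) = @_;
    return $name =~ $bad_name_re ? 1 : 0;
}

# Constructed sample filenames, each with the verdict the pattern should give
# (1 = rejected, 0 = accepted).
my @cases = (
    [ 'setup.exe',                1 ],  # plain bad extension
    [ 'setup.exe.',               1 ],  # trailing dot, the case asked about
    [ 'setup.exe...',             1 ],  # several trailing dots
    [ 'SETUP.EXE',                1 ],  # upper case
    [ 'setup.exe ',               1 ],  # bad extension followed by a space
    [ 'photo.jpg.pif',            1 ],  # double extension ending in a bad one
    [ 'run.jse',                  1 ],  # "jse?" covers both .js and .jse
    [ 'file.{constructed-id}',    1 ],  # curly braces anywhere in the name
    [ 'invoice.pdf',              0 ],
    [ 'archive.tar.gz',           0 ],
    [ 'data.json',                0 ],  # ".js" followed by a letter
    [ 'my.executive-summary.doc', 0 ],  # ".exe" followed by a letter
);

my $failures = 0;
for my $case (@cases) {
    my ($name, $expect) = @$case;
    my $got = is_bad_filename($name);
    $failures++ if $got != $expect;
    printf "%-30s %s\n", "'$name'", $got ? 'REJECT' : 'accept';
}
die "$failures case(s) did not match the expected verdict\n" if $failures;
```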