[Mimedefang] Malformed MIME: A warning

David F. Skoll dfs at roaringpenguin.com
Wed Apr 24 18:58:30 EDT 2002


Hi,

Just a warning about trying to be too clever with bad MIME.

Consider this header:

Content-type: application/octet-stream; name=foo bar.pif

Most people would want MIMEDefang to interpret the name as "foo bar.pif"
and filter it out.

How about:

Content-type: application/octet-stream; name=foo.exe blat.txt

Do you want the name to be "foo.exe blat.txt"?  A correctly-written
Windows MUA (assuming such a beast even exists) will interpret the
name as "foo.exe", although MIMEDefang interprets it as a ".txt"
extension.

OK, so we check for two dots in filenames in MIMEDefang and disallow them.
Then innocuous things like "report-2002.04.01.txt" get stopped.

So we check for ".exe", etc. anywhere in the filename.  That works,
but again, "test.exe.txt" is innocuous, but would get stopped.

The bottom line is that if your MUA misinterprets malformed MIME, then
it's an MUA bug which is very difficult to fix with server-based
scanners.

I think the most practical solution is in fact to greedily interpret
the name, and have a function similar to re_match_ext which looks for
an extension anywhere in the filename (to catch the "foo.exe blat.txt"
case).  This will be in the next release.

Regards,

David.
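
The trade-off described in this message, as an added example that is not part of the original post and is not MIMEDefang code: it reads an unquoted name parameter both strictly (stopping at the first space) and greedily, then applies the three filename checks the message discusses. The function names and the two-entry extension list are assumptions made for illustration, and the sketch is in Python rather than MIMEDefang's Perl.

```python
import re

BAD_EXTS = ("exe", "pif")  # constructed sample list, not a MIMEDefang default

def name_strict(header):
    """Unquoted value read as an RFC 2045 token: stops at the first space."""
    m = re.search(r'\bname=([^\s;"]+)', header, re.I)
    return m.group(1) if m else None

def name_greedy(header):
    """Unquoted value read greedily: everything up to ';' or end of line."""
    m = re.search(r'\bname=([^;"]+)', header, re.I)
    return m.group(1).strip() if m else None

_ALT = "|".join(map(re.escape, BAD_EXTS))
_END_RE = re.compile(r"\.(?:%s)$" % _ALT, re.I)
# A bad extension counts when followed by end of name, another dot, or a space.
_ANYWHERE_RE = re.compile(r"\.(?:%s)(?=$|[.\s])" % _ALT, re.I)

def ext_at_end(name):
    """Check only the final extension of the name."""
    return bool(_END_RE.search(name))

def ext_anywhere(name):
    """Check for a bad extension at any position in the name."""
    return bool(_ANYWHERE_RE.search(name))

def two_dots(name):
    """The 'disallow two dots' rule from the message."""
    return name.count(".") >= 2

# Constructed sample headers and names taken from the cases in the message.
HEADERS = [
    "Content-type: application/octet-stream; name=foo bar.pif",
    "Content-type: application/octet-stream; name=foo.exe blat.txt",
]
NAMES = ["report-2002.04.01.txt", "test.exe.txt"]

if __name__ == "__main__":
    for h in HEADERS:
        g = name_greedy(h)
        print("strict=%r greedy=%r end=%s anywhere=%s"
              % (name_strict(h), g, ext_at_end(g), ext_anywhere(g)))
    for n in NAMES:
        print("%r two_dots=%s end=%s anywhere=%s"
              % (n, two_dots(n), ext_at_end(n), ext_anywhere(n)))
```

The greedy name combined with the anywhere check catches "foo.exe blat.txt" and leaves "report-2002.04.01.txt" alone, while "test.exe.txt" is still stopped, which is the false positive the message accepts.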



