[Mimedefang] double extension

Rick Mallett rmallett at ccs.carleton.ca
Thu Nov 21 09:49:00 EST 2002


Marco Berizzi writes:
> 
> Hi,
> 
> I have found a strange behaviour with an attach with double extension.
> This is the message source:
> 
[preamble deleted]

> ------=_NextPart_000_0051_01C2913E.3B316D10
> Content-Type: image/gif;
>  name="prova.it - blabl molla.gif"
> Content-Transfer-Encoding: 7bit
> Content-Disposition: attachment;
>  filename="prova.it - blabl molla.gif"
> 
> 
> ------=_NextPart_000_0051_01C2913E.3B316D10--
> 
> MIMEDefang is dropping the attach. I'm using the suggested-min-filter
> from MD 2.25 (a little modified).
> I have added to the bad ext also ".it".
> Is this correct?
> 

It seems to be intentional, but I'm not sure it's correct.
The regexp that is used to catch bad filenames, specifically

  $re = '\.' . $bad_exts . '\.*([^-A-Za-z0-9_.,]|$)';

will match anywhere that there is a "." followed by one of the
bad extensions followed by a character not in the acceptable set
shown above. Hence a filename like the following 

  blotto.com - picture of a whale.jpg

will match and the recipient will receive the message 

  An attachment named blotto.com - picture of a whale.jpg was removed 
  from this document as it constituted a security hazard.  If you require 
  this document, please contact the sender and arrange an alternate means 
  of receiving it.

Given the deplorable, but widespread, habit of using blanks in
filenames it would seem that the test is a bit overzealous, or does
it really constitute a security hazard? If not, then either the regexp
should be modified to allow the filename, or, alternatively, there
could be a different message

  An attachment named blotto.com - picture of a whale.jpg was removed 
  from this document because it had a really stupid name.  If you require 
  this document, please contact the sender and have them change the name
  to something reasonable. -:)

- rick --
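
The matching behaviour described in the message above can be reproduced outside the filter. The Perl script below is an added example, not part of the original post and not MIMEDefang code; the shortened extension list, the sample names, the case-insensitive match and the end-anchored variant `$re_end` are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed, shortened extension list for this example only.
# ".it" is included because the original poster added it to his list.
my $bad_exts = '(com|exe|it)';

# Pattern quoted in the post.
my $re = '\.' . $bad_exts . '\.*([^-A-Za-z0-9_.,]|$)';

# Hypothetical alternative (not MIMEDefang code): flag a listed extension
# only when it ends the name, ignoring trailing dots and whitespace.
my $re_end = '\.' . $bad_exts . '[.\s]*$';

# Sample names: the first two come from the thread, the rest are constructed.
my @names = (
    'prova.it - blabl molla.gif',
    'blotto.com - picture of a whale.jpg',
    'whale.jpg',
    'setup.exe',
    'setup.exe.',
    'notes.com.txt',
);

# Return what the pattern matched, or 'pass' if it did not match.
sub verdict {
    my ($name, $pattern) = @_;
    # Case-insensitive matching is an assumption of this example.
    return $name =~ /$pattern/i ? "MATCH '$&'" : 'pass';
}

printf "%-38s %-16s %s\n", 'filename', 'posted regexp', 'end-anchored';
for my $name (@names) {
    printf "%-38s %-16s %s\n",
        $name, verdict($name, $re), verdict($name, $re_end);
}
```

With the posted regexp, both names from the thread match at the extension plus the following blank (`.it ` and `.com `), while `notes.com.txt` passes because the `.` after `.com` is in the acceptable character set. The end-anchored variant lets the two thread names through and still flags `setup.exe` and `setup.exe.`, at the cost of no longer flagging a listed extension in the middle of a name.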
