[Mimedefang] double extension

Rudolph Pereira rudolph at usyd.edu.au
Thu Nov 21 18:47:01 EST 2002


On Thu, Nov 21, 2002 at 09:48:21AM -0500, Rick Mallett wrote:
> It seems to be intentional, but I'm not sure it's correct.
> The regexp that is used to catch bad filenames, specifically
> 
>   $re = '\.' . $bad_exts . '\.*([^-A-Za-z0-9_.,]|$)';
> 
> will match anywhere that there is a "." followed by one of the
> bad extensions followed by a character not in the acceptable set
> shown above. Hence a filename like the following 
> 
>   blotto.com - picture of a whale.jpg
> 
> will match and the recipient will receive the message 
I believe it's trying to catch the following with one regexp:
- bad extensions
- more than one dot
- the dot-space Outlook bug (see "messy space handling" at
  http://lists.netsys.com/pipermail/full-disclosure/2002-July/000583.html
  for an example)
- bad characters in the filename

I think it's reasonable to try to catch these things individually, or at
least not in one regexp. The code I wrote to do similar checks goes
something like:

- reject if we've got a bad filename or extension
- reject if we've got a suspicious filename and a suspicious extension,
  where

$bad_exts = '(?:\{[-0-9A-Za-z\}]*)'; # catches clsid stuff
$bad_filenames = '(?:^|[:\/\\\])(?:\$MMXXXX0|AUX|CAS\d*|CLOCK\$|COM\d*|CON|CONFIG\$|DBLBUFF\$|DBLSBIN\$|EMMXXXX0|HLP\$|IFS\$|IFS\$HLP\$|IPC\$|LPT\d*|MAILSLOT|MS\$MOUSE|MSCD\d+|NUL|PIPE|PRN|SCSIMGR\$|SETVERXX|UNC|XMSXXXX0)($|[\.\/\\\])'; 

$susp_exts ='(?:ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|doc|dll|exe|fxp|hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|prg|reg|scr|sct|sh|shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|wsh)';

$invalidchars = '[^\w\s\^\&\'\@\{\}\[\]\,\$\=\!\-\#\(\)\%\.\+\!]';
$susp_filenames = '[\.\s]$|\.\s|\.{2,}|'.$invalidchars;

In case anyone finds that useful.
(I actually mangle the filename if it's suspicious, to help buggy
Windows clients, and also conform to win32 fs naming rules)
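
The two-rule decision described in the message above, as an added example that is not part of the original post or of MIMEDefang. The patterns are copied from the post; the has_ext() and verdict() helpers, the way an extension is anchored, the case-insensitive matching and the sample filenames are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Patterns copied verbatim from the post.
my $bad_exts = '(?:\{[-0-9A-Za-z\}]*)'; # catches clsid stuff
my $bad_filenames = '(?:^|[:\/\\\])(?:\$MMXXXX0|AUX|CAS\d*|CLOCK\$|COM\d*|CON|CONFIG\$|DBLBUFF\$|DBLSBIN\$|EMMXXXX0|HLP\$|IFS\$|IFS\$HLP\$|IPC\$|LPT\d*|MAILSLOT|MS\$MOUSE|MSCD\d+|NUL|PIPE|PRN|SCSIMGR\$|SETVERXX|UNC|XMSXXXX0)($|[\.\/\\\])';
my $susp_exts = '(?:ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|doc|dll|exe|fxp|hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|prg|reg|scr|sct|sh|shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|wsh)';
my $invalidchars = '[^\w\s\^\&\'\@\{\}\[\]\,\$\=\!\-\#\(\)\%\.\+\!]';
my $susp_filenames = '[\.\s]$|\.\s|\.{2,}|' . $invalidchars;

# Assumption: an extension pattern applies to the final dot-separated
# component, tolerating trailing dots or whitespace after it.
sub has_ext {
    my ($name, $exts) = @_;
    return $name =~ /\.(?:$exts)[.\s]*$/i ? 1 : 0;
}

# Rule 1: a bad filename or bad extension rejects on its own.
# Rule 2: a suspicious filename rejects only together with a
#         suspicious extension.
# Assumption: device names are matched case-insensitively.
sub verdict {
    my ($name) = @_;
    return 'reject: bad filename or extension'
        if $name =~ /$bad_filenames/i || has_ext($name, $bad_exts);
    return 'reject: suspicious filename and extension'
        if $name =~ /$susp_filenames/ && has_ext($name, $susp_exts);
    return 'accept';
}

# Constructed sample filenames; the first is the one quoted in the thread.
my @samples = (
    'blotto.com - picture of a whale.jpg',
    'report.doc',
    'setup.exe.',
    'notes..vbs',
    'NUL.txt',
    'shortcut.{00000000-0000-0000-0000-000000000000}',
);

printf "%-50s %s\n", "'$_'", verdict($_) for @samples;
```

Because rule 2 needs both conditions, the whale.jpg filename from the quoted message and a plain report.doc are accepted, while the trailing-dot and double-dot names are rejected.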


