[Mimedefang] Possible new filename exploit?

David F. Skoll dfs at roaringpenguin.com
Mon Oct 7 21:12:01 EDT 2002


On Mon, 7 Oct 2002, Kelson Vibber wrote:

> Content-Type: audio/x-midi;
>          name=SURVEY-ap stat;sportsvsgpa.doc.exe

> Still, if MD doesn't recognize this sort of bogus filename, it'll probably 
> need to.

I think I posted on this topic sometime earlier.  There is no way to
handle this case in the "obvious" way without seriously breaking MIME
parsing.  By the same token (:-)), any MUA which interprests the name
as "SURVEY-ap stat;sportsvsgpa.doc.exe" is terminally broken.  RFC2045
is pretty clear; if MUA implementers can't follow it, well...

My position is as follows: I will make MIME::Tools handle sloppy MIME
to protect broken MUA's as long as that does not break the
interpretation of correct MIME.  Fixing this case would either break
interpretation of correct MIME messages, or make the MIME::Tools code
completely messy and unmaintainable.

Test this message on your mail reader.  If it thinks the filename is
"SURVEY-ap stat;sportsvsgpa.doc.exe", then it's time to throw
out your mail reader.

What should we do with:

Content-Type: audio/x-midi;
	name=a-dumb-filename.wav;otherattr=funny-chars-in-the-middle.exe

?

Regards,

David.




More information about the MIMEDefang mailing list