[Mimedefang] Possible new filename exploit?
Steffen Kaiser
skmimedefang at smail.inf.fh-bonn-rhein-sieg.de
Tue Oct 8 04:10:01 EDT 2002
On Mon, 7 Oct 2002, David F. Skoll wrote:
> > Content-Type: audio/x-midi;
> > name=SURVEY-ap stat;sportsvsgpa.doc.exe
>
> > Still, if MD doesn't recognize this sort of bogus filename, it'll probably
> > need to.
>
> Content-Type: audio/x-midi;
> name=a-dumb-filename.wav;otherattr=funny-chars-in-the-middle.exe
How about this:
All _unquoted_ semicolons are replaced by ";\n\t", e.g.

    s/\;\s*(\S)/\;\n\t\1/g;

    name=SURVEY-ap stat;sportsvsgpa.doc.exe
--> becomes
    name=SURVEY-ap stat;
        sportsvsgpa.doc.exe

    name=a-dumb-filename.wav;otherattr=funny-chars-in-the-middle.exe
--> becomes
    name=a-dumb-filename.wav;
        otherattr=funny-chars-in-the-middle.exe

The latter should still be MIME compliant; the first reduces the possibility of
misinterpreting the filename.

What about throwing away MIME attribute components without an equal sign?

Bye,
--
Steffen Kaiser
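
A quote-aware version of the two ideas in this message (fold at unquoted semicolons, set aside components that have no equal sign), as an added Perl example that is not part of the original post or of MIMEDefang. The function names and the third sample value are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Split a Content-Type value at semicolons that sit outside double quotes.
# Inside quotes a backslash escapes the next character.
sub split_unquoted_semicolons {
    my ($value) = @_;
    my @parts;
    my ($cur, $in_quote) = ('', 0);
    my @chars = split //, $value;
    for (my $i = 0; $i < @chars; $i++) {
        my $c = $chars[$i];
        if ($in_quote && $c eq '\\' && $i < $#chars) {
            $cur .= $c . $chars[++$i];      # keep the escaped pair together
        } elsif ($c eq '"') {
            $in_quote = !$in_quote;
            $cur .= $c;
        } elsif ($c eq ';' && !$in_quote) {
            push @parts, $cur;              # unquoted semicolon ends a component
            $cur = '';
        } else {
            $cur .= $c;
        }
    }
    push @parts, $cur;
    s/^\s+|\s+$//g for @parts;              # trim each component
    return grep { length } @parts;
}

# Refold one component per line. Components after the media type that lack
# '=' are left out of the header and returned so the caller can log them.
sub refold {
    my ($value) = @_;
    my ($type, @params) = split_unquoted_semicolons($value);
    $type = '' unless defined $type;
    my @kept    = grep { m/=/ } @params;
    my @dropped = grep { !m/=/ } @params;
    return (join(";\n\t", $type, @kept), \@dropped);
}

# Sample inputs: the two values from the thread, plus a constructed quoted one.
for my $v ('audio/x-midi; name=SURVEY-ap stat;sportsvsgpa.doc.exe',
           'audio/x-midi; name=a-dumb-filename.wav;otherattr=funny-chars-in-the-middle.exe',
           'audio/x-midi; name="quoted;semi.wav"') {
    my ($folded, $dropped) = refold($v);
    print "Content-Type: $folded\n";
    print "  no '=' (set aside): $_\n" for @$dropped;
}
```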