[Mimedefang] hi, and question about mimedefang-filter (filter_bad_filename)

Mitch at 0Bits.COM Mitch at 0Bits.COM
Tue Jul 29 18:37:02 EDT 2003


Alternatively, my take on this is that since Mozilla/Netscape does
use filenames as the actual link when sending a link and does this
as a non-URL-encoded name, I've changed this in my filter() from

   if (filter_bad_filename($entity)) {

to

   if (($type ne "text/html") and filter_bad_filename($entity)) {

This way "real" attachments still get checked for "bad" filenames,
but embedded attachments from browsers don't have their filenames
checked, since it's pretty useless to do so, as most mail clients will
display this inline anyway.

I've tried this with your test case (use "Send Page" in Mozilla/Netscape)
and it works fine.

Cheers
Mitch

-------- Original Message --------
Subject: Re: [Mimedefang] hi, and question about mimedefang-filter (filter_bad_filename)
Date: Tue, 29 Jul 2003 18:06:09 -0400
From: Kevin A. McGrail <kmcgrail at pccc.com>
Reply-To: mimedefang at lists.roaringpenguin.com
To: <mimedefang at lists.roaringpenguin.com>
References: <03072917211106.20269d94.66840252 at PSFC.MIT.EDU>

Mark,

I can't disagree that the problem will exist in other browsers/email
clients, etc. and Netscape 7.1 was based on Mozilla 1.4 so what you are
saying makes sense.  For all intents, I consider Mozilla and Netscape as
one entity though I should be more specific.

However, if your users are Windows-based, my opinion is that these
attachments should be blocked.  If this is seriously problematic, you
could probably remove it from the bad_extensions list and then add a
routine to do an if re_match for .com that then checks if the attachment is
an HTML file attached and not an exe.

This is just theoretical but I think that should be fundamentally simple.
The problem is whether confirming the MIME type is enough.  Anyway, the
default filter calls filter_bad_filename in two places but the following
better-than-pseudo-code might get you started:

# Generic bad-filename check (with .com removed from the bad_extensions list)
if (filter_bad_filename($entity)) {
        md_graphdefang_log('bad_filename', $fname, $type);
        return action_quarantine($entity,
            "An attachment named $fname was removed from this document as it\n" .
            "constituted a security hazard.  If you require this document, please contact\n" .
            "the sender and arrange an alternate means of receiving it.\n");
# .com names are still quarantined unless the part is declared text/html
} elsif (re_match($entity, '\.com\.*([^-A-Za-z0-9_.,]|$)') and $type ne "text/html") {
        md_graphdefang_log('bad_filename', $fname, $type);
        return action_quarantine($entity,
            "An attachment named $fname was removed from this document as it\n" .
            "constituted a security hazard.  If you require this document, please contact\n" .
            "the sender and arrange an alternate means of receiving it.\n");
}

Regards,

KAM
----- Original Message -----
From: "Mark London" <mrl at PSFC.MIT.EDU>

> The problem is also present in the latest version of Mozilla. If you do a
> "Send Page", to mail a web page to someone, you get the URL as the filename:
>

_______________________________________________
MIMEDefang mailing list
MIMEDefang at lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
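
Added example (not part of the thread and not MIMEDefang code): a stand-alone Perl script on the question raised above, whether the declared MIME type alone is enough to exempt a part from the ".com" filename check. The function names, the URL-name and body-markup heuristics, and the sample parts are assumptions constructed for illustration; it does not call the MIMEDefang API.

```perl
#!/usr/bin/perl
# Added example: plain Perl, does not load MIMEDefang. All names are hypothetical.
use strict;
use warnings;

# The '.com' pattern quoted in the thread; /i is this example's assumption.
my $COM_RE = qr/\.com\.*([^-A-Za-z0-9_.,]|$)/i;

# Rule discussed in the thread: skip the check whenever the declared type is text/html.
sub type_only {
    my ($fname, $type) = @_;
    return ($type ne 'text/html' && $fname =~ $COM_RE) ? 'quarantine' : 'accept';
}

# Stricter exemption: the name must be a URL, the type text/html, and the first
# bytes of the decoded body must look like HTML markup (a heuristic).
sub strict_rule {
    my ($fname, $type, $head) = @_;
    return 'accept' unless $fname =~ $COM_RE;
    my $url_name  = $fname =~ m{\Ahttps?://}i;
    my $html_type = lc($type) eq 'text/html';
    my $html_body = $head =~ /\A\s*<(?:!DOCTYPE|html|head|body|!--)/i;
    return ($url_name && $html_type && $html_body) ? 'accept' : 'quarantine';
}

# Constructed sample parts: [filename, declared type, first bytes of body].
my @parts = (
    ['http://www.example.com/', 'text/html',                '<html><head><title>x</title>'],
    ['setup.com',               'application/octet-stream', "MZ\x90\x00"],
    ['setup.com',               'text/html',                "MZ\x90\x00"],
    ['http://www.example.com/', 'text/html',                "MZ\x90\x00"],
    ['notes.txt',               'text/plain',               'hello'],
);

printf "%-26s %-26s %-11s %s\n", 'filename', 'declared type', 'type-only', 'strict';
for my $p (@parts) {
    my ($fname, $type, $head) = @$p;
    printf "%-26s %-26s %-11s %s\n", $fname, $type,
        type_only($fname, $type), strict_rule($fname, $type, $head);
}
```

The third and fourth sample parts are where the two rules differ: the declared type says text/html, but the name or the body does not fit a mailed web page.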



