[Mimedefang] Minor web attachment privacy problem.
Steffen Kaiser
skmimedefang at smail.inf.fh-bonn-rhein-sieg.de
Mon Jun 30 08:50:01 EDT 2003
On Thu, 26 Jun 2003, David F. Skoll wrote:
> On Thu, 26 Jun 2003, Jeffrey Goldberg wrote:
>
> > E can conclude that someone at A's site sent the document (or that someone
> > at B's site was an intended recipient).
>
> No; E can conclude only that someone, somewhere sent the document to someone
> at B's site. (The sender might not have been at A's site.)
>
> However, you're right; this does leak a little bit of information.
>
> > Solution: Instead of taking the SHA hash of the document itself, take the
> > SHA hash of the document concatenated with some secret (but constant)
> > server key.
>
> This is a good solution. I'll implement it for 2.35.
Hmm, I was thinking about this, but found no real gain by adding a
constant key.
a) How probable is it that "E" has never received or seen a URL with
that constant key _and_ has access to the web spool area?
b) When you restart the server, the key is generated anew, I guess.
How about keeping the action_replace_with_url () function as it is now,
but letting the filter hook into the file generation process, like
defang_warning(); e.g. with url_rename () like so:
(Using the example of man mimedefang-filter)
    return action_replace_with_url("/home/httpd/html/mail_parts_cache",
                                   "http://mailserver.company.com/mail_parts",
                                   "The attachment was larger than 1,000,000 bytes.\n" .
                                   "It was removed, but may be accessed at this URL:\n\n" .
                                   "\t_URL_\n");

    # In:  1. filename generated by MIMEDefang (SHA1)
    #      2. (optional) proposed file extension (incl. leading dot)
    #      3. (optional) 1st parameter of action_replace_with_url
    #      4. (optional) 2nd parameter of action_replace_with_url
    # Out: filename to construct the URL of
    sub url_rename ($;$$$) {
        my ($mimedefangName, $ext, $localPath, $urlBase) = @_;
        # random, content-independent name for the public copy
        my $fname = substr("" . rand, 2) . $ext;
        # hard-link the cached file into the web-visible directory
        link("$localPath/$mimedefangName", "/home/httpd/html/mail_parts/$fname")
            or return undef; # arrgh, in case of error let replace_with_url()
                             # handle this?
        return $fname;
    }
So, because MIMEDefang saves the file into a directory which is _not_
available through the webserver, you do not leak information, but you
can still avoid caching the same document twice - just like now;
because the "filename" in the public web space is now a random one,
you do not leak information here either. (If one is concerned that
two or more recipients get the same random number, use stream_by_recipient.)
To clean out, one could just add the cache directory to the find, like:
CRON: find /home/httpd/html/mail_parts /home/httpd/html/mail_parts_cache \
-mtime +30 -exec rm '{}' \;
I do prefer hard links over symlinks, but that's my url_rename(), everybody
can implement a more individual setup.
If the filter does not implement url_rename (or whatsoever), the
replace_with_url function behaves exactly like now.
Maybe it would be useful to pass other information along, like
the original MIME type, filename and so on.
Bye,
--
Steffen Kaiser
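The three naming schemes discussed in this thread (the unkeyed SHA hash of the document, the hash with a server secret, and the url_rename() layout of a private content-addressed cache plus random public names), as an added Python model that is not part of MIMEDefang or this post. The sample document, the server key and the directories are constructed placeholders, and the keyed variant uses HMAC-SHA1 rather than raw concatenation.

```python
import hashlib
import hmac
import os
import secrets
import tempfile

# Constructed sample attachment and a constructed server secret (placeholders).
DOCUMENT = b"Q3 forecast spreadsheet (constructed sample attachment)"
SERVER_KEY = b"constructed-secret-key-not-a-real-one"

def unkeyed_name(doc: bytes) -> str:
    """Original scheme: the public file name is the SHA-1 of the document itself,
    so anyone holding a copy of the document can recompute the name."""
    return hashlib.sha1(doc).hexdigest()

def keyed_name(doc: bytes, key: bytes) -> str:
    """Keyed scheme: hash of document plus server secret, done here as HMAC-SHA1
    (the standard keyed construction) instead of plain concatenation."""
    return hmac.new(key, doc, hashlib.sha1).hexdigest()

class PartStore:
    """Model of url_rename(): a content-addressed cache outside the web root,
    and a public directory of hard links with random, content-independent names."""
    def __init__(self, cache_dir: str, public_dir: str) -> None:
        self.cache_dir, self.public_dir = cache_dir, public_dir

    def store(self, doc: bytes, ext: str = "") -> str:
        cached = os.path.join(self.cache_dir, unkeyed_name(doc))
        if not os.path.exists(cached):          # identical documents share one cache file
            with open(cached, "wb") as fh:
                fh.write(doc)
        public = secrets.token_hex(16) + ext    # unguessable name in the web space
        os.link(cached, os.path.join(self.public_dir, public))
        return public

def demo() -> dict:
    """Store the same document twice and report what an observer could infer."""
    with tempfile.TemporaryDirectory() as cache, tempfile.TemporaryDirectory() as pub:
        store = PartStore(cache, pub)
        first, second = store.store(DOCUMENT, ".xls"), store.store(DOCUMENT, ".xls")
        return {
            "cache_entries": len(os.listdir(cache)),
            "public_entries": len(os.listdir(pub)),
            "public_names_differ": first != second,
            "public_name_derivable": unkeyed_name(DOCUMENT) + ".xls" in (first, second),
        }
```

The cache still deduplicates identical attachments, while neither public name can be derived from the document's content.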