[Mimedefang] Minor web attachment privacy problem.

Steffen Kaiser skmimedefang at smail.inf.fh-bonn-rhein-sieg.de
Mon Jun 30 08:50:01 EDT 2003


On Thu, 26 Jun 2003, David F. Skoll wrote:

> On Thu, 26 Jun 2003, Jeffrey Goldberg wrote:
>
> > E can conclude that someone at A's site sent the document (or that someone
> > at B's site was an intended recipient).
>
> No; E can conclude only that someone, somewhere sent the document to someone
> at B's site.  (The sender might not have been at A's site.)
>
> However, you're right; this does leak a little bit of information.
>
> > Solution:  Instead of taking the SHA hash of the document itself, take the
> > SHA hash of the document concatenated with some secret (but constant)
> > server key.
>
> This is a good solution.  I'll implement it for 2.35.

Hmm, I was thinking about this, but found no real gain by adding a
constant key.

a) How probable is it that "E" has never received or seen a URL with
that constant key _and_ has access to the web spool area?
b) When you restart the server, the key is generated anew, I guess.

How about keeping the action_replace_with_url() function as it is now,
but letting the filter hook into the file generation process, like
defang_warning(); e.g. with url_rename() like so:
(Using the example of man mimedefang-filter)

	return action_replace_with_url("/home/httpd/html/mail_parts_cache",
		"http://mailserver.company.com/mail_parts",
		"The attachment was larger than 1,000,000 bytes.\n" .
		"It was removed, but may be accessed at this URL:\n\n" .
		"\t_URL_\n");


# In:  1. filename generated by MIMEDefang (SHA1)
#      2. (optional) proposed file extension (incl. leading dot)
#      3. (optional) 1st parameter of action_replace_with_url (local cache path)
#      4. (optional) 2nd parameter of action_replace_with_url (URL base, unused here)
# Out: filename to construct the URL of, or undef on failure
sub url_rename ($;$$$) {
	my ($mimedefangName, $ext, $localPath, $urlBase) = @_;
	$ext = '' unless defined $ext;

	# Public name: the decimal digits of a random number plus the extension.
	my $fname = substr("" . rand(), 2) . $ext;

	# Hard-link the SHA1-named copy in the private cache into web space.
	link("$localPath/$mimedefangName", "/home/httpd/html/mail_parts/$fname")
		or return undef;	# arrgh, in case of error let
					# replace_with_url() handle this?

	return $fname;
}

So, because MIMEDefang saves the file into a directory which is _not_
available through the webserver, you do not leak information, but you
can avoid caching the same document twice - just like now;
because the "filename" in the public web space is a random one now,
you do not leak information here either. (If one is concerned
that two or more recipients get the same random number, use stream_by_recipient.)

To clean up, one could just add the cache directory to the find, like:

CRON: find /home/httpd/html/mail_parts /home/httpd/html/mail_parts_cache	\
	-mtime +30 -exec rm '{}' \;

I do prefer hard links over symlinks, but that's my url_rename(); everybody
can implement a more individual setup.

If the filter does not implement url_rename (or whatsoever), the
replace_with_url function behaves exactly like now.

Maybe it would be useful to pass other information along, like
the original MIME type, filename and so on.

Bye,

-- 
Steffen Kaiser
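As an added example (not part of this post and not MIMEDefang's own code), the following Python model puts the three naming schemes discussed in this thread side by side so their privacy properties can be checked on a throw-away directory tree: the plain SHA1-of-document name, the keyed-hash name David proposed (realised here as HMAC-SHA1, the standard construction for "hash the document with a secret key"), and the url_rename idea above, where the SHA1-named copy stays in a private cache and is hard-linked into web space under a random name. The directory names, the base URL and the sample document are constructed for the demo, and secrets.token_hex stands in for Perl's rand() as the source of the public name.

```python
"""Constructed demo of the three attachment-naming schemes from the thread."""
import hashlib
import hmac
import os
import secrets
import tempfile

# Constructed placeholder; a real filter would use the site's own URL base.
PUBLIC_URL_BASE = "http://mailserver.example.com/mail_parts"


class AttachmentCache:
    def __init__(self, cache_dir, web_dir, server_key):
        self.cache_dir = cache_dir   # private spool, NOT served (mail_parts_cache)
        self.web_dir = web_dir       # exposed by the web server (mail_parts)
        self.server_key = server_key
        os.makedirs(cache_dir, exist_ok=True)
        os.makedirs(web_dir, exist_ok=True)

    def _public_path(self, name):
        return os.path.join(self.web_dir, name)

    # Scheme 1: name = SHA1(document).  Whoever already holds the document
    # can recompute the name and probe the web server for it.
    def publish_plain_hash(self, data):
        name = hashlib.sha1(data).hexdigest()
        with open(self._public_path(name), "wb") as fh:
            fh.write(data)
        return f"{PUBLIC_URL_BASE}/{name}"

    # Scheme 2: keyed hash of the document (HMAC-SHA1 with a server secret).
    # Without the key the name cannot be derived from the document alone.
    def publish_keyed_hash(self, data):
        name = hmac.new(self.server_key, data, hashlib.sha1).hexdigest()
        with open(self._public_path(name), "wb") as fh:
            fh.write(data)
        return f"{PUBLIC_URL_BASE}/{name}"

    # Scheme 3 (url_rename): keep the SHA1-named copy in the private cache so
    # identical documents are stored once, and hard-link it into web space
    # under a random, unguessable name.
    def publish_random_link(self, data):
        cache_path = os.path.join(self.cache_dir, hashlib.sha1(data).hexdigest())
        if not os.path.exists(cache_path):
            with open(cache_path, "wb") as fh:
                fh.write(data)
        name = secrets.token_hex(16)  # 128 random bits
        os.link(cache_path, self._public_path(name))
        return f"{PUBLIC_URL_BASE}/{name}", cache_path


def outsider_guess(data):
    """What party E, holding only the document, can compute on their own."""
    return f"{PUBLIC_URL_BASE}/{hashlib.sha1(data).hexdigest()}"


def demo():
    root = tempfile.mkdtemp()
    cache = AttachmentCache(os.path.join(root, "mail_parts_cache"),
                            os.path.join(root, "mail_parts"),
                            server_key=secrets.token_bytes(32))
    doc = b"constructed sample attachment body"  # constructed input
    plain = cache.publish_plain_hash(doc)
    keyed = cache.publish_keyed_hash(doc)
    url1, path1 = cache.publish_random_link(doc)   # same document sent twice
    url2, path2 = cache.publish_random_link(doc)
    return {
        "plain_guessable": outsider_guess(doc) == plain,
        "keyed_guessable": outsider_guess(doc) == keyed,
        "random_guessable": outsider_guess(doc) in (url1, url2),
        "random_urls_differ": url1 != url2,
        # one cache file plus two public hard links -> link count 3
        "cached_once": path1 == path2 and os.stat(path1).st_nlink == 3,
        "cache_entries": len(os.listdir(cache.cache_dir)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Only the plain-hash URL is reproducible by an outsider from the document; the keyed and random names are not, and the hard-link scheme still stores a document sent twice only once, which is the dedup property the post wants to keep.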
