[Mimedefang] Bad, bad_filename filtering ?

James B. Huber jbh at genesis-net.net
Thu Oct 9 07:01:01 EDT 2003


Thank You Alan,
 Changing the $re line as you suggested does indeed work,
many thanks. The new correct line is:
$re = '\.' . $bad_exts . '\.*([^-A-Za-z0-9_.,])$';
However, I still need to

Steffen Kaiser explained (or pointed out) reasons
for this "broken" behavior:
On Thu, 2003-10-09 at 03:08, Steffen Kaiser wrote: 
> On Wed, 8 Oct 2003, James B. Huber wrote:
> 
> > First question, why are we checking anything of a
> > "path" component in the bad_filename check ? Or perhaps
> > better asked, why are we NOT calling the filename
> 
> The reasons had been explained in the past, see e.g.:
> http://lists.roaringpenguin.com/pipermail/mimedefang/2003-September/008021.html
> http://lists.roaringpenguin.com/pipermail/mimedefang/2003-March/004636.html
> 
In particular David Skoll said:
>That's a feature, not a bug. :-)  Consider these two malformed MIME
>headers:
>
>Content-Disposition: attachment; filename=test.com example.txt
>Content-Disposition: attachment; filename=example.txt test.com
>
>Consider the myriad ways buggy MUA's might handle that, and then you
>understand the reason behind the excessively-conservative regular
>expression.

David/Steffen,
  I don't understand what "bad" thing you believe some buggy MUA's
might do in the above example. But...I do not see it is relevant to
my question:
>First question, why are we checking anything of a
>"path" component in the bad_filename check ? Or perhaps
>better asked, why are we NOT calling the filename
>what comes after DIRSEP (either "/" or "\" depending
>upon your *NIX/Dos) ?

Shouldn't we actually be parsing out the filename stripping
any "path" component so we actually only get the filename 
portion ? This would not affect either of the 2 examples
David points out....

Am I missing something ?


Regards,
Jim
--

On Wed, 2003-10-08 at 21:31, alan premselaar wrote:
> On 10/9/03 10:15 AM, "James B. Huber" <jbh at genesis-net.net> wrote:
> 
> > Thanks Alan,
> > However that is what both the "default" recommended
> > and linux.org mimedefang-filter modules do. The code
> > looks like this (Pardon the long line):
> >   $bad_exts =
> > '(ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|fxp|hlp|hta|hto|
> > inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|prg|reg|scr|s
> > ct|sh|shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|wsh|\{[^\}]+\})';
> >   # Do not allow:
> >   # - CLSIDs  {foobarbaz}
> >   # - bad extensions (possibly with trailing dots) at end or
> >   #   followed by non-alphanum
> >   $re = '\.' . $bad_exts . '\.*([^-A-Za-z0-9_.,]|$)';
> 
> try removing the | from the line above just before the $, and put the $ on
> the outside of the () grouping.  i'm not sure off the top of my head, but i
> suspect that will do what you expect it to do.
> 
> 
> also, if your intention is to say (in your grouping) "any character that is
> not a = A-z 0-9 _ . ,     then you might need to escape the - (i.e. \-) as
> it has obvious special meaning (as seen in A-Za-z0-9) and also might be
> getting confused.  although again, that's off the top of my head and i'm not
> sure if i'm right about that.
> 
> hope this helps
> 
> alan
-- 
======================================================================
James B. Huber                                     jbh at genesis-net.net
Genesis NETwork Services, Inc.                          (407) 678-7510
======================================================================
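
Added example (not part of the original message and not MIMEDefang's own code): a small Perl harness for regression-testing a bad_filename pattern before deploying it. It runs the two $re variants quoted in this thread, plus the quoted default pattern applied after stripping any path component, over constructed sample names. The shortened extension list, the strip_path helper, the sample names and the case-insensitive matching are assumptions made for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Shortened extension list for the demo; the $bad_exts quoted in the thread is longer.
my $bad_exts = '(bat|com|exe|pif|scr|vbs|\{[^\}]+\})';

# Pattern quoted in the thread from the default filter: "|$" inside the group.
my $re_default = '\.' . $bad_exts . '\.*([^-A-Za-z0-9_.,]|$)';
# Pattern posted in this message: "$" moved outside the group.
my $re_changed = '\.' . $bad_exts . '\.*([^-A-Za-z0-9_.,])$';

# Compile once; case-insensitive matching is an assumption of this demo.
my $default = qr/$re_default/i;
my $changed = qr/$re_changed/i;

# Hypothetical helper: keep only what follows the last "/" or "\".
sub strip_path {
    my ($name) = @_;
    $name =~ s{^.*[/\\]}{};
    return $name;
}

# Constructed sample names, including the two malformed header values
# quoted from David Skoll above.
my @samples = (
    'test.com example.txt',
    'example.txt test.com',
    'invoice.exe',
    'invoice.exe.',
    'invoice.exe ',
    'C:\\my.com\\notes.txt',
    'report.txt',
);

printf "%-24s %-8s %-8s %s\n", 'filename', 'default', 'changed', 'default+strip';
for my $f (@samples) {
    my $base = strip_path($f);
    printf "%-24s %-8s %-8s %s\n", "[$f]",
        ($f    =~ $default ? 'BAD' : 'ok'),
        ($f    =~ $changed ? 'BAD' : 'ok'),
        ($base =~ $default ? 'BAD' : 'ok');
}
```

With "$" outside the group, the pattern requires exactly one character outside the allowed class between the extension and the end of the string, so compare the "changed" column for names that end directly in a listed extension before relying on it.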
