[Mimedefang] Executables != MS Office documents

John Barton jbarton at technicalworks.net
Wed Aug 18 15:43:35 EDT 2004


Jonas posted this code a few months ago, and I waited to see what the
response from the list was, but it never seemed to come back up. Has
anyone else implemented this code with good results? Have any changes been
made to this code, or is this ready to use as it stands?
Thanks,
-John

jbarton at technicalworks.net

>I'm not sure if it's ever been exploited or not, but considering that on
>at least one machine here MS Office helpfully executes any DOS/Win binary
>executable file with a .doc or .xls extension, I've put the following in

> $office_exts = '(doc|xml|dot|rtf|wps|xls|xlt|csv|xlw|wk4|wk3|wk1|wks|xla|mdb|adp|dbf|ppt|pot|pps|ppa|wmf|emf|mpp|mpt|mpd|pub)';
> [...]
> use File::Type;
> $filetype = File::Type->new();
> [...]

> sub filter ($$$$) {
> [...]
> 	my $re = '\.' . $office_exts;
> 	if ((re_match_ext($entity, $re) || $type =~ /\/(ms|microsoft)-?(word|access|powerpoint|excel)$/i) &&
> 			(defined($entity->bodyhandle) && defined($entity->bodyhandle->path))) {
> 		my $ft = $filetype->checktype_filename($entity->bodyhandle->path);
> 		if ($ft && $ft =~ /executable/i) {
> 			#debug_log(0,"filter: This attach would have been quarantined because it is executable: $fname");
> 			md_graphdefang_log('hidden_executable');
> 			return action_quarantine($entity,
> 				removed_part_note("A probable MS Office attachment named \"$fname\"",'seemed to be an executable file').
> 				note_footer(get_quarantine_dir(),$MsgID)
> 			);
> 		}
> 	}
> [...]
> }
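The check Jonas's filter performs (Office-looking name or MIME type, but executable content according to the file's magic bytes), as an added stand-alone example rather than code from the post or from MIMEDefang. It reuses the extension list and MIME regex quoted above; the small magic-number table is an assumption standing in for File::Type's database, and the sample attachments are constructed header fragments, not real files.

```python
import re

# Extension list and MIME regex taken from the quoted filter.
OFFICE_EXTS = re.compile(
    r'\.(doc|xml|dot|rtf|wps|xls|xlt|csv|xlw|wk4|wk3|wk1|wks|xla|mdb|adp|dbf'
    r'|ppt|pot|pps|ppa|wmf|emf|mpp|mpt|mpd|pub)$', re.IGNORECASE)
OFFICE_MIME = re.compile(r'/(ms|microsoft)-?(word|access|powerpoint|excel)$',
                         re.IGNORECASE)

# Assumption: a minimal magic-number table in place of File::Type.
MAGIC = [
    (b'MZ', 'executable'),                           # DOS/Windows PE/NE stub
    (b'\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1', 'ole2'),   # legacy .doc/.xls container
    (b'PK\x03\x04', 'zip'),                          # OOXML (.docx/.xlsx) container
    (b'{\\rtf', 'rtf'),
]


def sniff(data: bytes) -> str:
    """Classify a part by its leading bytes, ignoring its declared name/type."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return 'unknown'


def looks_like_office(filename: str, content_type: str) -> bool:
    """True when either the extension or the MIME type claims an Office document."""
    return bool(OFFICE_EXTS.search(filename or '')) or \
        bool(OFFICE_MIME.search(content_type or ''))


def hidden_executable(filename: str, content_type: str, data: bytes) -> bool:
    """True when the part claims to be Office but its content is an executable."""
    return looks_like_office(filename, content_type) and sniff(data) == 'executable'


# Constructed sample parts: (filename, Content-Type, first bytes of the body).
SAMPLES = {
    'renamed_exe': ('invoice.doc', 'application/msword', b'MZ\x90\x00\x03\x00'),
    'real_doc':    ('invoice.doc', 'application/msword',
                    b'\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00'),
    'plain_exe':   ('setup.exe', 'application/octet-stream', b'MZ\x90\x00'),
    'mime_only':   ('attachment', 'application/msword', b'MZ\x90\x00'),
}


def scan_samples() -> dict:
    """Run the check over every sample; the flagged ones would be quarantined."""
    return {name: hidden_executable(*part) for name, part in SAMPLES.items()}
```

Only the parts that combine an Office claim with executable content are flagged; a plain `.exe` is left for whatever other rule handles executables, exactly as in the quoted filter.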


