[Mimedefang] filename matching in filter_bad_filename

[Graham Dunn]

On Mon, Jun 14, 2004 at 03:37:13PM -0400, David F. Skoll wrote:
> On Mon, 14 Jun 2004, Graham Dunn wrote:
> 
> > OK, even with this in there, I'm still hitting the code that checks for
> > bad zips.
> 
> [...]
> 
> >     return 1 if (re_match($entity, $re));
> >     return 0 if (re_match($entity, $secret));
> 
> Ponder the order of those two statements...

OK ...

pondering "return 1 if (re_match($entity, $re));"

at this point, $re = '\.' . $bad_exts . '\.*$'; and there's no match,
because Content-Disposition.filename, Content-Type.name or
Content-Description is .zip, which is not in $re.

on to "return 0 if (re_match($entity, $secret));"

at this point, compare Content-Disposition.filename, Content-Type.name
or Content-Description against $secret (which is '^itc.*\.zip$'). As the
filename is itc-blah.zip, I'm seeing a match on "if  ((re_match($entity,
'\.zip$')) {...}" and as the zip contains an exe, it's getting nabbed by
re_match_in_zip_directory().

As to the order, am I wrong in thinking that the logic is:

1) re_match($entity, $re) evaluates to 0, so don't return 1, move to the
next line,
2) re_match($entity, $secret) evaluates to 1, so return 0 to this if
statement:

 if (filter_bad_filename($entity)) {
        md_graphdefang_log('bad_filename', $fname, $type);
        return action_drop_with_warning("An attachment named $fname was
	removed from this document as it\nconstituted a security hazard.  If you
	require this document, please contact\nthe sender and arrange an
	alternate means of receiving it.\n");
 }

so no md_graphdefang_log, and no return action_drop_with_warning should
be called?

However, this is not what reality is showing me, so I humbly request
correction :]

Thanks,
Graham