[Mimedefang] Password protected Bagle.F
Michal Jankowski
Michal.Jankowski at fuw.edu.pl
Mon Mar 1 19:18:17 EST 2004
"David F. Skoll" <dfs at roaringpenguin.com> writes:
> AFAIK, you can always list the contents of a zip file, even a
> password-protected one. I guess it's time to look inside zip archives
> for banned filenames. :-(
I've written some code to look into zip archives to run File::Scan on
archive members. Adding checking for encryption is now easy 8-) Note:
this isn't much tested, proceed with caution:
#------------------------------------------------------------------------------
if (lc($ext) =~ /\.zip$/) {
    use Archive::Zip qw(:ERROR_CODES);
    my $path = $entity->bodyhandle->path;
    my $zip = Archive::Zip->new();
    if ($zip->read($path) == AZ_OK) {
        # Scratch file that unencrypted members are extracted to for scanning
        my $tfname = Archive::Zip::tempFileName('.');
        my @members = $zip->members();
        foreach my $member (@members) {
            my $file = $member->fileName();
            # Size declared in the archive headers; refuse oversized members
            # before anything is extracted
            my $size = $member->uncompressedSize();
            if ($size > 50e6) {
                md_graphdefang_log('Archive member too big ', $file, $RelayAddr);
                action_bounce("Archive member $file too big");
                return;
            }
            if ($member->isEncrypted()) {
                # Encrypted members cannot be scanned, so judge them by name
                if (lc($file) =~ /\.(ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|fxp|hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|prg|reg|scr|sct|sh|shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|wsh)$/) {
                    md_graphdefang_log('Encrypted file', $file, $RelayAddr);
                    action_bounce("Encrypted files of this type not allowed here");
                    # or discard, or quarantine, or whatever
                    return;
                }
                md_syslog('warning', "Encrypted file $file");
            } else {
                # Unencrypted member: extract it and run File::Scan over it
                $zip->extractMember($member, $tfname);
                use File::Scan;
                my $scanner = File::Scan->new;
                my $virus = $scanner->scan($tfname);
                unlink($tfname);
                if ($virus) {
                    md_graphdefang_log('virus-zip', $virus, $RelayAddr);
                    action_discard();
                    return;
                }
            }
        }
    }
}
#------------------------------------------------------------------------------
MJ
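
The point in the quoted text, that member names can be listed even from a password-protected zip, follows from the format: traditional ZIP encryption covers member data only, while the central directory keeps each name and an "encrypted" flag (bit 0 of the general-purpose flags) in the clear. The sketch below is an added example, not part of the original post; it reads both fields with core Perl only, and make_zip, list_members, the sample file names and the shortened extension list are constructed for illustration.

```perl
use strict; use warnings;

# Extensions to refuse when encrypted; a short subset of the list in the post.
my $BANNED = qr/\.(bat|cmd|com|exe|pif|scr|vbs)$/i;

# Build a constructed one-member archive in memory. Bit 0 of $flags marks the
# member as encrypted; the payload bytes are opaque filler, never decrypted.
sub make_zip {
    my ($name, $flags, $data) = @_;
    my $len   = length($data);
    my $local = pack('V v5 V3 v2', 0x04034b50, 20, $flags, 0, 0, 0,
                     0, $len, $len, length($name), 0) . $name . $data;
    my $cdir  = pack('V v6 V3 v5 V2', 0x02014b50, 20, 20, $flags, 0, 0, 0,
                     0, $len, $len, length($name), 0, 0, 0, 0, 0, 0) . $name;
    my $eocd  = pack('V v4 V2 v', 0x06054b50, 0, 0, 1, 1,
                     length($cdir), length($local), 0);
    return $local . $cdir . $eocd;
}

# Read names and encryption flags from the central directory, located via
# the end-of-central-directory record at the tail. No password is needed.
sub list_members {
    my ($zip) = @_;
    my $eocd = rindex($zip, "PK\x05\x06");
    return if $eocd < 0 || length($zip) - $eocd < 22;
    # Entry count at offset 10, central directory offset at offset 16
    my ($count, $pos) = unpack('x10 v x4 V', substr($zip, $eocd, 22));
    my @members;
    for (1 .. $count) {
        last if $pos + 46 > length($zip);
        # Flags at offset 8; name/extra/comment lengths at offset 28
        my ($sig, $flags, $nlen, $xlen, $clen) =
            unpack('V x4 v x18 v3', substr($zip, $pos, 46));
        last if $sig != 0x02014b50;
        push @members, { name      => substr($zip, $pos + 46, $nlen),
                         encrypted => ($flags & 0x0001) ? 1 : 0 };
        $pos += 46 + $nlen + $xlen + $clen;
    }
    return @members;
}

# Constructed samples: an "encrypted" executable and a plain text file.
for my $zip (make_zip('sample.exe', 0x0001, "\xde\xad\xbe\xef" x 4),
             make_zip('notes.txt',  0x0000, "hello\n")) {
    for my $m (list_members($zip)) {
        my $verdict = $m->{encrypted} && $m->{name} =~ $BANNED ? 'reject'
                    : $m->{encrypted}                          ? 'warn'
                    :                                            'scan';
        printf "%-10s encrypted=%d -> %s\n", $m->{name}, $m->{encrypted}, $verdict;
    }
}
```

The three verdicts mirror the branches in the filter code above: bounce an encrypted member with a banned extension, log other encrypted members, and extract and scan everything else.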