[Mimedefang] Archive::Zip problem?

Cormack, Ken kcormack at acs.roadway.com
Thu Mar 4 13:48:09 EST 2004


List,

Two days ago, we incorporated the Archive::Zip functionality (along with a
few suggested improvements) into our filter.  That code is below.

We saw this log entry in today's logs (we haven't looked back yet to see how
many times this has occurred).

Mar  4 09:47:19 mail01 mimedefang-multiplexor: Slave 11 stderr: called at /etc/mail/mimedefang-filter line 527
^Imain::filter('MIME::Entity=HASH(0x97646b8)','Document.zip','.zip','application/octet-stream') called at /usr/local/bin/mimedefang.pl line 513
^Imain::rebuild_entity('MIME::Entity=HASH(0x91211dc)','MIME::Entity=HASH(0x97646b8)') called at /usr/local/bin/mimedefang.pl line 4705
^Imain::do_scan('/var/spool/MIMEDefang/mdefang-i24ElHuN024909') called at /usr/local/bin/mimedefang.pl line 4322
^Imain::do_main_loop() called at /usr/local/bin/mimedefang.pl line 4284
^Imai

We have Archive::Zip 1.09 from CPAN installed, and its dependencies are
good as well.  For reference, I've indicated in the code below which line
numbers are which, as referenced in the log messages above.

I've indicated which line below is line 527 in my filter.  Watch out for
line-wrap.

    # 'use' is compile-time, so these belong at the top of the filter rather
    # than inside the branch; shown here so the snippet is self-contained.
    use Archive::Zip qw(:ERROR_CODES);
    use File::Scan;

    if (lc($ext) =~ /\.zip$/) {
        my $path = $entity->bodyhandle->path;
        my $zip = Archive::Zip->new();
        # Filter line 527, the one named in the log trace above.  read()
        # returns a status code; on a corrupt or non-zip file it first hands
        # its error text to Archive::Zip's error handler (Carp::carp by
        # default, i.e. stderr) and then returns something other than AZ_OK.
        if ($zip->read($path) == AZ_OK) {
            md_syslog('debug', "Scanning zip file, Path=$path");
            my $tfname = Archive::Zip::tempFileName('.');
            my @members = $zip->members();
            foreach my $member (@members) {
                my $file = $member->fileName();
                # Size as declared in the member header (not verified by
                # inflating), which is enough to refuse obvious zip bombs.
                my $size = $member->uncompressedSize();
                md_syslog('debug', "Scanning zip entry $file, size=$size");
                # Approx. 50MB size limit
                if ($size > 50e6) {
                    md_graphdefang_log('Archive member too big', $file, $RelayAddr);
                    action_bounce("Archive member $file too big");
                    return;
                }

                # Directory entries carry no data to extract or scan, and
                # extracting one would leave a directory at $tfname.
                next if $member->isDirectory();

                if ($member->isEncrypted()) {
                    # No password, so the member can only be judged by name.
                    md_syslog('debug', "scanning Encrypted ZIP member $file");
                    my $bad_exts = '(ade|adp|app|asd|asf|asx|b64|bas|bat|bhx|ceo|chm|cmd|com|cpl|crt|dll|exe|fxp|hlp|hqx|hta|hto|inf|ini|ins|isp|js|jse?|lib|lnk|mim|mp3|msc|msi|msp|mst|ocx|ops|pcd|pif|prf|prg|rar|reg|scf|scr|sct|sh|shb|shs|sys|url|uu|uue|vb|vbe|vbs|vcf|vcs|vxd|wav|wma|wmd|wms|wmz|wsc|wsf|wsh|xxe|\{[^\}]+\})';
                    my $re = '\.' . $bad_exts . '\.*([^-A-Za-z0-9_.,]|$)';
                    if (lc($file) =~ /$re/) {
                        md_graphdefang_log('Encrypted_badfile', $file, $RelayAddr);
                        action_notify_administrator("A file called $file was detected in an encrypted ZIP file attached to an incoming e-mail - quarantined.");
                        action_quarantine_entire_message("An encrypted ZIP attachment containing $file was removed from this document as it\nconstituted a security hazard.  If you require this document, please contact\nInformation Security to arrange for it to be released.\n");
                        action_discard();
                        return;
                    }
                    md_syslog('warning', "Encrypted file $file");
                } else {
                    # Extract to the temp file and hand it to the scanner.
                    # Check the status, otherwise a failed extraction would
                    # scan whatever (if anything) is left at $tfname.
                    if ($zip->extractMember($member, $tfname) != AZ_OK) {
                        md_syslog('warning', "Could not extract ZIP entry $file from $path");
                        unlink($tfname);
                        next;
                    }
                    md_syslog('debug', "Scanning ZIP entry $file");
                    my $scanner = File::Scan->new;
                    my $virus = $scanner->scan($tfname);
                    unlink($tfname);
                    if ($virus) {
                        md_graphdefang_log('virus-zip', $virus, $RelayAddr);
                        action_discard();
                        return;
                    }
                }
            }
        } else {
            # read() failed: Archive::Zip could not parse the attachment, so
            # none of its contents have been scanned.  Without this branch
            # the message would simply fall through unlogged.
            md_syslog('warning', "Could not read ZIP attachment $path; contents not scanned");
        }
    }

KEN CORMACK, RHCE
Sr. UNIX Systems Analyst,
    Open Systems Group
Sr. Software Analyst,
    TSG Midrange Systems Group
AFFILIATED COMPUTER SERVICES, INC.
    557 E. Tallmadge Ave., Akron, OH  44310
    mailto:kcormack at acs.roadway.com
    mailto:ken.cormack at acs-inc.com
    Phone: (330) 643-6372
    Fax: (330) 643-6367
    Pager: (800) 946-4646 Pin 1412819

"If that that is 'is' is that that is not 'not is', is that that is 'not is'
that that is not 'is'?  It is!" - Ken Cormack

"Sendmail administration is not black magic.  There are legitimate technical
reasons why it requires the sacrificing of a live chicken." - Unknown
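
Added example (editor's code, not Ken's filter and not part of MIMEDefang or
Archive::Zip): a stand-alone Perl script that runs Archive::Zip->read() on
three constructed ".zip" files, a valid archive, an HTML page given a .zip
name, and a truncated copy of the valid archive, and installs
Archive::Zip::setErrorHandler so that the error text read() emits lands in a
variable instead of on stderr (stderr is what the multiplexor relays into the
"Slave N stderr:" log line).  The inspect_zip sub, the sample files and the
error handler are assumptions made for the demonstration; it mirrors only the
"if ($zip->read($path) == AZ_OK)" decision of the filter above and uses no
MIMEDefang functions, so it runs anywhere Archive::Zip is installed.  The two
malformed samples come back with a format-error status, which is the path on
which a filter with no else branch lets the attachment through unscanned.

```perl
#!/usr/bin/perl
# Added example, not part of the original post or of MIMEDefang.
# Exercises Archive::Zip->read() on three constructed ".zip" files and
# captures Archive::Zip's own error text with setErrorHandler instead of
# letting it go to stderr.
use strict;
use warnings;
use Archive::Zip qw(:ERROR_CODES :CONSTANTS);
use File::Spec;
use File::Temp qw(tempdir);

my $dir = tempdir(CLEANUP => 1);

# Sample 1 (constructed): a well-formed archive with one file member.
my $good = File::Spec->catfile($dir, 'good.zip');
{
    my $zip = Archive::Zip->new();
    my $m = $zip->addString("hello from inside the zip\n", 'readme.txt');
    $m->desiredCompressionMethod(COMPRESSION_DEFLATED);
    $zip->writeToFileNamed($good) == AZ_OK or die "cannot write $good";
}

# Sample 2 (constructed): not a zip at all, just an HTML page carrying a
# .zip name, as a sender or a broken gateway might produce.
my $fake = File::Spec->catfile($dir, 'fake.zip');
{
    open my $fh, '>', $fake or die "$fake: $!";
    binmode $fh;
    print {$fh} "<html><body>This is not an archive.</body></html>\n";
    close $fh;
}

# Sample 3 (constructed): the first half of the good archive, so the
# central directory and end-of-central-directory record are missing.
my $trunc = File::Spec->catfile($dir, 'trunc.zip');
{
    open my $in, '<', $good or die "$good: $!";
    binmode $in;
    my $bytes = do { local $/; <$in> };
    close $in;
    open my $out, '>', $trunc or die "$trunc: $!";
    binmode $out;
    print {$out} substr($bytes, 0, int(length($bytes) / 2));
    close $out;
}

# Archive::Zip reports a problem by calling its error handler (default
# Carp::carp, i.e. stderr) and then returning a non-AZ_OK status.  Keep the
# text ourselves; inside a MIMEDefang filter the handler would call
# md_syslog('warning', ...) instead.
my $last_zip_error = '';
Archive::Zip::setErrorHandler(sub {
    $last_zip_error = join(' ', @_);
    $last_zip_error =~ s/\s+$//;
});

my %status_name = (
    AZ_OK()           => 'AZ_OK',
    AZ_STREAM_END()   => 'AZ_STREAM_END',
    AZ_ERROR()        => 'AZ_ERROR',
    AZ_FORMAT_ERROR() => 'AZ_FORMAT_ERROR',
    AZ_IO_ERROR()     => 'AZ_IO_ERROR',
);

# Same decision as the filter's "if ($zip->read($path) == AZ_OK)": only an
# archive that parses cleanly is walked member by member.  Returns one report
# line per file so the outcome of each sample is visible.
sub inspect_zip {
    my ($path) = @_;
    $last_zip_error = '';
    my $zip    = Archive::Zip->new();
    my $status = $zip->read($path);
    if ($status != AZ_OK) {
        # The branch a filter without an else block never reports: the
        # attachment would pass with none of its contents scanned.
        return sprintf("%s: read() returned %s [%s]; NOT scanned",
            $path, $status_name{$status} || $status, $last_zip_error);
    }
    my @files = grep { !$_->isDirectory() } $zip->members();
    return sprintf("%s: %d file member(s): %s", $path, scalar(@files),
        join(', ', map { $_->fileName() . ' (' . $_->uncompressedSize() . ' bytes)' } @files));
}

print inspect_zip($_), "\n" for ($good, $fake, $trunc);
```

Run it as an unprivileged user; it needs no MIMEDefang environment.  The
handler installed with setErrorHandler is process-wide, so in a real filter
it should be set once at load time, not per message.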



More information about the MIMEDefang mailing list