[Mimedefang] Alternative zip blocking code

Paul Murphy pmurphy at ionixpharma.com
Fri Mar 5 13:36:55 EST 2004


Chris,

Some observations:

1.  You don't check the size of Zip members before uncompressing them, which can
lead to denial of service attacks.  To demonstrate this, on Linux/*nix, try:
		dd if=/dev/zero bs=1024 count=80000 | zip test.zip -
What you get is an 80Kb file which uncompresses to 80Mb, so scale that up a
little and imagine the fun of trying to scan it.  Interestingly, this takes much
longer to compress using zip than using gzip, but produces very similar results.
I wonder why?  I suspect that zip using the "-" argument to read from stdin
actually creates a temporary file, dumps the input into it, processes the temp
file, then deletes it.  Is that useless or what?

2.  There are many nesting methods for zip files, including jar, bzp, tgz, and
so on, as well as the more obscure .mht file which IE produces if you archive a
whole page.  You need to check for all of them, or only allow a restricted list
of file types as contents (probably not workable in most cases).

3.  In general, nested ZIP files are a waste of time, so they're unlikely to be
seen in valid e-mail unless someone has sent a zip of a whole folder structure
which also has a zip in there somewhere.  My system blocks all nested content by
design, as we shouldn't see any in valid messages.

4.  Decompressing to /tmp may not be the best idea, as problems with the slave
will leave temp files lying around, whereas decompressing to the CWD
should/will(/may?) mean that the multiplexor cleans up after you.

Best Wishes,

Paul.
__________________________________________________
Paul Murphy
Head of Informatics
Ionix Pharmaceuticals Ltd
418 Science Park, Cambridge, CB4 0PA

Tel. 01223 433741
Fax. 01223 433788
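Points 1, 2 and 4 above translate into three concrete checks: inspect the sizes recorded in the central directory before decompressing anything, sniff each member for a nested archive, and cap the bytes actually produced so a forged header cannot exhaust memory or disk. The following is an added illustration of those checks, not Paul's code nor MIMEDefang's (which is Perl); it is written in Python with the standard zipfile module, the limits are assumed values, and the sample archive is constructed in the script (4 MiB of zeros, the same idea as the dd | zip command in point 1, plus a nested zip hiding behind a .dat name).

```python
import io
import os
import zipfile

# Policy limits. Assumed values for illustration, not anything MIMEDefang
# ships with; tune them to your own mail volume.
MAX_MEMBER_BYTES = 10 * 1024 * 1024   # any single member larger than this
MAX_TOTAL_BYTES = 50 * 1024 * 1024    # sum of all declared member sizes
MAX_RATIO = 100                       # uncompressed / compressed
NESTED_EXTENSIONS = {".zip", ".jar", ".gz", ".tgz", ".bz2", ".tar", ".mht"}
ARCHIVE_MAGIC = {b"PK\x03\x04": "zip", b"\x1f\x8b": "gzip", b"BZh": "bzip2"}


def nested_archive_type(zf, info):
    """Return the archive type a member looks like (by name or magic), or None.
    Only the first four bytes are decompressed, so this stays cheap even for
    a member that would expand to gigabytes."""
    ext = os.path.splitext(info.filename)[1].lower()
    if ext in NESTED_EXTENSIONS:
        return ext.lstrip(".")
    with zf.open(info) as fh:
        head = fh.read(4)
    for magic, kind in ARCHIVE_MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def inspect_zip(data):
    """Check an archive against the policy using only the central directory
    plus a 4-byte sniff; nothing is fully decompressed.
    Returns a list of (member, reason) pairs."""
    findings = []
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            total += info.file_size
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append((info.filename, "oversized"))
            if info.file_size / max(info.compress_size, 1) > MAX_RATIO:
                findings.append((info.filename, "ratio"))
            if nested_archive_type(zf, info) is not None:
                findings.append((info.filename, "nested"))
        if total > MAX_TOTAL_BYTES:
            findings.append(("*", "total"))
    return findings


def read_member_bounded(data, name, limit):
    """Decompress one member into memory but stop once more than `limit`
    bytes have come out. The declared file_size lives in headers the sender
    controls, so counting bytes as they are produced is the real safety net.
    Returns the bytes, or None when the limit was exceeded."""
    out = bytearray()
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(name) as fh:
        while True:
            chunk = fh.read(64 * 1024)
            if not chunk:
                break
            out += chunk
            if len(out) > limit:
                return None
    return bytes(out)


def build_sample_archive():
    """Constructed test input: a harmless text file, 4 MiB of zeros, and a
    nested (stored) zip whose extension does not give it away."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as izf:
        izf.writestr("inner.txt", "nested")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.txt", "Quarterly numbers attached.\n")
        zf.writestr("zeros.bin", b"\0" * (4 * 1024 * 1024))
        zf.writestr("archive.dat", inner.getvalue())
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    for member, reason in inspect_zip(sample):
        print(f"{member}: {reason}")
    # zeros.bin against a 1 MiB cap: the bounded reader gives up and returns None
    print(read_member_bounded(sample, "zeros.bin", 1024 * 1024))
```

On the sample, inspect_zip flags zeros.bin for its compression ratio and archive.dat as a nested zip found by magic bytes rather than by name, while report.txt passes. Because read_member_bounded works in memory and aborts on its own byte count, it also side-steps the temp-file clean-up concern from point 4: there is nothing left lying around if the slave dies mid-scan.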
