[Mimedefang] Executables != MS Office documents

Jonas Eckerman jonas at truls.org
Tue May 11 11:22:10 EDT 2004


I'm not sure if it's ever been exploited or not, but considering that on at least one machine here MS Office helpfully executes any DOS/Win binary executable file with a .doc or .xls extension, I've put the following in my filter:

$office_exts = '(doc|xml|dot|rtf|wps|xls|xlt|csv|xlw|wk4|wk3|wk1|wks|xla|mdb|adp|dbf|ppt|pot|pps|ppa|wmf|emf|mpp|mpt|mpd|pub)';
[...]
use File::Type;
$filetype = File::Type->new();
[...]

sub filter ($$$$) {
[...]
	# Treat a part as "probably MS Office" if either its name carries one of
	# the extensions above or its declared MIME type is a Word/Access/
	# PowerPoint/Excel type, and only look at it if it has a body on disk.
	my $re = '\.' . $office_exts;
	if ((re_match_ext($entity, $re) || $type =~ /\/(ms|microsoft)-?(word|access|powerpoint|excel)$/i) &&
			(defined($entity->bodyhandle) && defined($entity->bodyhandle->path))) {
		# Let File::Type decide from the content, not the name.
		my $ft = $filetype->checktype_filename($entity->bodyhandle->path);
		if ($ft && $ft =~ /executable/i) {
			#debug_log(0,"filter: This attach would have been quarantined because it is executable: $fname");
			md_graphdefang_log('hidden_executable');
			return action_quarantine($entity,
				removed_part_note("A probable MS Office attachment named \"$fname\"",'seemed to be an executable file').
				note_footer(get_quarantine_dir(),$MsgID)
			);
		}
	}
[...]
}

Might be unneeded, but unless File::Type returns false matches, it shouldn't hurt. Seems to work so far.

Does anyone know of any other similar file type/extension mismatches that would be worth guarding against with the same method?

Regards
/Jonas

-- 
Jonas Eckerman, jonas at truls.org
http://www.truls.org/
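The same check as a stand-alone Python script, added here as an illustration (it is not from the post above and is not part of MIMEDefang or File::Type): it reuses the post's extension and MIME-type triggers but sniffs the attachment's leading bytes itself instead of calling File::Type. The magic values are the well-known ones; the sample attachments are constructed for the example.

```python
import re

# Extensions and MIME types the filter treats as "probably MS Office".
OFFICE_EXT_RE = re.compile(
    r'\.(doc|xml|dot|rtf|wps|xls|xlt|csv|xlw|wk4|wk3|wk1|wks|xla|mdb|adp|'
    r'dbf|ppt|pot|pps|ppa|wmf|emf|mpp|mpt|mpd|pub)$', re.I)
OFFICE_MIME_RE = re.compile(r'/(ms|microsoft)-?(word|access|powerpoint|excel)$', re.I)

# Well-known leading bytes; the first match wins.
MAGIC = [
    (b'MZ', 'executable'),                          # DOS/Windows executable
    (b'\x7fELF', 'executable'),                     # ELF executable
    (b'\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1', 'ole2'),  # legacy Word/Excel/PowerPoint
    (b'PK\x03\x04', 'zip'),                         # OOXML and other ZIP-based files
    (b'{\\rtf', 'rtf'),                             # Rich Text Format
]

def sniff(data: bytes) -> str:
    """Classify content by its magic bytes, ignoring the filename entirely."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return 'unknown'

def looks_like_office(filename: str, content_type: str = '') -> bool:
    """Same trigger as the filter: Office extension OR Office MIME type."""
    return bool(OFFICE_EXT_RE.search(filename) or OFFICE_MIME_RE.search(content_type))

def hidden_executable(filename: str, data: bytes, content_type: str = '') -> bool:
    """True when something claiming to be Office is really an executable."""
    return looks_like_office(filename, content_type) and sniff(data) == 'executable'

def scan(parts):
    """Return the names of the (name, content_type, data) parts to quarantine."""
    return [name for name, ctype, data in parts if hidden_executable(name, data, ctype)]

# Constructed sample attachments (not real files): a PE stub renamed to .doc,
# a genuine OLE2 header, an RTF file, an honest .exe, and a .txt with an Office MIME type.
PE_STUB = b'MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff' + b'\x00' * 50
SAMPLES = [
    ('invoice.doc', 'application/msword', PE_STUB),
    ('budget.xls', 'application/vnd.ms-excel', b'\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1' + b'\x00' * 56),
    ('notes.rtf', 'text/rtf', b'{\\rtf1\\ansi hello}'),
    ('setup.exe', 'application/octet-stream', PE_STUB),
    ('readme.txt', 'application/msword', PE_STUB),
]

if __name__ == '__main__':
    print(scan(SAMPLES))  # ['invoice.doc', 'readme.txt']
```

Note that, like the original regex, the MIME trigger only matches types written as `.../msword`-style; `application/vnd.ms-excel` is caught by its extension, not its type.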
