[Mimedefang] JPEG exploit checking in mimedefang-filter

Tomasz Ostrowski tometzky at batory.org.pl
Tue Sep 28 04:55:39 EDT 2004


I have written a quick and dirty check for corrupt JPEG files in
mimedefang-filter. It uses the program "djpeg", which should be in most
Linux and Unix distributions, to convert the file to a bitmap, writing
to /dev/null. It lets the file in if it manages to successfully convert
it, or rejects it otherwise.

It should catch the latest JPEG virus. At least it catches the sample
I have found here:
	http://www.easynews.com/virus.html

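###################################################################
# New function: check for corrupted JPEG files
# Returns 0 if the part is not a JPEG or djpeg decoded it cleanly,
# otherwise the code returned by run_virus_scanner().
sub filter_corrupt_jpeg ($) {
    my($entity) = @_;

    # Only parts whose name ends in .jpg or .jpeg are checked
    if (re_match($entity, '\.jp(e?)g$') ) {
        my $bh = $entity->bodyhandle();
        if (defined($bh)) {
            my $path = $bh->path();
            if (defined($path)) {
                # Decode to /dev/null; only the result of the run matters
                my($code, $category, $action) =
                    run_virus_scanner( "djpeg -fast -dither none -grayscale -scale 1/8 -outfile /dev/null $path" );
                # The scanner run itself did not complete normally
                if ($action ne 'proceed') {
                    return $code;
                }
                # Non-zero exit status: djpeg did not convert the file
                if ($code) {
                    return $code;
                }
            }
        }
    }

    return 0;
}
###################################################################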

###################################################################
# This should go in filter() function
    if (filter_corrupt_jpeg($entity)) {
        md_graphdefang_log('corrupt_jpeg', $fname, $type);
        action_bounce("Access denied. Corrupt file $fname not allowed.", "554", "5.7.1");
        return action_discard();
    }

###################################################################

Regards
Tometzky
-- 
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
                                                      Winnie the Pooh
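
An added example, not part of the original post or of MIMEDefang: the same djpeg check run without a shell and under a time limit, so that a file djpeg rejects is told apart from a decoder that is missing or hangs. The helper name jpeg_decode_status, the 10-second limit and the 126/127 child exit codes are assumptions of this example; it needs djpeg on the PATH.

```perl
use strict;
use warnings;
use POSIX ();
use File::Temp qw(tempfile);

# Hypothetical helper (not a MIMEDefang function). Runs djpeg on $path with
# no shell and a time limit. Returns 'ok', 'corrupt', 'timeout' or 'error'.
sub jpeg_decode_status {
    my ($path, $timeout) = @_;
    $timeout ||= 10;                       # assumed limit, in seconds
    my $pid = fork();
    return 'error' unless defined $pid;
    if ($pid == 0) {
        # Child: silence the decoder, then exec with an argument list so the
        # file name is passed as one argument and never parsed by a shell.
        open(STDOUT, '>', '/dev/null') or POSIX::_exit(126);
        open(STDERR, '>', '/dev/null') or POSIX::_exit(126);
        exec('djpeg', '-fast', '-dither', 'none', '-grayscale',
             '-scale', '1/8', '-outfile', '/dev/null', $path)
            or POSIX::_exit(127);          # djpeg missing or not executable
    }

    my $status;
    my $ok = eval {
        local $SIG{ALRM} = sub { die "timeout\n" };
        alarm($timeout);
        waitpid($pid, 0);
        $status = $?;
        alarm(0);
        1;
    };
    unless ($ok) {                         # decoder hung: kill and reap it
        kill('KILL', $pid);
        waitpid($pid, 0);
        return 'timeout';
    }
    return 'error' if $status & 127;       # decoder was killed by a signal
    my $exit = $status >> 8;
    return 'ok'    if $exit == 0;
    return 'error' if $exit == 126 || $exit == 127;   # could not run djpeg
    return 'corrupt';                      # djpeg reported a problem
}

# Constructed sample: a JPEG header cut off after the JFIF tag.
my ($fh, $sample) = tempfile(SUFFIX => '.jpg', UNLINK => 1);
binmode($fh);
print {$fh} "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00";
close($fh);
print "truncated sample: ", jpeg_decode_status($sample), "\n";
```

In a filter, only 'corrupt' would justify the bounce; 'error' and 'timeout' point at the scanning host rather than the attachment.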


