[Mimedefang] clamav
Jim McCullars
jim at info.uah.edu
Mon Jun 13 09:40:49 EDT 2005
On Fri, 10 Jun 2005, -ray wrote:
> Notice lots and lots of spaces in the filename to fool users into thinking
> it's a .txt file. Has anyone coded a MD rule to check for more than say
> 10 consequtive spaces in a filename in a zip file? Should be pretty
Yes, but I reject on more than three spaces. Put something like this
in filter() :
# If it's a ZIP file, look inside to see if it has a potentially bad file
#
my($body) = $entity->bodyhandle;
if(defined($body)) {
my($path) = $body->path; # path to decoded file
if($path =~ /\.zip$/) { # ZIP file?
my $zip = Archive::Zip->new(); # yes, set up to peek inside
my $status = $zip->read($path);
if($status == AZ_OK) {
foreach my $member ($zip->members) { # cycle through contents
my $filename = $member->fileName(); # grab filename
if ($filename =~ /\.(?:scr|pif|shs)$/i || # look for certain extens
$filename =~ /\s\s\s/) { # or more than three consecutive spaces
# action_add_header('X-BadFile',"$filename found in attached ZIP")
return action_bounce("ZIP files containing scr, pif, or shs
extensions, or too many spaces in the file name, are not allowed")
}
}
}
}
HTH...
Jim McCullars
University of Alabama in Huntsville
More information about the MIMEDefang
mailing list