[Mimedefang] clamav

Jim McCullars jim at info.uah.edu
Mon Jun 13 09:40:49 EDT 2005



On Fri, 10 Jun 2005, -ray wrote:

> Notice lots and lots of spaces in the filename to fool users into thinking
> it's a .txt file.  Has anyone coded a MD rule to check for more than say
> 10 consequtive spaces in a filename in a zip file?  Should be pretty

   Yes, but I reject on more than three spaces.  Put something like this
in filter() :

#  If it's a ZIP file, look inside to see if it has a potentially bad file
#
  my($body) = $entity->bodyhandle;
  if(defined($body)) {
    my($path) = $body->path;    # path to decoded file
    if($path =~ /\.zip$/) {     # ZIP file?
      my $zip = Archive::Zip->new();   # yes, set up to peek inside
      my $status = $zip->read($path);
      if($status == AZ_OK) {
        foreach my $member ($zip->members) {  # cycle through contents
          my $filename = $member->fileName(); # grab filename
          if ($filename =~ /\.(?:scr|pif|shs)$/i ||   # look for certain extens
              $filename =~ /\s\s\s/) {    # or more than three consecutive spaces
   #        action_add_header('X-BadFile',"$filename found in attached ZIP")
            return action_bounce("ZIP files containing scr, pif, or shs
extensions, or too many spaces in the file name, are not allowed")
          }
      }
    }
  }


   HTH...

Jim McCullars
University of Alabama in Huntsville





More information about the MIMEDefang mailing list