[Mimedefang] exe in defective zip attachments getting through mimedefang

Cliff Hayes chayes at afo.net
Thu Jan 14 13:40:39 EST 2010


Reference my last email ... I wasn't very clear.
Here is the original code:

sub re_match_in_zip_directory ($$) {
    my($zipname, $regexp) = @_;
    unless ($Features{"Archive::Zip"}) {
        md_syslog('err', "$MsgID: Attempted to use re_match_in_zip_directory, but Perl module Archive::Zip is not installed.");
        return 0;
    }
    my $zip = Archive::Zip->new();

    # Prevent carping about errors
    Archive::Zip::setErrorHandler(\&dummy_zip_error_handler);
    if ($zip->read($zipname) == AZ_OK()) {
        foreach my $member ($zip->members()) {
            my $file = $member->fileName();
            return 1 if ($file =~ /$regexp/i);
        }
    }

    return 0;
}

=== HERE IS MY SUGGESTION: === (added test for AZ_STREAM_END and FAIL all other codes)

sub re_match_in_zip_directory ($$) {
    my($zipname, $regexp) = @_;
    unless ($Features{"Archive::Zip"}) {
        md_syslog('err', "$MsgID: Attempted to use re_match_in_zip_directory, but Perl module Archive::Zip is not installed.");
        return 0;
    }
    my $zip = Archive::Zip->new();

    # Prevent carping about errors
    Archive::Zip::setErrorHandler(\&dummy_zip_error_handler);
    my($archiveZipResults) = $zip->read($zipname);
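    if (($archiveZipResults == AZ_OK()) || ($archiveZipResults == AZ_STREAM_END())) {
        foreach my $member ($zip->members()) {
            my $file = $member->fileName();
            return 1 if ($file =~ /$regexp/i);
        }
    } else {
        # Any other status code: treat the zip as defective and report a match
        return 1;
    }

    # Archive was read and no member name matched
    return 0;
}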




-----Original Message-----
From: mimedefang-bounces at lists.roaringpenguin.com
[mailto:mimedefang-bounces at lists.roaringpenguin.com]On Behalf Of Dave
O'Neill
Sent: Thursday, January 14, 2010 11:10 AM
To: mimedefang at lists.roaringpenguin.com
Subject: Re: [Mimedefang] exe in defective zip attachments getting through mimedefang


On Thu, Jan 14, 2010 at 10:54:14AM -0600, Cliff Hayes wrote:
> if Archive::Zip doesn't return an AZ_OK then mimedefang lets the attachment
> through.  From what I could find out, if Archive::Zip doesn't return AZ_OK
> then there is a problem with the zip file.  I'd rather block defective zip
> files than let them through.  In the code below, I substituted "return 0;"
> with "else { return 1; }" and that solved my problem.  Now good zips still
> go through, zips with exe's get replaced with warning, and defective (hacked
> I'm assuming) get replaced with warnings too.  I'm surprised that standard
> procedure is to let defective zips through.  Or am I understanding this
> wrong?

What value is ->read() returning?  It might be nice to check the status
value and determine if it's failing due to a corrupt zip file, or simply
due to a zip format that Archive::Zip doesn't recognize.

If you can grab a sample of the zip in question and send it to me
offlist, I'll take a look.

Cheers,
Dave
--
Dave O'Neill <dmo at roaringpenguin.com>    Roaring Penguin Software Inc.
+1 (613) 231-6599                        http://www.roaringpenguin.com/
For CanIt technical support, please mail: support at roaringpenguin.com
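
The status check discussed in this thread, as an added example that is not part of the original messages or of MIMEDefang itself: it names the Archive::Zip status code that read() returned and keeps "unreadable" separate from "match", so a filter can log why an archive was rejected. classify_zip, write_zip, the extension pattern and the member names are hypothetical, and the sample archives are constructed at run time.

```perl
use strict;
use warnings;
use Archive::Zip qw(:ERROR_CODES);
use File::Temp qw(tempfile);

# Names for the Archive::Zip status codes, for logging.
my %STATUS_NAME = (
    AZ_OK()       => 'AZ_OK',       AZ_STREAM_END()   => 'AZ_STREAM_END',
    AZ_ERROR()    => 'AZ_ERROR',    AZ_FORMAT_ERROR() => 'AZ_FORMAT_ERROR',
    AZ_IO_ERROR() => 'AZ_IO_ERROR',
);

# Hypothetical helper: returns (verdict, status name), where verdict is
# 'match', 'clean' or 'unreadable'.
sub classify_zip {
    my ($zipname, $regexp) = @_;
    Archive::Zip::setErrorHandler(sub { });    # prevent carping about errors
    my $zip    = Archive::Zip->new();
    my $status = $zip->read($zipname);
    my $name   = $STATUS_NAME{$status} // "unknown($status)";
    # Same acceptance rule as the suggestion above; every other code fails closed.
    return ('unreadable', $name)
        unless $status == AZ_OK() || $status == AZ_STREAM_END();
    foreach my $member ($zip->members()) {
        return ('match', $name) if $member->fileName() =~ /$regexp/i;
    }
    return ('clean', $name);
}

# Constructed sample: a one-member zip in a temp file, optionally cut in half
# so that the end of the archive (and its directory) is missing.
sub write_zip {
    my ($member_name, $truncate) = @_;
    my (undef, $path) = tempfile(SUFFIX => '.zip', UNLINK => 1);
    my $zip = Archive::Zip->new();
    $zip->addString("constructed sample content\n", $member_name);
    $zip->writeToFileNamed($path) == AZ_OK() or die "cannot write $path";
    truncate($path, int((-s $path) / 2)) or die "truncate $path: $!" if $truncate;
    return $path;
}

my $bad_ext = '\.(exe|com|scr|bat)$';          # assumed pattern, for illustration
my @cases = ([plain     => write_zip('notes.txt')],
             [exe       => write_zip('setup.exe')],
             [truncated => write_zip('notes.txt', 1)]);
for my $case (@cases) {
    my ($verdict, $status) = classify_zip($case->[1], $bad_ext);
    printf "%-10s verdict=%-10s status=%s\n", $case->[0], $verdict, $status;
}
```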