[Mimedefang] Strip DOC with macros
David F. Skoll
dfs at roaringpenguin.com
Wed Feb 25 14:08:55 EST 2015

On Wed, 25 Feb 2015 13:17:42 -0500 (EST)
Justin Edmands <j.edmands at sagedining.com> wrote:
> I wanted to know if I could use mimedefang to strip
> out .DOC, .DOCX, .XLS, and .XLSX files (or any applicable file type)
> if they contain a macro.

Yes.  Stripping attachments is explained in the mimedefang-filter page.
The important part is detecting macros.  Here's code we have to do it.
(This is a code fragment just to give you the idea.  You'll need to modify
it to integrate it with MIMEDefang.)

Regards,

David.

==============================================================================
# These markers were documented at:
# http://blog.rootshell.be/2015/01/08/searching-for-microsoft-office-files-containing-macro/
# as of 2015-01-15
# $entity is a MIME::Entity that's the parsed message
use MIME::Words qw(decode_mimewords);

# First four bytes of the OLE2 compound-file signature
my $marker1 = "\xd0\xcf\x11\xe0";
# "\0Attribut\0", the VBA marker described at the URL above
my $marker2 = "\x00\x41\x74\x74\x72\x69\x62\x75\x74\x00";

sub contains_office_macros
{
	my ($self, $entity) = @_;

	# Multipart entity: recurse into each part and stop at the first hit
	my @parts = $entity->parts();
	if (scalar(@parts) > 0) {
		foreach my $part (@parts) {
			if ($self->contains_office_macros($part)) {
				return 1;
			}
		}
		return 0;
	}

	# Leaf entity: only look at parts whose filename ends in .doc or .docx
	my $is_msoffice_extension = 0;
	foreach my $attr_name (qw( Content-Disposition.filename Content-Type.name) ) {
		my $possible = $entity->head->mime_attr($attr_name);
		# The attribute may be absent; skip it rather than match on undef
		next unless defined($possible);
		$possible = decode_mimewords($possible);
		if ($possible =~ /\.(doc|docx)$/i) {
			$is_msoffice_extension = 1;
			last;
		}
	}
	return 0 unless $is_msoffice_extension;

	# The decoded body must exist on disk
	return 0 unless defined($entity->bodyhandle) && defined($entity->bodyhandle->path);
	my $fp;
	if (!open($fp, '<:raw', $entity->bodyhandle->path)) {
		return 0;
	}

	# Slurp the whole decoded attachment as raw bytes
	my $contents;
	{
		local $/;
		$contents = <$fp>;
		close($fp);
	}
	return 0 unless defined($contents);

	# Report a macro only when both markers are present
	if (index($contents, $marker1) > -1 &&
	    index($contents, $marker2) > -1) {
		return 1;
	}
	return 0;
}
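
An added example, not part of the original post or of MIMEDefang itself: OOXML attachments are ZIP containers in which the VBA project is stored as a compressed OLE2 member (typically word/vbaProject.bin), so this goes beyond the posted fragment and also applies the same two-marker test to each decompressed ZIP member. The helper names and the sample bytes are constructed for illustration, and only core Perl modules are used.

```perl
#!/usr/bin/perl
# Added example, not from the original post. Core modules only.
use strict;
use warnings;
use IO::Compress::Zip qw(zip $ZipError);
use IO::Uncompress::Unzip;

# Markers copied from the fragment above.
my $marker1 = "\xd0\xcf\x11\xe0";
my $marker2 = "\x00\x41\x74\x74\x72\x69\x62\x75\x74\x00";

# Same two-marker test as the posted fragment, applied to a byte string.
sub has_markers {
	my ($bytes) = @_;
	my $hit = index($bytes, $marker1) > -1 && index($bytes, $marker2) > -1;
	return $hit ? 1 : 0;
}

# Hypothetical helper: scan the raw body, then each decompressed ZIP member.
sub contains_macro_markers {
	my ($bytes) = @_;
	return 1 if has_markers($bytes);
	return 0 unless substr($bytes, 0, 4) eq "PK\x03\x04";	# not a ZIP container
	my $zip = IO::Uncompress::Unzip->new(\$bytes) or return 0;
	my $status = 1;
	while ($status > 0) {
		my ($member, $buf) = ('', '');
		while (($status = $zip->read($buf)) > 0) {
			$member .= $buf;		# read() overwrites $buf on every call
		}
		last if $status < 0;			# corrupt member: stop scanning
		return 1 if has_markers($member);
		$status = $zip->nextStream();		# 1 = another member, 0 = end, -1 = error
	}
	return 0;
}

# Constructed sample: a stand-in for an OLE2 vbaProject.bin, then the same
# bytes deflated into a ZIP member the way an OOXML file stores them.
my $fake_vba = $marker1 . ('A' x 64) . $marker2 . ('B' x 64);
my $fake_ooxml;
zip(\$fake_vba => \$fake_ooxml, Name => 'word/vbaProject.bin')
	or die "zip failed: $ZipError";

printf "legacy OLE2 body, raw scan    : %d\n", has_markers($fake_vba);
printf "ZIP container, raw scan       : %d\n", has_markers($fake_ooxml);
printf "ZIP container, member scan    : %d\n", contains_macro_markers($fake_ooxml);
```

In a filter, the byte string would be the decoded attachment read from `$entity->bodyhandle->path`, as in the fragment above.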