[Mimedefang] Word Macro warning in subject.

Steffen Kaiser skmimedefang at smail.inf.fh-bonn-rhein-sieg.de
Fri Feb 12 03:36:56 EST 2016


On Fri, 12 Feb 2016, System Operations wrote:

> I made the changes to the sub contains_office_macros below, I hope that
> these changes are correct.
> Does the sub contains_office_macros need to be called by sub filter_multipart
> only, or does it need to be called by the sub filter as well?

You want to test files only; hence, no need for filter_multipart, but
filter only.

Also, see this snippet from the man page:

        The heart of mimedefang-filter is the filter procedure.  See the examples that came with MIMEDefang to learn to write a filter.  The filter is called with the following arguments:

        $entity
               The MIME::Entity object.  (See the MIME::tools Perl module documentation.)

        $fname The suggested attachment filename, or "" if none was supplied.

        $ext   The file extension (all characters from the rightmost period to the end of the filename.)

        $type  The MIME type (for example, "text/plain".)

You should use $ext and $type to probe these strings, if you check the
content, because MIMEDefang takes great care to populate sane values
there. They replace the foreach loop. Also note, if the MIME type suggests
"MS Office style document", the filename need not end in .doc/.xls/... .
Many MUAs accept those parts as MSOffice docs, too.

> # These markers were documented at:
> # http://blog.rootshell.be/2015/01/08/searching-for-microsoft-office-files-containing-macro/
> # as of 2015-01-15
> # $entity is a MIME::Entity that's the parsed message
>
> my $marker1 = "\xd0\xcf\x11\xe0";
> my $marker2 = "\x00\x41\x74\x74\x72\x69\x62\x75\x74\x00";
>
> sub contains_office_macros
> {
>    my ($entity) = @_;
>    my @parts = $entity->parts();
>    if (scalar(@parts) > 0) {
>        return 0;
>    }
>    my $is_msoffice_extension = 0;
>    foreach my $attr_name (qw( Content-Disposition.filename Content-Type.name) ) {
>        my $possible = $entity->head->mime_attr($attr_name);
>        $possible = decode_mimewords($possible);
>        if ($possible =~ /\.(doc|docx)$/i) {
>            $is_msoffice_extension = 1;
>            last;
>        }
>    }
>    return 0 unless $is_msoffice_extension;
>    return 0 unless defined($entity->bodyhandle) && defined($entity->bodyhandle->path);
>    my $fp;
>    if (!open($fp, '<:raw', $entity->bodyhandle->path)) {
>        return 0;
>    }
>    my $contents;
>    {
>        local $/;
>        $contents = <$fp>;
>        close($fp);
>    }
>    if (index($contents, $marker1) > -1 &&
According to your reference, marker1 must be at location == 0 (start of file).

>        index($contents, $marker2) > -1) {
>        return 1;
>    }
>    return 0;
> }

--
Steffen Kaiser

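The two points made in this reply (decide from `$ext` and `$type` instead of re-parsing the headers, and require marker1 at offset 0) put together as an added example; it is not code from the original thread or from MIMEDefang. The extension list, the MIME type list, the `($path, $ext, $type)` signature and the sample byte strings are assumptions made for the illustration, and the script runs stand-alone without MIMEDefang.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);

# Markers quoted in the thread.
my $marker1 = "\xd0\xcf\x11\xe0";                          # must sit at offset 0
my $marker2 = "\x00\x41\x74\x74\x72\x69\x62\x75\x74\x00";  # "\0Attribut\0"

# Assumed lists for "MS Office style document"; adjust to local policy.
my $office_ext  = qr/^\.(?:doc|dot|xls|xlt|ppt|pps)$/i;
my $office_type = qr{^application/(?:msword|vnd\.ms-(?:excel|powerpoint))$}i;

# $path: file with the decoded part (in a filter: $entity->bodyhandle->path).
# $ext, $type: the values MIMEDefang hands to filter().
sub contains_office_macros {
    my ($path, $ext, $type) = @_;
    return 0 unless defined $path;
    # Either the extension or the MIME type may mark the part as Office.
    return 0 unless ($ext // '') =~ $office_ext
                 || ($type // '') =~ $office_type;
    open(my $fp, '<:raw', $path) or return 0;
    my $contents = do { local $/; <$fp> };
    close($fp);
    return 0 unless defined $contents;
    # marker1 is anchored at the start of the file; marker2 may follow anywhere.
    return 0 unless index($contents, $marker1) == 0;
    return index($contents, $marker2, length $marker1) > -1 ? 1 : 0;
}

# Constructed sample inputs (byte strings, not real documents).
my $body = $marker1 . ("\0" x 32) . $marker2;
my @samples = (
    [ 'macro markers, .doc name',       $body,               '.doc', 'application/octet-stream' ],
    [ 'macro markers, MIME type only',  $body,               '.dat', 'application/msword' ],
    [ 'marker1 not at offset 0',        "junk$body",         '.doc', 'application/msword' ],
    [ 'no marker2',                     $marker1 . 'x' x 32, '.xls', 'application/vnd.ms-excel' ],
    [ 'markers but not an Office part', $body,               '.txt', 'text/plain' ],
);
for my $s (@samples) {
    my ($label, $bytes, $ext, $type) = @$s;
    my ($fh, $path) = tempfile(UNLINK => 1);
    binmode $fh;
    print {$fh} $bytes;
    close $fh;
    printf "%-32s %s\n", $label, contains_office_macros($path, $ext, $type) ? 'flagged' : 'clean';
}
```

Inside a real filter the function would be called from `filter` with the `$ext` and `$type` arguments it receives and with `$entity->bodyhandle->path` as the file, after the same `defined` checks the quoted code already performs.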