[Mimedefang] Word Macro warning in subject.
Steffen Kaiser
skmimedefang at smail.inf.fh-bonn-rhein-sieg.de
Thu Feb 11 03:52:34 EST 2016
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tue, 9 Feb 2016, System Operations wrote:
Hmm, do you use SpamAssassin.
I thought one could add search strings to ClamAV as well, but cannot find
any pointers in the internet.
> Slave 1 stderr: Can't call method "parts" on an undefined value at
> /etc/mail/mimedefang-filter
There is no line number?
> sub filter {
> my($entity, $fname, $ext, $type) = @_;
>
> return if message_rejected(); # Avoid unnecessary work
>
>
> if (contains_office_macros) {
^^ missing ($entity)
like many procedural languages you need to pass argumenents in ()'s
> action_notify_administrator("An attachment of type $type, sent by
> $Sender for $Recip named $fname contains macros.\n");
> my $subject = $entity->head->get('Subject',0);
> action_change_header('Subject', "[Warning Attachment $fname contains
> macros (possible virus):] $Subject");
> }
>
> return action_accept();
> }
>
>
>
> sub filter_multipart {
> my($entity, $fname, $ext, $type) = @_;
>
> return if message_rejected(); # Avoid unnecessary work
>
> if (contains_office_macros) {
> action_notify_administrator("An attachment of type $type, sent by
> $Sender for $Recip named $fname contains macros.\n");
> my $subject = $entity->head->get('Subject',0);
> action_change_header('Subject', "[Warning Attachment $fname contains
> macros (possible virus):] $Subject");
> }
>
> return action_accept();
> }
>
>
> ==============================================================================
> # These markers were documented at:
> #http://blog.rootshell.be/2015/01/08/searching-for-microsoft-office-files-containing-macro/
> # as of 2015-01-15
> # $entity is a MIME::Entity that's the parsed message
>
> my $marker1 = "\xd0\xcf\x11\xe0";
> my $marker2 = "\x00\x41\x74\x74\x72\x69\x62\x75\x74\x00";
>
> sub contains_office_macros
> {
> my ($self, $entity) = @_;
^^ remove $self,
there is just one argument, also remove any $self->
from the code below.
> my @parts = $entity->parts();
> if (scalar(@parts) > 0) {
> foreach my $part (@parts) {
> if ($self->contains_office_macros($part)) {
> return 1;
> }
> }
> return 0;
> }
> my $is_msoffice_extension = 0;
> foreach my $attr_name (qw( Content-Disposition.filename
> Content-Type.name) ) {
> my $possible = $entity->head->mime_attr($attr_name);
> $possible = decode_mimewords($possible);
> if ($possible =~ /\.(doc|docx)$/i) {
> $is_msoffice_extension = 1;
> last;
> }
> }
> return 0 unless $is_msoffice_extension;
> return 0 unless defined($entity->bodyhandle) &&
> defined($entity->bodyhandle->path);
> my $fp;
> if (!open($fp, '<:raw', $entity->bodyhandle->path)) {
> return 0;
> }
> my $contents;
> {
> local $/;
> $contents = <$fp>;
> close($fp);
> }
this code pulls the whole part into memory.
> if (index($contents, $marker1) > -1 &&
> index($contents, $marker2) > -1) {
> return 1;
> }
> return 0;
> }
- --
Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEVAwUBVrxL0lGgR0+MU/4GAQJsGggAjsFY1BY0d7I8d8DWOhxYOzUMKH267Wdz
d4rAmWFKYenM8ucDBFAxS1cqh+t30jdn+bz5EyEW31tHqDLyzLOHOGCsfOBis4Vr
uUTfQ08Tl80eQCbK97hlUN8C1FvJf9ONJZf2wcBKy+T7hrQ+7zjUqaZhnpDHLZba
79A/M9iXll5PLcQJPSV6YgL3lDOfYzuIlP7V6Iq8dyFVzdoqlxjkuww6SjPBHpA9
/sfeMSbYsCPGWu+LxSMeieAUF3UbaOIpSe/cgMutJEPle7XPV9THX8oMcDQucazo
AaEhxArOEDgTAmR/A1ZNaeKehZwlMWYMS13bGb6ntjvhcEUWVs1gTg==
=36Gx
-----END PGP SIGNATURE-----
More information about the MIMEDefang
mailing list