
List:       procmail
Subject:    Re: Help! Need to use procmail to fight dangerous security exploit
From:       era eriksson <era () iki ! fi>
Date:       1998-07-30 7:27:15

On Thu, 30 Jul 1998 02:36:46 -0400, Walter Dnes
<waltdnes@interlog.com> wrote:
 > David W. Tamkin wrote:
 >> * ^Content-Disposition:(.*\>)?filename="\/[^"]+
 >> * 1^1 MATCH ?? .
 >> * -63^0
 >> dangerbox
 >   Devil's advocate questions...
 >     1) If there are several short headers, are their lengths
 >        summed up to beat 63?
 >     2) Even worse; if a short header and a long header both
 >        exist, which one will procmail match?  First, second,
 >        or longest?

No; this will only look at the first matching occurrence of
Content-Disposition.*etc and not see the others.

 > :0BH
 > * ^Content-Disposition:(.*\>)?filename=\
 > .................................................................."
 > {
 > :0f
 > | formail -A "X-Reject: File attachment name greater than 63 characters"
 > :0
 > junkmail
 > }

The obvious problem (the lack of a leading double quote was apparently
intentional, but you should probably be checking whether any of the
intermediate matched characters is a double-quote [properly done, I
believe this should disregard backslash-escaped double-quotes, too])
is that this will look at anything that looks more or less like a
Content-Disposition header, even when it's not in the MIME header of a
MIME body part and thus completely harmless. This should really really
be done with a real MIME tool.

 >   Those of you who counted 66 dots, please note that I'm
 > allowing for quotes around the filename.  Now what about
 > Unix/NT/Win95 in terms of filename lengths?  The 32-bit
 > Windows variants should be able to go 255 characters, and
 > unixes (there are Netscape/unix versions) will probably vary.

I believe that the problem isn't really that the filename is over the
allowed length for some platform (Macintoshes allow something like 27
characters if memory serves) but a bug in how some particular email
clients allocate memory for the file name string (but I am really only
speculating here).

/* era */

-- 
 Paparazzi of the Net: No matter what you do to protect your privacy,
  they'll hunt you down and spam you. <http://www.iki.fi/~era/spam/>
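
Added example, not part of the original message or thread: the two limits noted above (a line-oriented pattern also fires on header-like text inside a body, and only the first occurrence is examined) shown against a check that walks the real MIME part headers with Python's standard email parser. The sample messages, the helper names and the use of 63 as the default limit are constructed for illustration.

```python
import email
import re

LIMIT = 63  # length threshold from the recipes quoted in this thread

def long_filenames(raw, limit=LIMIT):
    """Filenames over `limit` chars, taken from real MIME part headers only."""
    msg = email.message_from_bytes(raw)
    names = (part.get_filename() for part in msg.walk())
    return [n for n in names if n and len(n) > limit]

def naive_match(raw, limit=LIMIT):
    """Line-oriented check in the spirit of the quoted recipes, for contrast."""
    pat = rb'(?mi)^Content-Disposition:.*filename="?[^"\r\n]{%d,}' % (limit + 1)
    return re.search(pat, raw) is not None

def build(parts):
    """Assemble a constructed multipart/mixed message from (headers, body) pairs."""
    out = [b"From: a@example.com", b"MIME-Version: 1.0",
           b'Content-Type: multipart/mixed; boundary="XX"', b""]
    for headers, body in parts:
        out += [b"--XX"] + headers + [b"", body]
    out += [b"--XX--", b""]
    return b"\r\n".join(out)

LONG = b"A" * 80 + b".txt"

# Constructed sample 1: the long "header" is only text inside a body part.
HARMLESS = build([
    ([b"Content-Type: text/plain"],
     b'Content-Disposition: attachment; filename="' + LONG + b'"'),
    ([b"Content-Type: application/octet-stream",
      b'Content-Disposition: attachment; filename="ok.bin"'], b"data"),
])

# Constructed sample 2: short name first, long name in a later part.
SUSPECT = build([
    ([b"Content-Type: text/plain",
      b'Content-Disposition: attachment; filename="note.txt"'], b"hi"),
    ([b"Content-Type: application/octet-stream",
      b'Content-Disposition: attachment; filename="' + LONG + b'"'], b"data"),
])

if __name__ == "__main__":
    print("harmless:", naive_match(HARMLESS), long_filenames(HARMLESS))
    print("suspect: ", naive_match(SUSPECT), long_filenames(SUSPECT))
```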
