List: procmail
Subject: Re: Help! Need to use procmail to fight dangerous security exploit
From: era eriksson <era () iki ! fi>
Date: 1998-07-30 7:27:15
On Thu, 30 Jul 1998 02:36:46 -0400, Walter Dnes
<waltdnes@interlog.com> wrote:
> David W. Tamkin wrote:
>> * ^Content-Disposition:(.*\>)?filename="\/[^"]+
>> * 1^1 MATCH ?? .
>> * -63^0
>> dangerbox
> Devil's advocate questions...
> 1) If there are several short headers, are their lengths
> summed up to beat 63?
> 2) Even worse; if a short header and a long header both
> exist, which one will procmail match? First, second,
> or longest?
No; this will only look at the first matching occurrence of
Content-Disposition.*etc and not see the others.
> :0BH
> * ^Content-Disposition:(.*\>)?filename=\
> .................................................................."
> {
> :0f
> | formail -A "X-Reject: File attachment name greater than 63
> characters"
> :0
> junkmail
> }
The obvious problem (the lack of a leading double quote was apparently
intentional, but you should probably be checking whether any of the
intermediate matched characters is a double-quote [properly done, I
believe this should disregard backslash-escaped double-quotes, too])
is that this will look at anything that looks more or less like a
Content-Disposition header, even when it's not in the MIME header of a
MIME body part and thus completely harmless. This should really really
be done with a real MIME tool.
> Those of you who counted 66 dots, please note that I'm
> allowing for quotes around the filename. Now what
> about Unix/NT/Win95 in terms of filename lengths? The 32-bit
> Windows variants should be able to go 255 characters, and
> unixes (there are Netscape/unix versions) will probably vary.
I believe that the problem isn't really that the filename is over the
allowed length for some platform (Macintoshes allow something like 27
characters if memory serves) but a bug in how some particular email
clients allocate memory for the file name string (but I am really only
speculating here).
/* era */
--
Paparazzi of the Net: No matter what you do to protect your privacy,
they'll hunt you down and spam you. <http://www.iki.fi/~era/spam/>
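
An added example, not part of the original post: the same length check done with a real MIME parser (Python's standard email package) instead of a line regex, so only Content-Disposition headers of actual MIME parts are examined, every part is checked rather than only the first match, and backslash-escaped quotes are resolved. The sample message, the names LIMIT, DECOY, LONG, SAMPLE and both functions are constructed for illustration; naive_line_matches is only a rough regex stand-in for a header-and-body line match.

```python
import email
import re

LIMIT = 63  # filename-length threshold discussed in the thread
# Constructed sample: a header-like line quoted in body text (harmless),
# then one short and one over-long attachment filename.
DECOY = "B" * 70 + ".txt"
LONG = "A" * 70 + ".txt"
SAMPLE = "\r\n".join([
    'MIME-Version: 1.0',
    'Content-Type: multipart/mixed; boundary="XX"',
    '',
    '--XX',
    'Content-Type: text/plain',
    '',
    'Content-Disposition: attachment; filename="%s"' % DECOY,
    '--XX',
    'Content-Type: application/octet-stream',
    'Content-Disposition: attachment; filename="short.txt"',
    '',
    'data',
    '--XX',
    'Content-Type: application/octet-stream',
    'Content-Disposition: attachment; filename="%s"' % LONG,
    '',
    'data',
    '--XX--',
    '',
]).encode("ascii")


def long_attachment_names(raw, limit=LIMIT):
    """Return filenames longer than `limit`, read only from MIME part headers."""
    hits = []
    for part in email.message_from_bytes(raw).walk():
        name = part.get_filename()  # unquoted, with \" escapes resolved
        if name and len(name) > limit:
            hits.append(name)
    return hits


def naive_line_matches(raw):
    """Count lines that merely look like a long Content-Disposition header."""
    return len(re.findall(rb'(?im)^Content-Disposition:.*filename=.{66}', raw))


if __name__ == "__main__":
    print(long_attachment_names(SAMPLE))  # only the real over-long attachment
    print(naive_line_matches(SAMPLE))     # also counts the line in the body
```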