Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: MIME::Tools Perl module and virus scanners
From: "David F. Skoll" <dfs () roaringpenguin com>
Date: Tue, 4 Jun 2002 14:16:11 -0400 (EDT)

Bennett Todd wrote:

Do MIME::Tools and/or MIMEDefang know about the punctuation marks
that some Windows MUAs silently ignore in filename extensions?

MIMEDefang itself doesn't "know" anything, but the sample filter which
comes with it will correctly (?!) reject ".exe." as well as ".exe"
I've appended the Perl code.  The rules are convoluted, but I think
they catch most things.  Tuning the Perl rules to catch probable
viruses while leaving legitimate attachments alone took a fair bit of
time.

How
about charset canonicalization, non-default (incorrect but commonly
accepted) UTF-8 encodings?

I'm not sure about this; I'd have to check the MIME::Tools source.
MIMEDefang itself tries to decode encoded words into a default charset
if none is supplied, but it might not do the same thing as an MUA.
Canonicalizing the MIME before handing it to the MUA is the best bet.

--
David.

--- Sample filter snippet ---

# This procedure returns true for entities with bad filenames.
sub filter_bad_filename {
    my($entity) = @_;
    my($bad_exts, $re);

    # Bad extensions
    $bad_exts = 
'(ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|reg|scr|sct|shb|shs|sys|url|vb|vbe|vbs|vxd|wsc|wsf|wsh)';

    # Do not allow:
    # - curlies
    # - bad extensions (possibly with trailing dots) at end or
    #   followed by non-alphanum
    $re = '(\{)|(\})|(\.' . $bad_exts . ')\.*([^-A-Za-z0-9_.]|$)';
    return re_match($entity, $re);
}



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]