[Esa-l] Double Extensions fails

Brett Glass brett at lariat.org
Wed Feb 14 11:56:18 PST 2001


At 08:13 AM 2/14/2001, Dave Clendenan wrote:
  
>It still looks to me like blocking double extensions will
>trap 'filename.date.extension'
>
>This would cause various problems here. Is there any way
>of narrowing the scope of what gets blocked?

It does indeed, and we've run into this.

A better method might be to block messages with attachments 
whose names are of the form

name.<any extension>.<mangled extension>

or

name.<innocuous extension>.<mangled extension>

The rationale: A file with an extension you are mangling has
the POTENTIAL to be dangerous. If someone's trying to hide
the extension that tips folks off to the danger, that should
set off alarm bells.

If you're not supplying your own mangling list, you can generate
a pattern by copying the regular expression out of John's
sanitizer code. It'd be nice if there were a way to interpolate
the mangled extension list within the "poisoned" file, though.

--Brett
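The two-extension rule Brett proposes, worked out as an added example (this is not code from the original post or from the sanitizer): the mangled and innocuous extension lists below are constructed assumptions standing in for the real mangling list, and the pattern is built from them the way Brett suggests copying the extension alternation out of the sanitizer's regular expression.

```python
import re

# Constructed lists for illustration only; the sanitizer's real mangle list is
# not reproduced here (assumption, not the project's own configuration).
MANGLED = ("exe", "com", "bat", "scr", "pif", "vbs", "lnk")
INNOCUOUS = ("txt", "doc", "jpg", "gif", "pdf", "htm", "html")


def build_pattern(mangled, innocuous=None):
    """Compile a regex matching attachment names of the form
    name.<middle>.<mangled extension>.

    innocuous=None   -> <middle> may be any extension (the broader form)
    innocuous=(...)  -> <middle> must be one of the innocuous extensions
    A plain 'filename.date.extension' with a harmless final extension never
    matches, which is what the date-stamped files complained about need.
    """
    mangled_alt = "|".join(re.escape(e) for e in mangled)
    if innocuous is None:
        middle = r"[^.\s]+"
    else:
        middle = "(?:" + "|".join(re.escape(e) for e in innocuous) + ")"
    # \s* before the last dot catches 'photo.jpg       .exe', where padding
    # pushes the real extension out of view in a narrow file dialog.
    return re.compile(
        r"^[^.]+(?:\.[^.]+)*?\." + middle + r"\s*\.(?:" + mangled_alt + r")$",
        re.IGNORECASE,
    )


def should_block(filename, innocuous_only=False):
    """True if the attachment name fits the suspicious two-extension form."""
    pattern = build_pattern(MANGLED, INNOCUOUS if innocuous_only else None)
    return bool(pattern.search(filename))


def triage(filenames, innocuous_only=False):
    """Map each attachment name to the block decision, for a quick review."""
    return {name: should_block(name, innocuous_only) for name in filenames}


if __name__ == "__main__":
    # Constructed sample attachment names, including the date-stamped case.
    samples = ["report.20010214.txt", "photo.jpg.exe", "photo.jpg      .exe",
               "budget.20010214.exe", "setup.exe", "notes.txt"]
    for name, blocked in triage(samples).items():
        print(f"{name!r:32} -> {'BLOCK' if blocked else 'pass'}")
```

With `innocuous_only=True` the date-stamped `budget.20010214.exe` is left to ordinary mangling rather than blocked outright, which is the narrower scope Dave asked for.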

More information about the esd-l mailing list