[Esd-l] mangled mime type becomes text/plain (sanitizer 1.137)
Morten Hemmingsson
Morten.Hemmingsson at iea.lth.se
Thu Jan 16 14:12:01 PST 2003
John D. Hardin writes:
> On Tue, 14 Jan 2003, Morten Hemmingsson wrote:
>
> > --CXKrh5wV+/
> > Content-Description: skoj
> > Content-Disposition: attachment; filename="funzip.9068DEFANGED-exe"
> > X-Content-Security: [faraday] original Content-Type was application/octet-stream
> > Content-Type: text/plain;
> > Content-Transfer-Encoding: base64
>
> Fascinating. I have no idea where that text/plain came from, unless
> maybe there was a 1.136 sanitizer upstream of you...
>
Not likely, I was trying it out with:

> procmail ./sanitizersettings < testmessage

before installing it site-wide

Comparing MIME headers:

This one got Content-Type: text/plain

--CXKrh5wV+/
Content-Type: application/octet-stream
Content-Description: skoj
Content-Disposition: attachment;
filename="funzip.exe"
Content-Transfer-Encoding: base64

And this one got Content-Type: APPLICATION/DEFANGED;

--------------04E93F037FB56466CDD27A22
Content-Type: application/octet-stream;
name="funzip.exe" <------ Not in the previous header
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="funzip.exe"

Moving the filename line in the first header

--CXKrh5wV+/
Content-Type: application/octet-stream
filename="funzip.exe"
Content-Description: skoj
Content-Disposition: attachment;
Content-Transfer-Encoding: base64

I get Content-Type: APPLICATION/DEFANGED;

So it seems to either be a case of malformed MIME headers or a problem
with the parsing of the headers. At first I thought that the
text/plain header was from the previous MIME header but deleting that
section didn't make any difference. My knowledge of Perl is
nonexistent so I can't help with that part but I'll be glad to try
diffs and send whatever output you wish.

/Morten

PS the sanitizer trapped a Klez worm yesterday, many thanks.
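
Added example, not part of the original message and not the sanitizer's own code: a Python sketch that reads the two header sets compared above and reports which header declares the attachment filename, so a filter's decision does not depend on the `name=` parameter being present. The sample parts are constructed from the quoted headers (continuation-line indentation is assumed), and `RISKY_EXT`, `filename_sources` and `is_risky` are hypothetical names.

```python
# Added example: not the sanitizer's code. Sample parts are constructed from
# the headers quoted in the message; continuation-line indentation is assumed.
from email import message_from_string

RISKY_EXT = (".exe", ".scr", ".pif", ".bat", ".com")  # assumed policy list

# First header set: filename appears only in Content-Disposition.
PART_DISPOSITION_ONLY = (
    "Content-Type: application/octet-stream\n"
    "Content-Description: skoj\n"
    "Content-Disposition: attachment;\n"
    ' filename="funzip.exe"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
)

# Second header set: Content-Type also carries name=.
PART_NAME_AND_FILENAME = (
    "Content-Type: application/octet-stream;\n"
    ' name="funzip.exe"\n'
    "Content-Transfer-Encoding: base64\n"
    "Content-Disposition: attachment;\n"
    ' filename="funzip.exe"\n'
    "\n"
)


def filename_sources(raw_part):
    """Return the filename each header declares (None if absent)."""
    part = message_from_string(raw_part)
    return {
        "content_type_name": part.get_param("name"),
        "disposition_filename": part.get_param(
            "filename", header="content-disposition"),
    }


def is_risky(raw_part):
    """True if any declared filename ends with a risky extension."""
    names = filename_sources(raw_part).values()
    return any(n and n.lower().endswith(RISKY_EXT) for n in names)


if __name__ == "__main__":
    for label, raw in (("disposition only", PART_DISPOSITION_ONLY),
                       ("name + filename", PART_NAME_AND_FILENAME)):
        print(label, filename_sources(raw), "risky:", is_risky(raw))
```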