[Esd-l] Re: procmail sanitizer and 8-bit attachments.
Joe Steele
joe at madewell.com
Mon Jun 23 17:29:19 PDT 2003
On Friday, June 20, 2003 11:50 PM, John D. Hardin wrote:
> On Thu, 19 Jun 2003, Tomas Kuliavas wrote:
>
> > > On Wed, 18 Jun 2003, Tomas Kuliavas wrote:
> > >
> > >> Content-Type: application/octet-stream;
> > >> name="=?iso-8859-4?B?seoudHh0LnNjcg==?="
> > >> Content-Disposition: attachment;
> > >> filename="=?iso-8859-4?B?seoudHh0LnNjcg==?="
Hmm... I'm certainly no expert, but the RFCs make it pretty clear
that the quoted text should be treated as nothing more than literal
US-ASCII text. RFC 2047 covers the use of the 'encoded-word'
notation used above, but the RFC specifically states that:
+ An 'encoded-word' MUST NOT appear within a 'quoted-string'...
+ An 'encoded-word' MUST NOT be used in parameter of a MIME
Content-Type or Content-Disposition field....
Both of these requirements have been violated. Nonetheless, I
presume this entire issue has arisen because certain lame-brained
MUAs are parsing the filename as an 'encoded-word'?
> > >> Content-Transfer-Encoding: 7bit
> > >
> > > Encoded filenames are a known weakness in the current version. I don't
> > > know if I will be able to add encoded filename handling soon.
> >
> > How about option to block or strip anything that looks like encoded
> > attachment? It may have high false positives rate, but sometimes it is
> > better to have 10 false positives instead of one virus.
>
> Add a local-rule:
>
> :0 B hfi
> * ^Content-(Type|Disposition):.*name="=\?iso-8859-[0-9]+\?B\?
Since respectable MUAs should never use the 'encoded-word' syntax
within a filename, I'd suggest casting a wider net (because character
sets don't have to begin with "iso-8859-" and because the method of
encoding doesn't have to be 'B'). Possibly something like:
* ^Content-(Type|Disposition):.*name=.*=\?.*\?
> | formail -A "X-Content-Security: [${HOST}] NOTIFY" \
> -A "X-Content-Security: [${HOST}] QUARANTINE" \
> -A "X-Content-Security: [${HOST}] REPORT: Trapped encoded
> filename"
Alas, because of the restrictions contained in RFC 2047,
another RFC was written (RFC 2231) which establishes a different
method for encoding parameter values (such as filenames) for use
within MIME headers. To trap it, you'd probably need something like:
* ^Content-(Type|Disposition):.*name(\*[0-9]+)*\*=.*%
Of course, this again runs the risk of trapping false positives.
--Joe
More information about the esd-l
mailing list