[Esd-l] NOTICE: you probably should add *.CPL to yourpoison
list
Joe Steele
joe at madewell.com
Thu May 6 11:27:24 PDT 2004
On Thursday, May 06, 2004 9:15 AM, John D. Hardin wrote:
> On Wed, 5 May 2004, Rob Landry wrote:
>
> > Given that the wormmongers seem to be putting arbitrary suffixes
> > on their payloads to get around filters such as Sanitizer, might
> > it be time to switch to a system whereby all attachments are
> > disallowed except those bearing an allowable suffix (.doc, .exe,
> > .pdf, .mp3, etc)?
>
> You can do this by setting your $MANGLE_EXTENSIONS thusly:
>
> MANGLE_EXTENSIONS='((?!(?:jpg|gif|txt|mp3))[a-z0-9]+)|\{[-0-9a-f]+\}'
>
Careful -- This is a perl RE, but there is a non-perl instance in the
sanitizer where $MANGLE_EXTENSIONS is used as part of a condition for
a procmail recipe. Not a major problem, just a small complication.
> Extend the list of acceptable extensions as desired.
>
> Note: I am still checking this against my set of test messages, but it
> appears to be working well. I might add some simple scripting to allow
> for a variable (maybe $ACCEPTABLE_EXTENSIONS) that, if present, would
> override the default $MANGLE_EXTENSIONS as described above. Then you'd
> be able to do something more friendly like:
>
> ACCEPTABLE_EXTENSIONS="txt|jpe?g|gif|png|mp3|etc"
>
> Comments solicited.
>
Using a carefully chosen extension whitelist is a better security
model than using an extension blacklist. Unfortunately, people will
be faced with deciding to whitelist an extension because they were
asked to do so and because they couldn't find any reason not to. The
trouble is, proving to yourself that something is safe is harder than
proving that it is hazardous. And concluding that an extension is
safe today doesn't mean that it will remain safe tomorrow.
I suspect publishing and maintaining an all-inclusive whitelist
that people could reference would be much more difficult than
continuing to maintain a blacklist of extensions known to be
suspicious. So in that regard, blacklists are still useful and
necessary in preventing people from making uninformed decisions.
If a whitelist model is implemented, then the issue for me is whether
people will manually crosscheck all their new whitelist candidates
against a blacklist maintained on a website (and diligently recheck
their whitelist every time the blacklist is updated), or whether the
sanitizer should continue to provide a default (but configurable)
blacklist that automatically overrides any local whitelist
preferences. Using both types of lists is probably overkill, but it
would be erring on the side of safety and would provide more
flexibility for local policy.
--Joe
More information about the esd-l
mailing list