> > I would check MIME type, file extension, and most importantly the
> > magic, to make sure that they all match. Any failure to match
> > would be suspect, regardless of what the A/V program says. I
> > think you misunderstood my earlier point.
> In truth I must have done, I *still* wouldn't like to trust that those
> things weren't being hijacked though, even the magic.
Exactly. So if an attachment has MIME type T then it should have one of the
known extensions for MIME type T and it should have the correct magic. That
way if an attachment claims to be MIME type "image/jpeg", then it must have
an extension of .jpeg, .jpg or .jpe, AND have a magic value of
0xFFD8FFE0JFIF0x00. If it has a magic value of something else, e.g.,
0x7FELF or MZ, then it should be rejected *regardless of the anti-virus
scan*. A simple set of magic is:

    Format          Magic
    PNG             0xD3PNG
    GIF             GIF89a
    JPEG            0xFFD8FFE0JFIF0x00
    ELF             0x7FELF
    Windows .EXE    MZ

/usr/share/[misc/]magic has a collected set to use with the file command
(Windows users, see: http://www.alaska.net/~royce/pub/solaris/MAGIC). The
pertinent aspects of the file command could be re-implemented in Java.

The purpose would be to prevent someone from slipping an executable by as a
non-executable, since most operating systems load by magic, not extension or
MIME type.
--- Noel
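
An added example, not code from the original post or from the project: a small Java check that the declared MIME type, the filename extension and the leading bytes all agree, rejecting on any mismatch. The class, record and method names are hypothetical, the sample byte arrays are constructed, and the signatures are written out as full byte sequences from the format specifications (JPEG is matched on its FF D8 FF prefix so that non-JFIF JPEGs also pass).

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.Map;

public class AttachmentTypeCheck {
    // Hypothetical rule: allowed extensions and leading-byte signatures for one MIME type.
    record Rule(List<String> extensions, List<byte[]> magics) {}

    static byte[] hex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++)
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return out;
    }

    // Allow-list: a MIME type that is not listed here is rejected outright.
    static final Map<String, Rule> RULES = Map.of(
        "image/jpeg", new Rule(List.of("jpeg", "jpg", "jpe"), List.of(hex("FFD8FF"))),
        "image/png", new Rule(List.of("png"), List.of(hex("89504E470D0A1A0A"))),
        "image/gif", new Rule(List.of("gif"), List.of(
            "GIF87a".getBytes(StandardCharsets.US_ASCII),
            "GIF89a".getBytes(StandardCharsets.US_ASCII))));

    static boolean startsWith(byte[] data, byte[] magic) {
        return data.length >= magic.length
            && Arrays.equals(data, 0, magic.length, magic, 0, magic.length);
    }

    /** True only if the declared type is known and both extension and magic match it. */
    static boolean consistent(String mimeType, String fileName, byte[] head) {
        // Drop Content-Type parameters such as "; name=..." before the lookup.
        Rule rule = RULES.get(mimeType.split(";")[0].trim().toLowerCase(Locale.ROOT));
        if (rule == null) return false;
        int dot = fileName.lastIndexOf('.');
        String ext = dot < 0 ? "" : fileName.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!rule.extensions().contains(ext)) return false;
        return rule.magics().stream().anyMatch(m -> startsWith(head, m));
    }

    public static void main(String[] args) {
        byte[] jfif = hex("FFD8FFE000104A46494600");   // constructed JFIF header
        byte[] exe = {'M', 'Z', (byte) 0x90, 0x00};    // constructed MZ executable start
        System.out.println(consistent("image/jpeg", "photo.jpg", jfif)); // all three agree
        System.out.println(consistent("image/jpeg", "photo.jpg", exe));  // magic mismatch
        System.out.println(consistent("image/jpeg", "photo.exe", jfif)); // extension mismatch
        System.out.println(consistent("application/x-foo", "a.foo", jfif)); // unlisted type
    }
}
```

The check runs on the decoded attachment bytes and is independent of the anti-virus verdict, so a mismatch can be rejected even when the scan reports the file as clean.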