This "magic number" topic is quite new to me :-) I've looked around with Google, but didn't find any link really explaining what it's all about. Do you have any good one to suggest?

Thanks, Vincenzo

> -----Original Message-----
> From: Noel J. Bergman [mailto:[EMAIL PROTECTED]
> Sent: Sunday, 22 June 2003 1.01
> To: James Users List
> Subject: RE: Virus scanning (was RE: Matchers & X Window)
>
>
> > > I would check MIME type, file extension, and most importantly the
> > > magic, to make sure that they all match. Any failure to match
> > > would be suspect, regardless of what the A/V program says. I
> > > think you misunderstood my earlier point.
>
> > In truth I must have done, I *still* wouldn't like to trust that those
> > things weren't being hijacked though, even the magic.
>
> Exactly. So if an attachment has MIME type T then it should have one of the
> known extensions for MIME type T and it should have the correct magic. That
> way if an attachment claims to be MIME type "image/jpeg", then it must have
> an extension of .jpeg, jpg or jpe, AND have a magic value of
> 0xFFD8FFE0JFIF0x00. If it has a magic value of something else, e.g.,
> 0x7FELF or MZ, then it should be rejected *regardless of the anti-virus
> scan*. A simple set of magic is:
>
> Format          Magic
> PNG             0xD3PNG
> GIF             GIF89a
> JPEG            0xFFD8FFE0JFIF0x00
> ELF             0x7FELF
> Windows .EXE    MZ
>
> /usr/share/[misc/]magic has a collected set to use with the file command
> (Windows users, see: http://www.alaska.net/~royce/pub/solaris/MAGIC). The
> pertinent aspects of the file command could be re-implemented in Java.
>
> The purpose would be to prevent someone from slipping an executable by as a
> non-executable, since most operating systems load by magic, not extension or
> MIME type.
>
> --- Noel
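
The three-way check described in the quoted message (declared MIME type, file extension and leading magic bytes must all agree), as an added example that is not part of the original thread or of James itself. The class and method names are hypothetical, the signature bytes are taken from the format specifications rather than from the table above, and the example assumes Java 16+, a bare MIME type without parameters, and rejection of any type it has no rule for.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.Map;

public class AttachmentTypeCheck {
    /** Extensions and leading byte signatures accepted for one MIME type. */
    record Rule(List<String> extensions, List<byte[]> magics) {}

    private static byte[] b(int... v) {
        byte[] out = new byte[v.length];
        for (int i = 0; i < v.length; i++) out[i] = (byte) v[i];
        return out;
    }

    // Signature bytes as defined by the format specifications (assumption of this example).
    static final Map<String, Rule> RULES = Map.of(
        "image/jpeg", new Rule(List.of("jpeg", "jpg", "jpe"), List.of(b(0xFF, 0xD8, 0xFF))),
        "image/png", new Rule(List.of("png"),
            List.of(b(0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A))),
        "image/gif", new Rule(List.of("gif"),
            List.of(b('G', 'I', 'F', '8', '7', 'a'), b('G', 'I', 'F', '8', '9', 'a'))));

    static boolean startsWith(byte[] data, byte[] prefix) {
        return data.length >= prefix.length
            && Arrays.equals(data, 0, prefix.length, prefix, 0, prefix.length);
    }

    /** Returns null when type, extension and magic agree, else the rejection reason. */
    static String rejectReason(String mimeType, String fileName, byte[] head) {
        Rule rule = RULES.get(mimeType.trim().toLowerCase(Locale.ROOT));
        if (rule == null) return "no rule for MIME type " + mimeType; // fail closed
        int dot = fileName.lastIndexOf('.');
        String ext = dot < 0 ? "" : fileName.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!rule.extensions().contains(ext)) return "extension '" + ext + "' not valid for " + mimeType;
        for (byte[] magic : rule.magics()) {
            if (startsWith(head, magic)) return null;
        }
        return "magic does not match " + mimeType; // e.g. MZ or 0x7F ELF behind a .jpg name
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a JFIF header and the start of a Windows executable.
        byte[] jfif = b(0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F', 0x00);
        byte[] exe = b('M', 'Z', 0x90, 0x00);
        System.out.println(rejectReason("image/jpeg", "holiday.jpg", jfif));
        System.out.println(rejectReason("image/jpeg", "holiday.jpg", exe));
        System.out.println(rejectReason("image/jpeg", "holiday.exe", jfif));
        System.out.println(rejectReason("image/png", "logo.png", jfif));
    }
}
```

Only the first few bytes of the decoded attachment need to be passed as `head`; the decision is independent of any anti-virus verdict, as the message proposes.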