On Fri, 11 Oct 2002, Nigel Horne wrote: >On Thursday 10 Oct 2002 12:42 pm, Roman Suzi wrote: >> Hello, >> >> I'm trying clamav 0.51 and very often I see things like these: >> >> ERROR: Can't create >> /tmp/77e445760991fdd6/=?koi8-r?B?+s/dsfkhskadjfhskdajfhksdjfhkasdjfhkjsd?= >
>The problem is the '/' in the attachment name. I'll address this as a matter >of some urgency. Isn't it possible to user some digest (sha, md5, ...) of file name instead of real name? This will solve this problem securely. Otherwise some '=2f' quoted-printable encoded could emerge and the security hole will be present again... (and I can't guess whatever else could happen on the place of file name. For example, Perl CGI scripts treat \0 as end of file name. This also could mess things. So I see digesting as much safer solution). Right now I am using simple Python script to dumbly de-base-64 all lines longer than 60 chars and feed it onto stdin of clamav. And, believe it or not, it works better than --mbox switch! >> Also, I worry why temp. directories aren't deleted after the task is done. > >They are deleted unless an internal error occurs, as in this case, to help me to >debug. Hmmm... How to swithc debug mode off? Or do I need some other task which will half-hourly delete unused dirs? >> Sincerely yours, Roman A.Suzi > >-Nigel Horne > > Sincerely yours, Roman Suzi -- [EMAIL PROTECTED] =\= My AI powered by Linux RedHat 7.2 [EMAIL PROTECTED] <- not to be mailed to --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
