On Fri, 11 Oct 2002 18:22:15 +0400 (MSD)
Roman Suzi <[EMAIL PROTECTED]> wrote:
> >The problem is the '/' in the attachment name. I'll address this as a matter
> >of some urgency.
>
> Isn't it possible to use some digest (sha, md5, ...) of file name instead
> of real name? This will solve this problem securely. Otherwise some
> '=2f' quoted-printable encoded could emerge and the security hole
> will be present again... (and I can't guess whatever else could happen
> on the place of file name. For example, Perl CGI scripts
> treat \0 as end of file name. This also could mess things. So I see digesting
> as a much safer solution).

Yes Roman, you're right. Nigel: there is a function called cl_md5buff() in
libclamav, it should be really simple to fix the problem.

> Right now I am using a simple Python script to dumbly de-base-64 all lines
> longer than 60 chars and feed it onto stdin of clamav. And, believe it or not,
> it works better than --mbox switch!

But when reading from stdin, clamscan doesn't scan archives.

Best regards,
Tomasz Kojm
--
oo ..... [EMAIL PROTECTED]
(\/)\......... http://www.konarski.edu.pl/~zolw
\..........._ And don't forget to click on the belly...
//\ /\\ <- C. Amboinensis www.pajacyk.pl
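
The digest approach discussed in this message, as an added example (not code from clamav or from either poster): the extracted file is named after a digest of the sender-supplied attachment name, so a `/`, a decoded `=2f` or a `\0` never reaches the file system. The directory, sample names and function names are constructed for illustration, and SHA-256 from Python's `hashlib` stands in for the MD5 helper mentioned in the reply.

```python
import hashlib
import posixpath
import quopri

TMPDIR = "/var/tmp/scan-example"  # constructed scratch directory

# Constructed attachment names, as raw bytes taken from a MIME header.
SAMPLES = [
    b"report.doc",
    b"../outside.txt",                         # literal '/'
    quopri.decodestring(b"..=2foutside.txt"),  # '/' arriving as =2f
    b"notes.txt\x00.exe",                      # embedded NUL
]

def naive_path(tmpdir, name):
    """Unsafe pattern: the sender-supplied name becomes the file name."""
    return posixpath.normpath(posixpath.join(tmpdir, name.decode("latin-1")))

def digest_path(tmpdir, name):
    """Name the file after a digest of the supplied name.

    A hex digest contains only [0-9a-f], so no separator, NUL or encoded
    variant of either can reach the file system, whatever the input was.
    """
    return posixpath.join(tmpdir, hashlib.sha256(name).hexdigest())

def stays_inside(tmpdir, path):
    """True if path is located under tmpdir and holds no NUL byte."""
    inside = posixpath.commonpath([tmpdir, path]) == tmpdir
    return inside and "\x00" not in path

def report():
    """Return (name, naive_ok, digest_ok) for every constructed sample."""
    return [(n, stays_inside(TMPDIR, naive_path(TMPDIR, n)),
             stays_inside(TMPDIR, digest_path(TMPDIR, n))) for n in SAMPLES]

if __name__ == "__main__":
    for name, naive_ok, digest_ok in report():
        print(f"{name!r:24} naive_ok={naive_ok!s:5} digest_ok={digest_ok}")
```

Only the plain `report.doc` name survives the naive join; every sample stays inside the scratch directory once the digest is used as the file name.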