On Wed 08/Feb/2017 22:11:53 +0100 Gordon Messmer wrote:
> On 02/08/2017 10:24 AM, Alessandro Vesely wrote:
>> I revamped attachments.py in order to catch Javascript Trojans inside 
>> a zip, which were driving me crazy.
> 
> The current version supports libarchive, which should allow you to 
> blacklist file types inside zip files, as well.

Yup, that's right.  I hadn't got it.  I re-introduced support for libarchive, 
and have been using my alternative version since then.  Today I added the .ace 
extension, after I found a Trojan-PSW.Win32.Fareit.cxcl wrapped that way.

It may be safer to just use all available filters.  However, the original 
attachments.py fails like so:

Initialized the "attachments" python filter
Traceback (most recent call last):
  File "../courier-pythonfilter/courier-pythonfilter-1.11/filters/attachments.py", line 111, in <module>
    print doFilter(sys.argv[1], [])
  File "../courier-pythonfilter/courier-pythonfilter-1.11/filters/attachments.py", line 90, in doFilter
    if filename and checkArchive(filename, part):
  File "../courier-pythonfilter/courier-pythonfilter-1.11/filters/attachments.py", line 52, in checkArchive
    if fparts[-1].lower() in libarchive.FILTERS:
AttributeError: 'module' object has no attribute 'FILTERS'

If I patch it as attached, it throws no exception, but doesn't block an .exe 
inside an .ace either.  Indeed, in python, I see .ace is not set:

Python 2.7.9 (default, Jun 29 2016, 13:08:31) 
[GCC 4.9.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import libarchive
>>> libarchive.ffi.READ_FILTER
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
AttributeError: 'module' object has no attribute 'READ_FILTER'
>>> libarchive.ffi.READ_FILTERS
set([u'lzma', u'all', u'uu', u'lzop', u'compress', u'bzip2', u'lzip', u'xz', 
u'lrzip', u'gzip', u'grzip', u'rpm', u'none'])
>>> libarchive.ffi.READ_FORMATS
set([u'all', u'zip', u'tar', u'lha', u'iso9660', u'7zip', u'xar', u'mtree', 
u'cpio', u'raw', u'ar', u'rar', u'cab', u'empty'])
>>> 

I've published my alternative version here:
https://www.tana.it/sw/pythonfilter_attachments/

Ale
-- 


--- ../courier-pythonfilter/courier-pythonfilter-1.11/filters/attachments.py    
2016-05-05 06:08:01.000000000 +0200
+++ attachments.py      2017-07-25 18:34:55.003804899 +0200
@@ -49,9 +49,9 @@
     if not haveLibarchive:
         return False
     fparts = filename.split('.')
-    if fparts[-1].lower() in libarchive.FILTERS:
+    if fparts[-1].lower() in libarchive.ffi.READ_FILTERS:
         fparts.pop()
-    if fparts[-1].lower() not in libarchive.FORMATS:
+    if fparts[-1].lower() not in libarchive.ffi.READ_FORMATS:
         return False
     d = tempfile.mkdtemp()
     f = '%s/%s' % (d, filename.replace('/',''))
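Review bot: the two membership tests in this hunk compare the last filename component against libarchive's filter and format names rather than file extensions, so `backup.tar.gz` is never recognised (the READ_FILTERS set printed above contains `gzip`, not `gz`) and, as the mail itself notes, `ace` is absent from READ_FORMATS, so an .ace attachment hits `return False` and leaves the filter uninspected without any log line. Separately, `fparts.pop()` can empty the list when the whole name is a filter name (`xz`, `none`), after which the next `fparts[-1]` raises IndexError inside the filter. Suggest an explicit extension map instead of the raw libarchive sets, a guard such as `if len(fparts) > 1 and fparts[-1].lower() in libarchive.ffi.READ_FILTERS:` before the pop, and either logging or outright denying archive extensions libarchive cannot open.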
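As an added illustration (not code from courier-pythonfilter or the alternative version linked above), the following models the patched checkArchive() extension gate using the READ_FILTERS/READ_FORMATS sets copied from the interpreter session in the mail, beside a hardened gate; the COMPRESSION_EXT, ARCHIVE_EXT and DENY_EXT policy values are assumed, not the project's, and nothing here needs libarchive installed.

```python
# Added example (not courier-pythonfilter code): model of the patched checkArchive()
# extension gate, using the READ_FILTERS/READ_FORMATS sets copied from the session
# above, beside a hardened gate. Runs without libarchive.
READ_FILTERS = {"lzma", "all", "uu", "lzop", "compress", "bzip2", "lzip", "xz",
                "lrzip", "gzip", "grzip", "rpm", "none"}        # constructed copy
READ_FORMATS = {"all", "zip", "tar", "lha", "iso9660", "7zip", "xar", "mtree",
                "cpio", "raw", "ar", "rar", "cab", "empty"}     # constructed copy

def original_gate(filename):
    """Mirror of the patched extension test: True = handed to libarchive,
    False = skipped without inspection."""
    fparts = filename.split('.')
    if fparts[-1].lower() in READ_FILTERS:
        fparts.pop()                    # empties the list for a bare "xz" / "none"
    if fparts[-1].lower() not in READ_FORMATS:
        return False
    return True

# Hardened policy (assumed values, not the project's): the sets above hold
# libarchive's internal names, so map real extensions explicitly, and deny
# archive types libarchive cannot open (.ace) instead of silently passing them.
COMPRESSION_EXT = {"gz", "bz2", "xz", "lz", "lzma", "lzo", "z", "uu"}
ARCHIVE_EXT = {"zip", "tar", "7z", "rar", "cab", "iso", "lha", "cpio", "ar", "xar"}
DENY_EXT = {"exe", "js", "ace"}         # .ace is unreadable by libarchive: block it

def hardened_gate(filename):
    """Return 'block', 'inspect' or 'pass' for a top-level attachment name."""
    parts = filename.lower().split('.')
    if len(parts) < 2:
        return 'pass'                   # no extension at all
    if parts[-1] in DENY_EXT:
        return 'block'
    if parts[-1] in COMPRESSION_EXT and len(parts) > 2:
        parts.pop()                     # "backup.tar.gz" -> look at "tar"
    if parts[-1] in DENY_EXT:           # "evil.exe.gz" is still a denied binary
        return 'block'
    return 'inspect' if parts[-1] in ARCHIVE_EXT else 'pass'

def compare(filenames):
    """Run both gates; an IndexError from the original gate becomes 'error'."""
    out = {}
    for name in filenames:
        try:
            orig = 'inspect' if original_gate(name) else 'pass'
        except IndexError:
            orig = 'error'
        out[name] = (orig, hardened_gate(name))
    return out
```

Calling compare(["evil.exe.ace", "backup.tar.gz", "xz"]) shows the original gate passing the first two uninspected and crashing on the third, while the hardened gate blocks, inspects and passes them respectively.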
_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users