Package: dansguardian
Version: 2.9.9.4-1+lenny1+b1
Severity: important

After installing dansguardian, all file extensions listed in /etc/dansguardian/lists/bannedextensionlist should be blocked by default. However, only some of them are being effectively blocked.

Steps to reproduce:

1) Install a minimal Lenny system
2) apt-get install squid dansguardian
3) Enable and start dansguardian
4) Upload an ini file to an external webserver
5) Configure a web browser to go through dansguardian and try to fetch the file uploaded in the previous step
6) Even though the .ini file extension should be blocked by default, you'll be able to download the file without problems.

In the dansguardian access.log file you'll find something like this:

  2010.6.25 1:28:06 - 127.0.0.1 http://www.example.net/test.ini GET 9416 -30 1 200 text/plain -

Other file extensions that aren't being blocked:

- cab
- cpl
- cue

Some file extensions where blocking works:

- avi
- dll
- doc
- exe
- mp3

  2010.6.25 1:30:06 - 127.0.0.1 http://www.example.net/dgtest.avi *DENIED* Banned extension: .avi GET 0 0 Banned extension 1 403 video/x-msvideo -
  2010.6.25 1:30:09 - 127.0.0.1 http://www.examle.net/dgtest.mp3 *DENIED* Banned extension: .mp3 GET 0 0 Banned extension 1 403 audio/mpeg -
  2010.6.25 1:30:13 - 127.0.0.1 http://www.example.net/dgtest.exe *DENIED* Banned extension: .exe GET 0 0 Banned extension 1 403 application/x-msdownload -
  2010.6.25 1:30:17 - 127.0.0.1 http://www.example.net/dgtest.doc *DENIED* Banned extension: .doc GET 0 0 Banned extension 1 403 application/msword -

The only pattern that I can see so far is that the extensions that aren't blocked are always shown with a text/plain Content-type in the dansguardian log, while the ones that are being correctly blocked show some specific type.

I think it would be important to research this problem further and try to find a solution or workaround, since the package is not working as documented, and could give a false sense of security to users that are unaware of this issue.
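An added example, not part of the original report: a small audit that reads access.log lines in the layout quoted above and lists every request whose URL ends in a banned extension but carries no *DENIED* marker, together with the logged Content-type. The field positions (URL as the fifth token, MIME type as the second-to-last) and the list format (one ".ext" per line, "#" comments) are assumptions taken from the lines in this report; the sample list is constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: log lines copied from the report above.
SAMPLE_LOG = """\
2010.6.25 1:28:06 - 127.0.0.1 http://www.example.net/test.ini GET 9416 -30 1 200 text/plain -
2010.6.25 1:30:06 - 127.0.0.1 http://www.example.net/dgtest.avi *DENIED* Banned extension: .avi GET 0 0 Banned extension 1 403 video/x-msvideo -
2010.6.25 1:30:13 - 127.0.0.1 http://www.example.net/dgtest.exe *DENIED* Banned extension: .exe GET 0 0 Banned extension 1 403 application/x-msdownload -
"""

# Constructed excerpt standing in for /etc/dansguardian/lists/bannedextensionlist.
SAMPLE_BANNED = "# constructed sample\n.ini\n.cab\n.avi\n.exe\n"

def load_banned(text):
    """Return the set of lowercase extensions found in the list content."""
    exts = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line.startswith("."):
            exts.add(line)
    return exts

def url_extension(url):
    """Extension of the last URL path segment; the query string is ignored."""
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    m = re.search(r"(\.[A-Za-z0-9]+)$", name)
    return m.group(1).lower() if m else ""

def find_misses(log_text, banned):
    """Return (timestamp, url, ext, mime) for banned-extension requests not denied."""
    misses = []
    for line in log_text.splitlines():
        tok = line.split()
        if len(tok) < 7:  # too short to be a request line in this layout
            continue
        url = tok[4]
        ext = url_extension(url)
        if ext in banned and "*DENIED*" not in tok:
            misses.append((f"{tok[0]} {tok[1]}", url, ext, tok[-2]))
    return misses

if __name__ == "__main__":
    for ts, url, ext, mime in find_misses(SAMPLE_LOG, load_banned(SAMPLE_BANNED)):
        print(f"{ts} NOT BLOCKED {ext} ({mime}) {url}")
```

Grouping the misses by the reported MIME type is a quick way to confirm or rule out the text/plain pattern noted in the report.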

