"David F. Skoll" <[EMAIL PROTECTED]> writes:

> AFAIK, you can always list the contents of a zip file, even a
> password-protected one.  I guess it's time to look inside zip archives
> for banned filenames. :-(

I've written some code to look into zip archives to run File::Scan on
archive members. Adding checking for encryption is now easy 8-) Note:
this isn't much tested, proceed with caution:

#------------------------------------------------------------------------------
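    # Inspect zip attachments: bounce oversized members, bounce encrypted
    # members whose names end in an executable-style extension, and run
    # File::Scan over every member that can be extracted.
    # Not covered here: archives nested inside the zip are scanned only as
    # opaque files, not opened recursively.
    if (lc($ext) =~ /\.zip$/) {
        use Archive::Zip qw(:ERROR_CODES);
        use File::Scan;

        # Extensions refused when a member is encrypted (and therefore cannot
        # be scanned).  Trailing dots and whitespace are tolerated before the
        # end of the name so that "x.exe." or "x.exe " is not let through.
        my $banned_ext_re = qr/
            \.(?:ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe
                |fxp|hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi
                |msp|mst|ocx|pcd|pif|prg|reg|scr|sct|sh|shb|shs|sys|url|vb|vbe
                |vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|wsh)
            [.\s]*\z
        /x;

        my $path = $entity->bodyhandle->path;
        my $zip  = Archive::Zip->new();
        if ($zip->read($path) == AZ_OK) {
            # One scratch file (created under the current directory) is
            # reused for every member and removed after each scan.
            my $tfname  = Archive::Zip::tempFileName('.');
            my $scanner = File::Scan->new;

            foreach my $member ($zip->members()) {
                my $file = $member->fileName();

                # The member name is chosen by the sender.  Replace anything
                # outside printable ASCII before it reaches syslog or the
                # bounce text (presumably relayed to the sending side), so
                # control characters and newlines cannot forge or split lines.
                (my $safe_name = $file) =~ s/[^\x20-\x7e]/?/g;

                # NOTE(review): this size comes from the archive's own
                # headers, so it is a declared value, not a measured one.
                # Treat it as a first-pass filter; a limit on the bytes
                # actually written during extraction would be stronger.
                my $declared_size = $member->uncompressedSize();
                if ($declared_size > 50e6) {
                    md_graphdefang_log('Archive member too big ', $safe_name, $RelayAddr);
                    action_bounce("Archive member $safe_name too big");
                    return;
                }

                # Directory entries carry no content to scan.
                next if $member->isDirectory();

                if ($member->isEncrypted()) {
                    if (lc($file) =~ $banned_ext_re) {
                        md_graphdefang_log('Encrypted file', $safe_name, $RelayAddr);
                        action_bounce("Encrypted files of this type not allowed here");
                        # or discard, or quarantine, or whatever
                        return;
                    }
                    # Encrypted member with an allowed extension: it passes
                    # unscanned, so leave a trace in the log.
                    md_syslog('warning', "Encrypted file $safe_name");
                    next;
                }

                # Plain member: extract, scan, and always clean up.
                my $status = $zip->extractMember($member, $tfname);
                if ($status != AZ_OK) {
                    # Extraction failed, so this member was NOT scanned.
                    # Logged rather than silently skipped; sites that want to
                    # fail closed can quarantine or bounce here instead.
                    unlink($tfname);
                    md_syslog('warning', "Could not extract $safe_name from zip; member not scanned");
                    next;
                }
                my $virus = $scanner->scan($tfname);
                unlink($tfname);
                if ($virus) {
                    md_graphdefang_log('virus-zip', $virus, $RelayAddr);
                    action_discard();
                    return;
                }
            }
        }
        else {
            # The archive could not be parsed, so none of its members were
            # inspected.  Record that instead of passing it silently.
            md_syslog('warning', "Could not read zip archive $path; contents not scanned");
        }
    }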
#------------------------------------------------------------------------------

  MJ