Actually this topic was covered a while back when there were RAR files masquerading as zip files.

Here's a function I call from filter_bad_filename. I've modified my filter to handle a return of 1 as a bad file and 2 as a really bad file which outright blocks the email.

sub filter_bad_filename ($) {

  ....

  # Look inside ZIP files ($re is the bad-extension pattern built earlier in this sub)
  if (re_match($entity, '\.zip$') and $Features{"Archive::Zip"}) {
    my $bh = $entity->bodyhandle();
    if (defined($bh)) {
      my $path = $bh->path();
      if (defined($path)) {
        # CORRUPTED ZIPS ARE DANGEROUS - RETURN A REALLY BAD FILENAME
        return 2 if (&check_for_corrupt_zip($path, $entity->head->recommended_filename()));
        return re_match_in_zip_directory($path, $re);
      }
    }
  }
  return 0;
}

use IO::File;

sub check_for_corrupt_zip {
  my ($path, $recommended_filename) = @_;

  my $filehandle;
  my $header = '';

  # OPEN THE FILE, GRAB THE FIRST FOUR BYTES AND TEST
  $filehandle = IO::File->new($path, '<');
  if (defined $filehandle) {
    read($filehandle, $header, 4);
    close($filehandle);

    # IS IT A RAR FILE DISGUISED AS A ZIP?
    if ($header =~ /^Rar!/i) {
      md_syslog('warning', "$QueueID: Discarding because of RAR file disguised as ZIP File: $recommended_filename");
      return 1;
    }

    # IS IT A ZIP FILE WITH A VALID MAGIC NUMBER? - IDEA From Tomasz Ostrowski
    # (byte-exact match; note that an empty archive starts with PK\005\006
    # instead of PK\003\004, so it is rejected here as well)
    if ($header !~ /^PK\003\004/) {
      md_syslog('warning', "$QueueID: ZIP file has an invalid ZIP Magic Number: $recommended_filename");
      return 1;
    }
  }

  return 0;
}


----- Original Message ----- From: "Dave O'Neill" <[email protected]>
To: <[email protected]>
Sent: Thursday, January 14, 2010 12:09 PM
Subject: Re: [Mimedefang] exe in defective zip attachments getting through mimedefang


On Thu, Jan 14, 2010 at 10:54:14AM -0600, Cliff Hayes wrote:
if Archive::Zip doesn't return an AZ_OK then mimedefang lets the attachment through. From what I could find out, if Archive::Zip doesn't return AZ_OK then there is a problem with the zip file. I'd rather block defective zip files than let them through. In the code below, I substituted "return 0;" with "else { return 1; }" and that solved my problem. Now good zips still go through, zips with exes get replaced with warning, and defective (hacked I'm assuming) get replaced with warnings too. I'm surprised that standard procedure is to let defective zips through. Or am I understanding this wrong?

What value is ->read() returning? It might be nice to check the status value and determine if it's failing due to a corrupt zip file, or simply due to a zip format that Archive::Zip doesn't recognize.

If you can grab a sample of the zip in question and send it to me offlist, I'll take a look.

Cheers,
Dave
--
Dave O'Neill <[email protected]>    Roaring Penguin Software Inc.
+1 (613) 231-6599                        http://www.roaringpenguin.com/
For CanIt technical support, please mail: [email protected]
_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list [email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
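As an added illustration (not MIMEDefang code, and in Python rather than the filter's Perl), the following performs the two checks this thread discusses in order: sniff the header the way check_for_corrupt_zip does, then, following Dave's suggestion, treat a parser failure on a correctly-signed archive as a block rather than a pass, and only then apply the bad-extension policy to member names. The 0/1/2 verdict codes mirror the poster's convention, BAD_EXT_RE is a hypothetical short stand-in for the filter's bad-extension pattern, and all sample archives are constructed in make_zip.

```python
import io
import re
import zipfile

# Verdicts follow the thread's convention: 0 = clean, 1 = bad attachment
# (replace it with a warning), 2 = really bad (block the whole message).
CLEAN, BAD, REALLY_BAD = 0, 1, 2

RAR_SIGNATURE = b"Rar!"            # what the disguised attachments start with
ZIP_LOCAL_HEADER = b"PK\x03\x04"   # first bytes of any non-empty ZIP
ZIP_EMPTY_ARCHIVE = b"PK\x05\x06"  # an empty ZIP is only an end-of-central-directory record

# Hypothetical stand-in for MIMEDefang's bad-extension regex (deliberately short).
BAD_EXT_RE = re.compile(r"\.(exe|scr|pif|com|bat|cmd|vbs|js)$", re.IGNORECASE)


def check_zip_attachment(data: bytes) -> tuple[int, str]:
    """Classify the raw bytes of an attachment whose name ends in .zip."""
    head = data[:4]
    # 1. Sniff the content: does the header agree with the .zip extension?
    if head.startswith(RAR_SIGNATURE):
        return REALLY_BAD, "RAR file disguised as ZIP"
    if head not in (ZIP_LOCAL_HEADER, ZIP_EMPTY_ARCHIVE):
        return REALLY_BAD, "invalid ZIP magic number"
    # 2. Header looks right, so a parser failure now means the archive is
    #    truncated, corrupt or deliberately malformed: block rather than pass.
    #    (RuntimeError covers members that cannot be read because they are encrypted.)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if zf.testzip() is not None:
                return REALLY_BAD, "ZIP member fails its CRC check"
            names = zf.namelist()
    except (zipfile.BadZipFile, RuntimeError) as exc:
        return REALLY_BAD, f"cannot read ZIP: {exc}"
    # 3. The directory parsed cleanly; apply the filename policy to members.
    for name in names:
        if BAD_EXT_RE.search(name):
            return BAD, f"archive contains {name}"
    return CLEAN, "ok"


def make_zip(members: dict) -> bytes:
    """Build an in-memory ZIP with stored members (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

Note that an empty archive begins with PK\005\006 rather than PK\003\004, so the magic-number test in check_for_corrupt_zip above rejects it, whereas this sniff accepts both signatures and leaves the decision to the parser.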

