On Fri, 12 Feb 2016, System Operations wrote:

I made the changes to the sub contains_office_macros below, I hope that these changes are correct. Does the sub contains_office_macros need to be called by sub filter_multipart only or does it need to be called by the sub filter as well?

You want to test files only; hence, no need in filter_multipart, but in filter only.

Also, see this snippet from the man page:

The heart of mimedefang-filter is the filter procedure. See the examples that came with MIMEDefang to learn to write a filter. The filter is called with the following arguments:

       $entity
              The MIME::Entity object.  (See the MIME::tools Perl module documentation.)

       $fname The suggested attachment filename, or "" if none was supplied.

       $ext   The file extension (all characters from the rightmost period to the end of the filename.)

       $type  The MIME type (for example, "text/plain".)

You should use $ext and $type to probe these strings, if you check the content, because MIMEDefang takes great care to populate sane values there. They replace the foreach loop. Also note, if the MIME type suggests "MS Office style document", the filename need not end in .doc/.xls/... Many MUAs accept those parts as MS Office docs, too.

# These markers were documented at:
# http://blog.rootshell.be/2015/01/08/searching-for-microsoft-office-files-containing-macro/
# as of 2015-01-15
# $entity is a MIME::Entity that's the parsed message

my $marker1 = "\xd0\xcf\x11\xe0";
my $marker2 = "\x00\x41\x74\x74\x72\x69\x62\x75\x74\x00";

sub contains_office_macros
{
   my ($entity) = @_;
   my @parts = $entity->parts();
   if (scalar(@parts) > 0) {
       return 0;
   }
   my $is_msoffice_extension = 0;
   foreach my $attr_name (qw( Content-Disposition.filename Content-Type.name) ) {
       my $possible = $entity->head->mime_attr($attr_name);
       # Skip attributes this part does not carry
       next unless defined($possible);
       $possible = decode_mimewords($possible);
       if ($possible =~ /\.(doc|docx)$/i) {
           $is_msoffice_extension = 1;
           last;
       }
   }
   return 0 unless $is_msoffice_extension;
   return 0 unless defined($entity->bodyhandle) && defined($entity->bodyhandle->path);
   my $fp;
   if (!open($fp, '<:raw', $entity->bodyhandle->path)) {
       return 0;
   }
   my $contents;
   {
       local $/;
       $contents = <$fp>;
       close($fp);
   }
   if (index($contents, $marker1) > -1 &&

According to your reference, marker1 must be on location == 0 (start of file)

       index($contents, $marker2) > -1) {
       return 1;
   }
   return 0;
}
_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list [email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang



-- Steffen Kaiser
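
Added example (not part of the original message and not MIMEDefang's own code): one way to apply the two points from the reply above, selecting candidates by $ext or $type instead of re-parsing the headers, and requiring marker1 at offset 0. The helper name, its signature, and the extension and MIME type lists are assumptions; the sample files are constructed bytes, not real documents.

```perl
use strict;
use warnings;
use File::Temp qw(tempfile);

# Markers exactly as given in the posted code.
my $marker1 = "\xd0\xcf\x11\xe0";
my $marker2 = "\x00\x41\x74\x74\x72\x69\x62\x75\x74\x00";

# Hypothetical helper (name and signature are assumptions): $path is the
# decoded body on disk; $ext and $type are the values passed to filter().
sub looks_like_office_macro_doc {
    my ($path, $ext, $type) = @_;
    $ext  = '' unless defined $ext;
    $type = '' unless defined $type;

    # Candidate if EITHER the extension OR the declared MIME type says Office.
    # Both lists are assumptions; extend them for your site.
    my $candidate = $ext  =~ /^\.(?:doc|xls)\z/i
                 || $type =~ m{^application/(?:msword|vnd\.ms-excel)\z}i;
    return 0 unless $candidate && defined $path;

    open(my $fp, '<:raw', $path) or return 0;
    my $contents = do { local $/; <$fp> };
    close($fp);
    return 0 unless defined $contents;

    # marker1 must be the first bytes of the file, not merely present.
    return 0 unless substr($contents, 0, length $marker1) eq $marker1;
    # marker2 may appear anywhere after it.
    return index($contents, $marker2, length $marker1) > -1 ? 1 : 0;
}

# Constructed sample bytes (not real documents), written to temp files.
sub sample_file {
    my ($bytes) = @_;
    my ($fh, $name) = tempfile(UNLINK => 1);
    binmode $fh;
    print {$fh} $bytes;
    close $fh;
    return $name;
}

my $hit     = sample_file($marker1 . ("\x00" x 32) . $marker2);
my $shifted = sample_file("junk" . $marker1 . $marker2);

printf "%-26s %d\n", 'extension only:',    looks_like_office_macro_doc($hit, '.doc', 'application/octet-stream');
printf "%-26s %d\n", 'MIME type only:',    looks_like_office_macro_doc($hit, '.bin', 'application/msword');
printf "%-26s %d\n", 'marker1 not at 0:',  looks_like_office_macro_doc($shifted, '.doc', 'application/msword');
printf "%-26s %d\n", 'not an Office part:', looks_like_office_macro_doc($hit, '.txt', 'text/plain');
```

Inside a filter, the path argument would come from $entity->bodyhandle->path, guarded by the same defined() checks the posted sub already uses.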