[Exim] Executable content filter (again!)

Author: Richard Gilbert
Date:  
To: exim-users
Old-Topics: Re: [Exim] Dots in local parts
Subject: [Exim] Executable content filter (again!)
I know that Nigel has said that he is no longer supporting his very useful
Generic Windows Executable Content filter because it is not possible to do
a thorough job of parsing MIME headers in a regular expression, but it
seems that a lot of sites are still making use of it.

We recently had a user moaning that a file with a name like abc.com.htm
was rejected and so I thought I would take a look at the RE to see if it
could be improved to only look at the last filename component.

This is a simplified version of the RE before modification. (I roll the
two tests for with and without double quotes into one):

/name=("[^"]+\.(?:bat|com)"|\S+\.(?:bat|com))/

The first problem was that while name="abc.com.htm" fails to match the
first half because of the requirement to match the closing double quote,
it then matches the second part because the opening double quote matches
\S. So my first modification was to replace \S with [^"\s]:

/name=(?:"[^"]+\.(?:bat|com)"|[^"\s]+\.(?:bat|com))/

The second problem was that name=abc.com.htm matches the second part
because there is nothing to anchor the regular expression to the end of
the name. My second modification was to require the extension to be
followed by something which does not look like a continuation of the
name -- I used [^\w.].

/name=(?:"[^"]+\.(?:bat|com)"|[^"\s]+\.(?:bat|com)[^\w.])/

However in a header field the name could be followed by end-of-line so
when checking $header_content-type: I used (?:$|[^\w.]) instead:

/name=(?:"[^"]+\.(?:bat|com)"|[^"\s]+\.(?:bat|com)(?:$|[^\w.]))/

I have tested this with pcretest and it seems to have the desired effect,
but I am sending it to the list for comment in the hope that it will
either be useful to other people or somebody will point out the errors in
what I have done.

While I have your attention (if you have read this far), I removed EML
from the list of extensions because one of our users was sending multiple
attachments with a Micro$oft mailer which sent them as a single EML
attachment. Why are EML attachments considered dangerous?

Richard
--
Richard Gilbert
Corporate Information and Computing Services
University of Sheffield, Sheffield, S10 2TN, UK
Phone: +44 114 222 3028 Fax: +44 114 222 3040
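Added example, not part of the post and not Nigel's filter: the four regular expressions from the message above run against a handful of constructed Content-Type header values, so that the two false positives described (abc.com.htm quoted and unquoted) and the end-of-line false negative fixed by the last version can be seen side by side. Python's re module, the re.IGNORECASE flag and the sample header values are my assumptions; the patterns themselves are copied from the post unchanged.

```python
import re

# The four pattern versions from the post, in the order they were developed.
# Python's re module accepts this syntax as-is (same alternation, (?:...) groups,
# character classes and $ anchor as PCRE).
RE_VERSIONS = {
    "original":          r'name=("[^"]+\.(?:bat|com)"|\S+\.(?:bat|com))',
    "no_quote_in_bare":  r'name=(?:"[^"]+\.(?:bat|com)"|[^"\s]+\.(?:bat|com))',
    "terminator":        r'name=(?:"[^"]+\.(?:bat|com)"|[^"\s]+\.(?:bat|com)[^\w.])',
    "terminator_or_eol": r'name=(?:"[^"]+\.(?:bat|com)"|[^"\s]+\.(?:bat|com)(?:$|[^\w.]))',
}

# Constructed sample header values (not taken from the post), paired with whether
# the filter *should* treat the attachment as executable content.
SAMPLES = [
    ('application/octet-stream; name="abc.com.htm"', False),          # quoted, .htm file
    ('application/octet-stream; name=abc.com.htm', False),            # bare, .htm file
    ('application/octet-stream; name="abc.com"', True),               # quoted .com
    ('application/octet-stream; name=abc.com', True),                 # bare .com at end of line
    ('application/octet-stream; name=abc.bat; charset=us-ascii', True),  # bare .bat, more params follow
    ('application/octet-stream; name="report.bat"', True),            # quoted .bat
]


def matches(version, header):
    """True if the given pattern version flags this header value.

    Case-insensitive matching is an assumption here; the post does not say
    which flags the filter used.
    """
    return re.search(RE_VERSIONS[version], header, re.IGNORECASE) is not None


def evaluate(version):
    """Return (false_positives, false_negatives) for one pattern version.

    false_positives: harmless headers the pattern flagged.
    false_negatives: dangerous headers the pattern let through.
    """
    false_positives, false_negatives = [], []
    for header, dangerous in SAMPLES:
        hit = matches(version, header)
        if hit and not dangerous:
            false_positives.append(header)
        if dangerous and not hit:
            false_negatives.append(header)
    return false_positives, false_negatives


def summary():
    """Map each version to (number of false positives, number of false negatives)."""
    return {v: tuple(len(lst) for lst in evaluate(v)) for v in RE_VERSIONS}


if __name__ == "__main__":
    for version in RE_VERSIONS:
        fp, fn = evaluate(version)
        print(f"{version:18s} false positives={fp}  false negatives={fn}")
```

Running it shows the progression the post describes: the original flags both abc.com.htm forms, the [^"\s] change leaves only the bare form, the bare [^\w.] terminator fixes that but misses name=abc.com at end of line, and the (?:$|[^\w.]) version gets every sample right.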