[exim] CLSID attachment blocking

Author: Stephen Gran
Date:  
To: exim-users
Subject: [exim] CLSID attachment blocking
Hello all,

I have a rather simple-minded request for assistance, perhaps, but it's
been bothering me.

The general advice found on Google and places is to use:
regex = ^(?i)Content-Disposition::(.*?)filename=\\s*"+((\{[a-hA-H0-9-]{25,}\})|((.*?)\\s{10,}(.*?)))"+\$

(long line, sorry)

This is supposed to block files with CLSID extensions in their name.
Unfortunately, the test from testvirus.org makes it through this without
a problem, so it clearly doesn't work that well. Comparing them, I see
this:

Content-Type:  text/plain;
        name="clsidfile.txt.{00020C01-0000-0000-C000-000000000046}";
Content-Disposition: attachment;
        filename="clsidfile.txt.{00020C01-0000-0000-C000-000000000046}"


And, while I'm still not great at regexes, what I see we're looking for
in the above usual advice is:

Beginning of line, case-insensitive match for 'Content-Disposition::' -
Content-Disposition: matches, but immediately, the second colon does
not.

Then, any amount of any character, followed by 'filename=', followed by
any amount of whitespace. This is a match.

One or more " (double-quote) followed by either:
  a 25 (or more?) character string enclosed in {}, or
  any amount of anything, followed by 10 (or more?) spaces, followed by 
    any amount of anything.


End with one or more ".

Is that correct?  If I am interpreting it correctly, it will only match
filenames that are either:
'{25+ alphanumerics}', or 'anything           anything'


and then only if the Content-Disposition incorrectly contains a double
colon.

Maybe, something like:
^(?i)Content-Disposition:+(.*?)filename=\\s*"+((.*\{[a-hA-H0-9-]{25,}\})|((.*?)\\s{10,}(.*?)))"+\$

(Changes the double colon to one or more colons, and allows for anything
in front of the CLSID marker). Since I am not great at regular
expressions, I thought I'd post here first, in case I'm doing something
really stupid. I'd rather be stupid publicly than be stupid when
admin'ing :)

Thanks for any comments,
--
--------------------------------------------------------------------------
|  Stephen Gran                  | BOFH excuse #298:  Not enough           |
|  steve@???             | interrupts                              |
|  http://www.lobefin.net/~steve |                                         |

--------------------------------------------------------------------------
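
Added example, not part of the original post: a Python harness that runs the quoted pattern and the proposed one against the testvirus.org header shown in the message. Assumptions: Exim's string escaping is undone by hand, `(?i)` becomes `re.IGNORECASE`, Python's `re` stands in for Exim's PCRE, the `::` is tried both literally and as a single colon, and every sample other than the post's header is constructed.

```python
import re

# Patterns from the post with Exim string escaping undone (\\s -> \s, \$ -> $).
# The inline (?i) is replaced by re.IGNORECASE because Python only accepts
# global flags at the very start of a pattern.
PAD = r'((.*?)\s{10,}(.*?))'
PATTERNS = {
    "original_double_colon":
        r'^Content-Disposition::(.*?)filename=\s*"+((\{[a-hA-H0-9-]{25,}\})|' + PAD + r')"+$',
    "original_single_colon":
        r'^Content-Disposition:(.*?)filename=\s*"+((\{[a-hA-H0-9-]{25,}\})|' + PAD + r')"+$',
    "proposed":
        r'^Content-Disposition:+(.*?)filename=\s*"+((.*\{[a-hA-H0-9-]{25,}\})|' + PAD + r')"+$',
}

CLSID_NAME = "clsidfile.txt.{00020C01-0000-0000-C000-000000000046}"  # from the post
SAMPLES = {
    # The header as shown in the post, folded over two lines.
    "post_folded": 'Content-Disposition: attachment;\n        filename="%s"' % CLSID_NAME,
    # The same header unfolded onto one line.
    "post_unfolded": 'Content-Disposition: attachment; filename="%s"' % CLSID_NAME,
    # Constructed samples below (not from the post).
    "bare_clsid": 'Content-Disposition: attachment; filename="{00020C01-0000-0000-C000-000000000046}"',
    "padded": 'Content-Disposition: attachment; filename="report.txt' + " " * 12 + '.exe"',
    "benign": 'Content-Disposition: attachment; filename="notes.txt"',
}

def evaluate():
    """Return {pattern_name: {sample_name: bool}} for every pattern/sample pair."""
    results = {}
    for pname, pattern in PATTERNS.items():
        rx = re.compile(pattern, re.IGNORECASE)
        results[pname] = {sname: bool(rx.search(text)) for sname, text in SAMPLES.items()}
    return results

if __name__ == "__main__":
    for pname, row in evaluate().items():
        print(pname)
        for sname, hit in row.items():
            print("  %-14s %s" % (sname, "MATCH" if hit else "no match"))
```

Under these assumptions the folded form of the header is missed by all three patterns, because `.` does not cross the line break between `attachment;` and `filename=`.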