There is a minor bug in the double-barreled extension checks that showed up between 1.23 and 1.24. I had added an exclusion check and it actually broke the check completely.

It means that people sending attachments like "filename.doc.doc" are getting blocked, when they should have been let through. Even though it is a double-barreled extension - it's one that cannot change the way the end-user interacts with it (i.e. the user will think it's a Word document instead of a... Word document) - so it should be ignored.


If you want to fix it, change

if (!$quarantine_event && ($file =~ /(^.*)\.($VALID_WINDOWS_EXTENSIONS)\s*\.($SNEAKY_WINDOWS_EXTENSIONS)$/i) && $file !~ /((\.[a-z0-9]{3})\1|\.pp.\.pp.)$/i) {

to

if (!$quarantine_event && ($file =~ /(^.*)\.($VALID_WINDOWS_EXTENSIONS)\s*\.($SNEAKY_WINDOWS_EXTENSIONS)$/i) && $file !~ /(\.[a-z0-9]{3})\1|\.pp.\.pp.$/i) {

i.e. there's an extra set of brackets in there that aren't actually needed.

A simple patch against Q-S 1.24 is included to make life easier. Run as "patch < qs-1.24-double-barreled.patch", and then rebuild Qmail-Scanner as normal via "./configure..."

[Obviously this will be fixed in the next release. However, I have plans for a Jan release, and this isn't worth the title of 1.25 :-)]

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
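
An added illustration, not part of the original message or of Qmail-Scanner: the 1.24 condition and the patched condition run side by side over constructed filenames, showing how the exclusion regex behaves before and after the extra brackets are removed. The two extension lists are assumed placeholders (the real $VALID_WINDOWS_EXTENSIONS and $SNEAKY_WINDOWS_EXTENSIONS are not shown in this message), and quarantined() is a hypothetical helper.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed placeholder lists: the real values live in qmail-scanner-queue
# and are not shown in the message above.
my $VALID_WINDOWS_EXTENSIONS  = 'doc|txt|jpg|exe|ppt';
my $SNEAKY_WINDOWS_EXTENSIONS = 'doc|exe|scr|pif|pps';

# The two exclusion patterns, copied from the message.
# In the 1.24 form, \1 names the outer group, which is still open at the
# point where the backreference is tried, so that alternative cannot match.
# In the patched form, \1 names the three-character extension group.
my @exclusions = (
    [ '1.24'    => qr/((\.[a-z0-9]{3})\1|\.pp.\.pp.)$/i ],
    [ 'patched' => qr/(\.[a-z0-9]{3})\1|\.pp.\.pp.$/i   ],
);

# Hypothetical helper: returns 1 when the double-barrelled check would
# quarantine $file under the given exclusion pattern, else 0.
sub quarantined {
    my ($file, $exclusion) = @_;
    my $double_barrelled =
        $file =~ /(^.*)\.($VALID_WINDOWS_EXTENSIONS)\.($SNEAKY_WINDOWS_EXTENSIONS)$/i;
    return ($double_barrelled && $file !~ $exclusion) ? 1 : 0;
}

# Constructed sample attachment names.
my @files = (
    'filename.doc.doc',   # repeated extension: hides nothing
    'slides.ppt.pps',     # PowerPoint pair covered by \.pp.\.pp.
    'invoice.doc.exe',    # document extension in front of an executable one
    'report.doc',         # single extension: never a candidate
);

printf "%-20s %-10s %-10s\n", 'file', map { $_->[0] } @exclusions;
for my $file (@files) {
    printf "%-20s %-10s %-10s\n", $file,
        map { quarantined($file, $_->[1]) ? 'BLOCK' : 'pass' } @exclusions;
}
```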

*** qmail-scanner-queue.template.orig	2004-12-09 12:12:01.250364751 +1300
--- qmail-scanner-queue.template	2004-12-09 12:12:13.433783734 +1300
*************** sub perlscan_scanner {
*** 1136,1142 ****
        #The VALID_WINDOWS_EXTENSIONS is based on double-barrel virii caught in a years worth of Qmail-Scanner
        #logs (gotta love those logs!). Notice that I expressly allow "file.exe.exe" through - as the double-extension
        #doesn't hide anything [just implies a user made a mistake]
!       if (!$quarantine_event && ($file =~ /(^.*)\.($VALID_WINDOWS_EXTENSIONS)\.($SNEAKY_WINDOWS_EXTENSIONS)$/i) && $file !~ /((\.[a-z0-9]{3})\1|\.pp.\.pp.)$/i) {
  	$quarantine_description="Disallowed double-barrelled attachment filename ($file) - potential virus";
  	&debug("w_c: $quarantine_description");
  	$illegal_mime=1;
--- 1136,1142 ----
        #The VALID_WINDOWS_EXTENSIONS is based on double-barrel virii caught in a years worth of Qmail-Scanner
        #logs (gotta love those logs!). Notice that I expressly allow "file.exe.exe" through - as the double-extension
        #doesn't hide anything [just implies a user made a mistake]
!       if (!$quarantine_event && ($file =~ /(^.*)\.($VALID_WINDOWS_EXTENSIONS)\.($SNEAKY_WINDOWS_EXTENSIONS)$/i) && $file !~ /(\.[a-z0-9]{3})\1|\.pp.\.pp.$/i) {
  	$quarantine_description="Disallowed double-barrelled attachment filename ($file) - potential virus";
  	&debug("w_c: $quarantine_description");
  	$illegal_mime=1;
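
Review bot: On the changed line of the new side, dropping the outer parentheses leaves the trailing `$` bound only to the `\.pp.\.pp.` alternative, so `(\.[a-z0-9]{3})\1` is no longer anchored to the end of `$file`. The exemption then applies whenever a three-character extension repeats anywhere in the name, not only when the repeat is the final pair, which is wider than the "file.exe.exe" case the comment above it describes. Keeping the anchor with a non-capturing group, `(?:(\.[a-z0-9]{3})\1|\.pp.\.pp.)$`, or keeping the original grouping and changing the backreference to `\2`, fixes the backreference without loosening the check. Separately, the condition quoted in the message body has `\s*` between the two extension groups and the lines in this hunk do not, so it is worth confirming which form the 1.24 template actually carries.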
