Re: BODY_URI_ONLY is broken

Fri, 25 Mar 2016 20:37:45 -0700 

On Sat, 26 Mar 2016, Reindl Harald wrote:



Am 26.03.2016 um 03:54 schrieb David B Funk:

 On Sat, 26 Mar 2016, Reindl Harald wrote:

>  BODY_URI_ONLY Message body is only a URI in one line of text

> 
>  how can that hit the (anonymized) mail below?

>  ___________________________

> 
>  Content-Type: text/html; charset=utf-8

>  Content-Transfer-Encoding: quoted-printable

> 
>  <h2>****** =C3=9Cbermittlung: **** in ***=

>  ***</h2><table><tr><td>From:</td><td>*** **<somebody@example=
>  .com></td></tr><tr><td>=C3=9Cberpr=C3=BCfen Sie bitte den Artikel
>  unter f=
>  olgender URL:</td><td><a href=3D"http://example.com/administra=
>  tor/index.php?option=3Dcom_k2&view=3Ditem&cid=3D1832">Artikel
>  =C3=BCberpr=
>  =C3=BCfen</a></td></tr><table class=3D"admintable"
>  id=3D"extraFields"><tr=
> >  <td align=3D"left" class=3D"key">****</td><td></td></tr><tr><td a=
>  lign=3D"left" class=3D"key">****</td><td>Array  </td></tr><tr><td ali=
>  gn=3D"left" class=3D"key">***</td><td></td></tr></table>

 Because that is one long line that has been broken up for shipment using
 QP encoding (those '=' at the end of each part). Before doing body
 checks SA decodes all MIME text components (EG Base64, QP, etc).

 So as far as the SA body rules are concerned that -is- only one line


* it is *not* an URI only


That's not what the description says.

"Message body is only a URI in one line of text or for an image"

It doesn't say that there's nothing there but the URI.


* with that logic *any* message with a link would hit that rule
* the message has a headline and a table



It's more likely the bug is that the HTML stripper isn't breaking that 
into two body paragraphs at the </tr> and </h2> tags, where the HTML 
rendering engine would insert line breaks.



If you run that message through a test environment with this rule defined, 
what does it report in debug for hits?


  body    __ALL_BODY    /.+/
  tflags  __ALL_BODY    multiple


If it only reports one body line for the header and multi-line HTML table, 
that is the source of the problem.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  At $8 billion per year, the TSA is the most expensive theatrical
  production in history.                 -- David Burge @iowahawkblog
-----------------------------------------------------------------------
 94 days since the first successful real return to launch site (SpaceX)






















					Reply via email to