[Esa-l] Double Extensions fails

Bjarni R. Einarsson bre at klaki.net
Tue Feb 13 07:45:58 PST 2001

On 2001-02-13, 07:12:01 (-0800), John D. Hardin wrote:
> On Mon, 12 Feb 2001, Phil Pennock wrote:
> > Uhm, the problem is when files are called things like:
> > 
> >  test.jpg<lots-of-white-space>.vbs
> > 
> > isn't it?
> That would be very bad. The current double-extension rule would not
> catch it. I didn't think of space padding.
> I have updated the master ruleset. The website will take a bit to
> update, so I've attached the new globs to this message. Please add
> them to your poisoned executables list.

The new rules are better than before, but still don't cut it.
test.jpg<lots-of-white-space>abacab.vbs is just as deceptive and
dangerous, but will still slip through if you aren't explicitly
blocking long file names or .vbs files.  The variations on this
long-deceptive-filename theme are endless.

So basically, I think explicitly worrying about double extensions is
a little silly.  If you have a sane policy for handling really long
file names and another sane policy for handling unknown and/or
dangerous extensions, then worrying about double extensions is
totally unnecessary.

That's why I don't bother in my sanitizer (although user are free to
implement their own policies which detect double file names via.
regexps in their config files).

Bjarni R. Einarsson                           PGP: 02764305, B7A3AB89
 bre at klaki.net                -><-              http://bre.klaki.net/

Check out my open-source email sanitizer: http://mailtools.anomy.net/

More information about the esd-l mailing list