[Esd-l] Double attachment gets through

John D. Hardin jhardin at impsec.org
Sat Nov 17 12:13:00 PST 2001

On Tue, 30 Oct 2001, Dion Black wrote:

> Here is the raw text from the server (BSD Box running Sendmail).

  Content-type: text/plain; charset=US-ASCII
  Content-transfer-encoding: 7BIT
  Content-description: Text from file 'testfile.jpg.vbs'

Again, it isn't a file attachment and Outlook has no business
attaching the filename "testfile.jpg.vbs" to it simply because that
appears in a comment field.

Unfortunately, this doesn't help much in the real world...

Okay, I've added some code to deal with this in a manner with as
little impact as possible. The development snapshot 1.31pre3 contains
this hack. I don't have a huge problem with altering comments, so
that's how I'm addressing the issue.

If you want to DISABLE this hack and leave Content-Description headers
alone, define the variable $SECURITY_DISABLE_OUTLOOK_HACKS to be
nonempty before calling the sanitizer.

Feedback welcome.

 John Hardin KA7OHZ   ICQ#15735746   http://www.wolfenet.com/~jhardin/
 jhardin at impsec.org        pgpk -a finger://gonzo.wolfenet.com/jhardin
  768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76 
 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
  In 1998 more than three times as many people in the US were killed
  by incompetent physicians than were killed by handguns, yet the
  President of the A.M.A. is adopting "gun safety" as his platform.
   1081 days until the Presidential Election

More information about the esd-l mailing list