[Esd-l] mangled mime type becomes text/plain (sanitizer
Morten.Hemmingsson at iea.lth.se
Thu Jan 16 14:12:01 PST 2003
John D. Hardin writes:
> On Tue, 14 Jan 2003, Morten Hemmingsson wrote:
> > --CXKrh5wV+/
> > Content-Description: skoj
> > Content-Disposition: attachment; filename="funzip.9068DEFANGED-exe"
> > X-Content-Security: [faraday] original Content-Type was application/octet-stream
> > Content-Type: text/plain;
> > Content-Transfer-Encoding: base64
> Fascinating. I have no idea where that text/plain came from, unless
> maybe there was a 1.136 sanitizer upstream of you...
Not likely, I was trying it out with:
> procmail ./sanitizersettings < testmessage
before installing it site-wide
Comparing MIME headers:
This one got Content-Type: text/plain
And this one got Content-Type: APPLICATION/DEFANGED;
name="funzip.exe" <------ Not in the previous header
Moving the filename line in the first header
I get Content-Type: APPLICATION/DEFANGED;
So it seems to either be a case of malformed MIME headers or a problem
with the parsing of the headers. At first I thought that the
text/plain header was from the previous MIME header but deleting that
section didn't make any difference. My knowledge of perl is
nonexistent so I can't help with that part but I'll be glad to try
diffs and send whatever output you wish.
PS the sanitizer trapped a Klez worm yesterday, many thanks.
More information about the esd-l