[Esd-l] Re: procmail sanitizer and 8-bit attachments.
John D. Hardin
jhardin at impsec.org
Mon Jun 23 19:06:49 PDT 2003
On Mon, 23 Jun 2003, Joe Steele wrote:
> Both of these requirements have been violated. Nonetheless, I
> presume this entire issue has arisen because certain lame-brained
> MUAs are parsing the filename as an 'encoded-word'?
Generally this occurs where the filenames are eight bit (e.g. contain
European accented characters) and they are being encoded to be 7-bit
safe.
Interesting if the RFC really should be interpreted that way.
> > Add a local-rule:
> >
> > :0 B hfi
> > * ^Content-(Type|Disposition):.*name="=\?iso-8859-[0-9]+\?B\?
>
> Since respectable MUAs should never use the 'encoded-word' syntax
> within a filename, I'd suggest casting a wider net (because character
> sets don't have to begin with "iso-8859-" and because the method of
> encoding doesn't have to be 'B'). Possibly something like:
>
> * ^Content-(Type|Disposition):.*name=.*=\?.*\?
Too broad. Be *very* careful with .* patterns.
* ^Content-(Type|Disposition):.*name="=\?iso-8859-[0-9]+\?[BQ]\?
...is a little better,
* ^Content-(Type|Disposition):.*name="=\?[^?"]+\?[BQ]\?
...is as general as I'd dare get.
> Alas, because of the restrictions contained in RFC 2047,
> another RFC was written (RFC 2231) which establishes a different
> method for encoding parameter values (such as filenames) for use
> within MIME headers. To trap it, you'd probably need something like:
>
> * ^Content-(Type|Disposition):.*name(\*[0-9]+)*\*=.*%
Yeah, the break-a-filename-into-multiple-encoded-parts stuff. Oh, my
aching head.
> Of course, this again runs the risk of trapping false positives.
Which is why the Sanitizer needs to deal with it.
Soon. {sigh}
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin at impsec.org pgpk -a jhardin at impsec.org
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The fetters imposed on liberty at home have ever been forged out
of the weapons provided for defense against real, pretended, or
imaginary dangers from abroad.
-- James Madison, 1799
-----------------------------------------------------------------------
498 days until the Presidential Election
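
The recipe conditions from this thread, run against a few constructed header lines to show what each one traps and where the wider ones over-match. This is an added example, not part of the original message or of the Sanitizer. It assumes Python's `re` with case-insensitive matching as a stand-in for procmail's matcher; the labels and sample headers are made up for illustration.

```python
import re

# Conditions quoted in the thread; the dictionary keys are labels invented here.
CONDITIONS = {
    "original": r'^Content-(Type|Disposition):.*name="=\?iso-8859-[0-9]+\?B\?',
    "wide":     r'^Content-(Type|Disposition):.*name=.*=\?.*\?',
    "b_or_q":   r'^Content-(Type|Disposition):.*name="=\?iso-8859-[0-9]+\?[BQ]\?',
    "general":  r'^Content-(Type|Disposition):.*name="=\?[^?"]+\?[BQ]\?',
    "rfc2231":  r'^Content-(Type|Disposition):.*name(\*[0-9]+)*\*=.*%',
}
# Assumption: IGNORECASE mirrors procmail's default case-insensitive matching.
COMPILED = {label: re.compile(rx, re.IGNORECASE | re.MULTILINE)
            for label, rx in CONDITIONS.items()}

# Constructed MIME part header lines (not taken from real mail).
SAMPLES = {
    # RFC 2047 encoded-word, B encoding, iso-8859-1
    "b_latin1": 'Content-Type: application/msword; '
                'name="=?iso-8859-1?B?culzdW3pLmRvYw==?="',
    # RFC 2047 encoded-word, Q encoding, iso-8859-15
    "q_latin9": 'Content-Disposition: attachment; '
                'filename="=?iso-8859-15?Q?r=E9sum=E9.doc?="',
    # Q encoding with a charset that does not start with "iso-8859-"
    "q_cp1252": 'Content-Type: application/msword; '
                'name="=?windows-1252?Q?r=E9sum=E9.doc?="',
    # Plain ASCII filename that merely contains "=?" and a later "?"
    "benign_qmark": 'Content-Disposition: attachment; '
                    'filename="what is 2+2=? or 5?.txt"',
    # RFC 2231 extended parameter, single part and split into two parts
    "rfc2231_single": "Content-Disposition: attachment; "
                      "filename*=iso-8859-1''r%E9sum%E9.doc",
    "rfc2231_split": "Content-Disposition: attachment; "
                     "filename*0*=iso-8859-1''r%E9su; filename*1*=m%E9.doc",
    # Ordinary unencoded filename
    "plain": 'Content-Type: image/jpeg; name="photo.jpg"',
}

def matching(header):
    """Return the set of condition labels that fire on one header line."""
    return {label for label, rx in COMPILED.items() if rx.search(header)}

def report():
    """Map each sample name to the sorted list of conditions that trap it."""
    return {name: sorted(matching(h)) for name, h in SAMPLES.items()}

if __name__ == "__main__":
    for name, hits in report().items():
        print(f"{name:15} {', '.join(hits) or '-'}")
```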