[Esd-l] 2 questions about double extension check

John D. Hardin jhardin at impsec.org
Mon Aug 16 20:49:55 PDT 2004


On Mon, 16 Aug 2004, Michael Meltzer wrote:

> Is it possible (and if so how) to restrict the double extension
> check of the sanitizer to a certain minimum size of the message
> including the attachment ?

Hrm. Well, the double-extension check isn't hardcoded, it's in the
poisoned extensions list, so you could try this:

1) Make two poison lists, one with all the extensions including the
double-extension entries, the other omitting just the
double-extension entries. Then,

2) In your /etc/procmailrc where you set your poison filename, try
something like this:

  POISONED_EXECUTABLES=/etc/procmail/list-without-doubles

  :0
  * > 200000
  {
     POISONED_EXECUTABLES=/etc/procmail/list-with-doubles
  }

(substitute whatever size you want in place of the "200000")


> Is it possible to check double extensions only against the
> extensions in the MANGLE_EXTENSION variable or against another
> variable or file ?

At the moment only $MANGLE_EXTENSION extensions are checked against
the poisoned filenames list.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org    FALaholic #11174    pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  The [assault weapons] ban is the moral equivalent of banning red
  cars because they look too fast.
                                   -- Steve Chapman, Chicago Tribune
-----------------------------------------------------------------------
   28 days until the "Scary-Looking Guns" ban expires

