[Esd-l] Double attachment gets through
John D. Hardin
jhardin at impsec.org
Sat Nov 17 12:13:00 PST 2001
On Tue, 30 Oct 2001, Dion Black wrote:
> Here is the raw text from the server (BSD Box running Sendmail).
--Message-Boundary-9271
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Content-description: Text from file 'testfile.jpg.vbs'
Again, it isn't a file attachment and Outlook has no business
attaching the filename "testfile.jpg.vbs" to it simply because that
appears in a comment field.
Unfortunately, this doesn't help much in the real world...
Okay, I've added some code to deal with this in a manner with as
little impact as possible. The development snapshot 1.31pre3 contains
this hack. I don't have a huge problem with altering comments, so
that's how I'm addressing the issue.
If you want to DISABLE this hack and leave Content-Description headers
alone, define the variable $SECURITY_DISABLE_OUTLOOK_HACKS to be
nonempty before calling the sanitizer.
Feedback welcome.
--
John Hardin KA7OHZ ICQ#15735746 http://www.wolfenet.com/~jhardin/
jhardin at impsec.org pgpk -a finger://gonzo.wolfenet.com/jhardin
768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76
1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
In 1998 more than three times as many people in the US were killed
by incompetent physicians than were killed by handguns, yet the
President of the A.M.A. is adopting "gun safety" as his platform.
-----------------------------------------------------------------------
1081 days until the Presidential Election
More information about the esd-l
mailing list