[Esd-l] Sanitizer 1.136 and older versions of Perl

Michael Ghens michael at spconnect.com
Thu Oct 24 15:47:01 PDT 2002 

What os are you running? Linux does not have problems with this. Solaris 
chokes on the macro scanner. 

2 things todo:

use the non-macro scanning sanitizer

or

separate it out.

This might even be in the archive (I know, I need to setup a search engine 
for the archive).


On Thu, 24 Oct 2002, Joe Steele wrote:

> Date: Thu, 24 Oct 2002 17:01:46 -0400
> From: Joe Steele <joe at madewell.com>
> To: Email Security Discussion list <Esd-l at spconnect.com>,
>      'John D.  Hardin' <jhardin at impsec.org>
> Subject: [Esd-l] Sanitizer 1.136 and older versions of Perl
> 
> After noticing changes in the way messages were being sanitized with 
> 1.136, I turned on debugging/logging and discovered the following in 
> the log:
> 
>    Too many arguments for substr at -e line 318, near ""...") "
>    Execution of -e aborted due to compilation errors.
>    procmail: Error while writing to " perl -p -e ' #\
> 
> This error meant that MIME attachments were not being properly 
> sanitized.  Fortunately, the new "SECURITY_POISON_WINEXE" code was 
> kicking in and catching executables that would otherwise have gotten 
> through (Thanks to John Hardin for another useful option).
> 
> The offending substr function call is contained in the following code 
> which was newly revised in Sanitizer 1.136:
> 
>   while (($filen) = $hdrtxt =~ /^Content-[-\w]+\s*:.*name\s*=\s*"([^"]{128,})"/i) { #\
>     warn " Shortening long filename.\n";    #\
>     $filen =~ s/\s+/ /g;    #\
>     substr ($filen,64,32,"...") while (length($filen) > 120);       #\
>     $hdrtxt =~ s/name\s*=\s*"[^"]{120,}"/name="$filen"/i;   #\
>     $mangle_mime_type = 1;  #\
>   } #\
> 
> With great shame, I admit that the version of Perl in use was only 
> 5.004_04.  As best I can tell (I don't know Perl), Perl's substr 
> function has been enhanced by allowing a fourth argument which 
> earlier versions of Perl don't recognize.  I have no idea which 
> version of Perl first introduced this enhancement.  I do know that 
> Perl v5.6.0 allows the enhanced syntax.
> 
> This all brings up the point that the Sanitizer's website says 
> nothing more than "You must have Perl installed."  There's no mention 
> of a minimum compatible version.
> 
> For any of you using older versions of Perl, you may want to 
> investigate whether the substr issue affects you.  Alternatively, you 
> might try the patch which follows, keeping in mind that "I don't know 
> Perl" (corrections from Perl experts welcomed).
> 
> Naturally, the best solution is to upgrade Perl.
> 
> --Joe
> 
> 
> 
> diff -uNr orig/html-trap.procmail revised/html-trap.procmail
> --- orig/html-trap.procmail	Sun Oct 20 13:38:17 2002
> +++ revised/html-trap.procmail	Thu Oct 24 13:43:28 2002
> @@ -963,7 +963,7 @@
>  	      while (($filen) = $hdrtxt =~ /^Content-[-\w]+\s*:.*name\s*=\s*"([^"]{128,})"/i) {	#\
>  		warn " Shortening long filename.\n";	#\
>  		$filen =~ s/\s+/ /g;	#\
> -		substr ($filen,64,32,"...") while (length($filen) > 120);	#\
> +		substr ($filen,64,32) = "..." while (length($filen) > 120);	#\
>  		$hdrtxt =~ s/name\s*=\s*"[^"]{120,}"/name="$filen"/i;	#\
>  		$mangle_mime_type = 1;	#\
>  	      }	#\
> _______________________________________________
> Esd-l mailing list
> Esd-l at spconnect.com
> http://www.spconnect.com/mailman/listinfo/esd-l

More information about the esd-l mailing list