[Esd-l] mangled mime type becomes text/plain (sanitizer 1.137)

Morten Hemmingsson Morten.Hemmingsson at iea.lth.se
Thu Jan 16 14:12:01 PST 2003


John D. Hardin writes:
 > On Tue, 14 Jan 2003, Morten Hemmingsson wrote:
 > 
 > > --CXKrh5wV+/
 > > Content-Description: skoj
 > > Content-Disposition: attachment; filename="funzip.9068DEFANGED-exe"
 > > X-Content-Security: [faraday] original Content-Type was application/octet-stream
 > > Content-Type: text/plain;
 > > Content-Transfer-Encoding: base64
 > 
 > Fascinating. I have no idea where that text/plain came from, unless
 > maybe there was a 1.136 sanitizer upstream of you...
 > 
 

Not likely, I was trying it out with:
> procmail ./sanitizersettings < testmessage
before installing it site-wide

Comparing MIME headers:

This one got Content-Type: text/plain

--CXKrh5wV+/
Content-Type: application/octet-stream
Content-Description: skoj
Content-Disposition: attachment;
	filename="funzip.exe"
Content-Transfer-Encoding: base64


And this one got Content-Type: APPLICATION/DEFANGED;

--------------04E93F037FB56466CDD27A22
Content-Type: application/octet-stream;
 name="funzip.exe"               <------ Not in the previous header
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="funzip.exe"


Moving the filename line in the first header

--CXKrh5wV+/
Content-Type: application/octet-stream
	filename="funzip.exe"   
Content-Description: skoj
Content-Disposition: attachment;
Content-Transfer-Encoding: base64

I get Content-Type: APPLICATION/DEFANGED;

So it seems to either be a case of malformed MIME headers or a problem
with the parsing of the headers. At first I thought that the
text/plain header was from the previous MIME header but deleting that
section didn't make any difference. My knowledge of Perl is
nonexistent, so I can't help with that part, but I'll be glad to try
diffs and send whatever output you wish.

/Morten

PS the sanitizer trapped a Klez worm yesterday, many thanks.
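
The three header layouts compared in the message above, run through a small stand-alone parser. This is an added example, not part of the original post and not the sanitizer's own code. It lists every name/filename parameter found in either header, so an extension check does not depend on which header carries the name; the function names and the extension list are assumptions.

```python
import re

# Constructed copies of the three part headers compared in the message.
HEADERS = {
    "disposition_only": ('Content-Type: application/octet-stream\n'
                         'Content-Description: skoj\n'
                         'Content-Disposition: attachment;\n'
                         '\tfilename="funzip.exe"\n'
                         'Content-Transfer-Encoding: base64\n'),
    "name_and_filename": ('Content-Type: application/octet-stream;\n'
                          ' name="funzip.exe"\n'
                          'Content-Transfer-Encoding: base64\n'
                          'Content-Disposition: attachment;\n'
                          ' filename="funzip.exe"\n'),
    "filename_moved": ('Content-Type: application/octet-stream\n'
                       '\tfilename="funzip.exe"   \n'
                       'Content-Description: skoj\n'
                       'Content-Disposition: attachment;\n'
                       'Content-Transfer-Encoding: base64\n'),
}
RISKY = re.compile(r'\.(exe|com|pif|scr|bat|vbs)$', re.I)  # assumed sample list
PARAM = re.compile(r'\b(name|filename)\s*=\s*"?([^";]+)"?', re.I)

def unfold(block):
    """Join continuation lines (leading space or tab) onto their header field."""
    fields = {}
    for line in re.sub(r'\n[ \t]+', ' ', block).splitlines():
        name, _, value = line.partition(':')
        fields[name.strip().lower()] = value.strip()
    return fields

def media_type(block):
    """Type/subtype token: Content-Type text up to the first ';' or whitespace."""
    return re.split(r'[;\s]', unfold(block).get('content-type', ''), maxsplit=1)[0].lower()

def attachment_names(block):
    """Map (header, parameter) -> value, with or without a ';' before the parameter."""
    fields, found = unfold(block), {}
    for header in ('content-type', 'content-disposition'):
        for param, value in PARAM.findall(fields.get(header, '')):
            found[(header, param.lower())] = value.strip()
    return found

def is_risky(block):
    return any(RISKY.search(v) for v in attachment_names(block).values())

if __name__ == "__main__":
    for label, block in HEADERS.items():
        print(label, media_type(block), attachment_names(block), is_risky(block))
```

All three layouts declare the same media type; they differ only in which header the name parameter lands in, which is the variable the comparison in the message isolates.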


