[Esd-l] ZIP scanning, take two (repost)

[John D. Hardin]

Okay, the list seems to be working again...

All:

Okay, I have decided to make the sanitizer use either CPAN or external
programs, your choice.

$USE_CPAN specifies using the CPAN modules, and $PVT_CPAN gives a
dir to search if you can't put them in the system dirs; external
programs are used if $USE_CPAN is not defined.

That should make it a drop-in replacement for existing sanitizer
installations, except you'll need to define your $ZIPPED_EXECUTABLES
list... Note that ".zip" entries in your STRIP and POISON lists will
now have an effect!!

I've also moved a few more notices out to environment variables, both
to help localization and to try to keep the script size under control.
(hah!)

Again, feedback solicited.


Example zip file policy (say you get libraries from Borland for
testing):

  # default to not trusting ZIPs at all
  ZIPPED_EXECUTABLES=$POISONED_EXECUTABLES

  :0
  * ^From: .*@borland.com
  {
    # accept zipped .DLL files from Borland
    ZIPPED_EXECUTABLES="poisoned_list_except_for_*.dll_filespec"
  }


Question: should I make the "ZIPPED_EXECUTABLES=$POISONED_EXECUTABLES"
the default behavior? In other words, should I force you to think
about your zipped files policy by making it reject everything if you
don't give a policy, or should ZIPs be trusted by default unless you
want to be more careful.

As always, I'm leaning towards default-paranoid.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
				-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
   41 days until the Slovakian Presidential Election