Double extensions
Paul Haldane
Paul.Haldane at NEWCASTLE.AC.UK
Thu Dec 20 14:19:46 GMT 2001
A request for clarification/checking of my understanding...
In the example filename.rules.conf we have
# Allow repeated file extension, e.g. blah.zip.zip
allow (\.[a-z0-9]{3})\1$ - -
and then further down we have
deny \.shs$ Possible Shell Scrap Object attack
Doesn't this mean that an attachment called paul.shs.shs would be passed
through?
That's certainly what I'm observing here.
I know this is just an example file but I'm assuming it reflects to some
extent what Julian uses (or a cleaned up version of what he's used in
the past).
Would it make more sense to move the deny rules for the extensions that
we don't want to handle to the top of the file? I guess the important
thing being that the
(\.[a-z0-9]{3})\1$
rule must be before the
\.[a-z][a-z0-9]{2,3}\.[a-z0-9]{3}$
rule.
Paul
--
Paul Haldane
Unix Systems, Computing Service, University of Newcastle upon Tyne
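
Added example, not part of the original message and not MailScanner's own code: a small first-match evaluator that runs the quoted rules in the file's order and in the order the post proposes. First-match-wins evaluation, case-insensitive matching, the default allow, and the action and report text of the `\.[a-z][a-z0-9]{2,3}\.[a-z0-9]{3}$` rule are assumptions; the sample filenames are constructed.

```python
import re

# Rule order as in the example file quoted in the post (action, pattern, report).
ORIGINAL = [
    ("allow", r"(\.[a-z0-9]{3})\1$", "-"),
    ("deny", r"\.shs$", "Possible Shell Scrap Object attack"),
    # Action and report text for this rule are assumed; the post quotes only the pattern.
    ("deny", r"\.[a-z][a-z0-9]{2,3}\.[a-z0-9]{3}$", "double extension (assumed text)"),
]

# Reordering suggested in the post: denies for unwanted extensions first,
# repeated-extension allow still ahead of the double-extension rule.
REORDERED = [ORIGINAL[1], ORIGINAL[0], ORIGINAL[2]]


def evaluate(rules, filename):
    """Return (action, report) of the first rule whose pattern matches.

    Assumption: first match wins, matching is case-insensitive, and a
    filename that matches no rule is allowed.
    """
    for action, pattern, report in rules:
        if re.search(pattern, filename, re.IGNORECASE):
            return action, report
    return "allow", "-"


def compare(filenames):
    """Map each filename to its action under (ORIGINAL, REORDERED)."""
    return {
        name: (evaluate(ORIGINAL, name)[0], evaluate(REORDERED, name)[0])
        for name in filenames
    }


if __name__ == "__main__":
    # Constructed sample attachment names.
    samples = ["paul.shs.shs", "paul.shs", "blah.zip.zip", "report.doc.exe", "notes.txt"]
    for name, (before, after) in compare(samples).items():
        print(f"{name:16} original={before:5} reordered={after}")
```

Under these assumptions only `paul.shs.shs` changes verdict between the two orderings, and placing the repeated-extension allow after the double-extension rule would block `blah.zip.zip`.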