nested .zip containing bad files not being caught

Rick Cooper rcooper at DWFORD.COM
Mon Jul 26 22:03:20 IST 2004


> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> Behalf Of Bob Jones
> Sent: Monday, July 26, 2004 12:48 PM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: nested .zip containing bad files not being caught
>
>
> Hey all.  I have an issue here.  It appears that a nested zip archive is
> getting through mailscanner.  I have mailscanner configured to look into
> archives and to block bad files.  Here's the scenario... we're receiving
> a file called instruction.zip which is getting through our scanning.  If
> you unzip this file, you get another .zip which if you send it through
> *does* get caught by mailscanner, and if you unzip that you get
> instruction.pif which *does* get caught as well.  I've upgraded to
> Archive-Zip module version 1.12 as I know the previous version had a
> hole.  So, any idea what's going on here?  I'm running MailScanner-4.31.6
> and have attached my MailScanner.conf file.  Also, I've put 2 examples
> of the files up on our ftp server.  You can grab them at:
>


The problem has to do with how MailScanner unpacks archives. If it
encounters two of the same file names it ignores the second one as already
seen and doesn't process it at all. That means if you pack the bad file
within a filename that matches the parent file name, the bad file will never
get unpacked or checked against rules. This is a known issue (at least a
month now) and I think Julian is working on a real solution. I have a patch
for a quick fix, but it isn't a best solution, just a workaround. It will
find dupes and rename them with a timestamp prepended to the actual file
name. This would allow everything to work properly except a case where a
file name rule was based on the first xxxx characters of the file name and
not the extension. I will root around and see if I can post the patch later
today.

Rick
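
The name-collision behaviour described in this message, modelled as an added Python example (not part of the original post and not MailScanner's code). The deny list, the depth limit, the function names and the in-memory sample archive are all assumptions constructed for the demonstration.

```python
import io
import zipfile

BLOCKED_EXT = (".pif", ".scr", ".exe")   # assumed deny rule for the demo
MAX_DEPTH = 5                            # assumed nesting limit

def build_sample():
    """Constructed sample: instruction.zip > instruction.zip > instruction.pif."""
    def zip_of(name, data):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name, data)
        return buf.getvalue()
    inner = zip_of("instruction.pif", b"harmless placeholder bytes")
    return zip_of("instruction.zip", inner)

def scan(name, data, dedupe_by_name, seen=None, path="", depth=0):
    """Return the nested paths of members whose names match BLOCKED_EXT.

    dedupe_by_name=True models the behaviour described in the message: a
    file name that was already seen is skipped without being examined.
    dedupe_by_name=False walks every member and identifies it by its full
    nested path, so a child named like its parent is still unpacked.
    """
    seen = set() if seen is None else seen
    full = f"{path}/{name}" if path else name
    if dedupe_by_name:
        if name in seen:
            return []                    # same name as an earlier file: never checked
        seen.add(name)
    hits = [full] if name.lower().endswith(BLOCKED_EXT) else []
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_DEPTH:
            # Report rather than silently pass anything nested too deep to inspect.
            return hits + [full + " (nesting limit reached)"]
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                hits += scan(info.filename, zf.read(info), dedupe_by_name,
                             seen, full, depth + 1)
    return hits

if __name__ == "__main__":
    sample = build_sample()
    print("dedupe by name:", scan("instruction.zip", sample, True))
    print("track by path: ", scan("instruction.zip", sample, False))
```

With name-based de-duplication the inner archive is skipped and nothing is reported; keyed on the nested path, the `.pif` is found two levels down.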

