Problem with unpacking code

Rick Cooper rcooper at DWFORD.COM
Thu Jun 17 20:07:46 IST 2004


Julian,

I have just updated to MS 4.31.6. I haven't done so before now because I
knew I was going to have to rebuild a couple of patches because of changes.
When I do this I run several tests to check for password protected .rar and
.zip, and unwanted file types within .rar files and .zip files. I use the
same small exe file in both the rar and zip files and have noted previously
that if I use both one will come through but if I send one at a time each
will be caught. This has been the case for as long as I can remember; I may
have mentioned it last winter. The test files are:

Stinger.rar contains McAffeeStinger.exe
Stinger.zip contains McAffeeStinger.exe

I thought it might have to do with my UnpackRar code so I never said
anything until I could check further. Today I checked further and found that
if I sent

Stinger.zip contains McAffeeStinger.exe
StingerII.zip contains McAffeeStinger.exe

Stinger.zip would pass through the file type checks, every time. I finally
determined it was because the extracted file name/size in each archive was
the same. I changed the following code in the Message.pm UnpackZip function:

Old:
        $name = $member->fileName();
        $safename = $this->MakeNameSafe($name);
        $this->{file2parent}{$name} = $zipname;
New:
        $name = $member->fileName();
        $safename = $this->MakeNameSafe($name);
        if (-e "$explodeinto/$safename") {
                my $tstamp = time;
                $name = "$tstamp$name";
                $safename = $this->MakeNameSafe("$name");
                #print STDERR "***** SafeName is now : $safename\n";
        }
        $this->{file2parent}{$name} = $zipname;

and that stopped the duplicate from coming through. However, the reports, of
course, show the modified filename and, more importantly, since the file name
has been changed it will fail regular expressions that are anchored with
"^". It seems to me the better solution would be to generate a new
subdirectory for each archive/message part and scan the base directory
recursively; of course the directory would now have to be part of
$seenbefore/$seenbeforesize. I don't know if that course of action would
affect something else down the line, and it would certainly take a rewrite
of the unpacking code. Any chance you could look into this? I doubt I will
be the only person to notice this and it could circumvent the file type
checks quite easily.

--
Rick Cooper
