Don't understand this match

Julian Field MailScanner at ecs.soton.ac.uk
Wed Mar 1 21:26:28 GMT 2006



Richard Thomas wrote:
> Julian Field wrote:
>>
>> This regexp is just fine, it has been there for several years without 
>> any changes whatsoever. I wrote it carefully and got it right first time.
>>   
>
> OK, based on that, I dug a little deeper...
>
> It *is* a dodgy filename
>
>     Content-Type: application/vnd.ms-excel;
>             name="Shortcut (2) to Copy of PayrollTFC (version 2)
>     3.lnk.xls"
>     Content-Transfer-Encoding: base64
>     Content-Disposition: attachment;
>             filename="Shortcut (2) to Copy of PayrollTFC (version 2)
>     3.lnk.xls"
>
>
> But MailScanner is reporting the filename as being the valid one
>
>     Warning: This message has had one or more attachments removed
>     Warning: (Shortcut 29 t.xls).
>     Warning: Please read the "PsySolutions-Attachment-Warning.txt" attachment(s)
>     for more information.
>
>     ------------------------------------------------------------------------
>
>     This is a message from the MailScanner E-Mail Virus Protection Service
>     ----------------------------------------------------------------------
>     The original e-mail attachment "Shortcut 29 t.xls"
>     is on the list of unacceptable attachments for this site and has been
>     replaced by this warning message.
>
>     If you wish to receive a copy of the original attachment, please
>     e-mail helpdesk and include the whole of this message
>     in your request. Alternatively, you can call them, with
>     the contents of this message to hand when you call.
>
>     At Wed Mar  1 12:44:39 2006 the virus scanner said:
>        MailScanner: Attempt to hide real filename extension (Shortcut 29 t.xls)
>
>
> Again, we may just be behind the times.
It sanitises the filenames before logging them or outputting them in any way.
One way it does this is by shortening them, except for the last filename 
extension.
So you won't always see the full original filename. This is to stop 
exploits based on the reporting of filenames (imagine if you made up a 
filename that contained MIME boundaries, newline characters and a 
complete MIME attachment). It never ever outputs raw data based on the 
input data without sanitising it in some form.

This is a fundamental anti-attack method I use.

-- 
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
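As an added illustration of the sanitise-before-report rule Julian describes above (example code written for this page, not MailScanner's own routine; the 20-character limit and the allowed character set are assumptions), a filename sanitiser that strips control characters and shortens the name while keeping only the final extension. It also shows why the ".lnk" in Richard's reported name disappears: the shortening keeps the last extension only, so the rule check has to run on the original name, not on the reported one.

```python
import re

# Assumed limit for the shortened name; the page does not give MailScanner's
# actual value, this is a constructed example.
MAX_REPORTED_LEN = 20


def sanitise_filename(name: str, max_len: int = MAX_REPORTED_LEN) -> str:
    """Return a form of `name` that is safe to echo into logs and warning mail.

    The raw attachment name is attacker-controlled: a crafted value could carry
    CR/LF, a MIME boundary line or a whole fake header block, so it is never
    written out unchanged.
    """
    # 1. Drop CR, LF, tabs and every other control character so the name
    #    cannot start a new header line or MIME part in the generated text.
    name = "".join(ch for ch in name if ch.isprintable())
    # 2. Allow only a conservative character set (assumed here); the rest
    #    becomes "_".
    name = re.sub(r"[^A-Za-z0-9 ._()-]", "_", name)
    # 3. Collapse runs of spaces/underscores and trim the ends.
    name = re.sub(r"[ _]+", " ", name).strip()
    # 4. Shorten, keeping only the final extension intact. This also hides
    #    any earlier extension ("3.lnk.xls" is reported as "....xls"), so
    #    policy checks must be applied to the original name, not this output.
    base, dot, ext = name.rpartition(".")
    if dot and base and 0 < len(ext) <= 5:
        keep = max_len - len(ext) - 1
        if len(base) > keep:
            base = base[:keep].rstrip()
        return f"{base}.{ext}"
    return name[:max_len]


def warning_line(original_name: str) -> str:
    """Build the one-line notice; only the sanitised name is interpolated."""
    return f"Warning: ({sanitise_filename(original_name)})."


# Constructed hostile name: CRLFs, a boundary marker and a fake header block.
HOSTILE = ("report.pdf\r\n--boundary\r\nContent-Type: text/html\r\n\r\n"
           "<html>x</html>.xls")

if __name__ == "__main__":
    print(warning_line("Shortcut (2) to Copy of PayrollTFC (version 2) 3.lnk.xls"))
    print(warning_line(HOSTILE))
```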


