Very long filenames?

[Julian Field]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Mark Sapiro wrote:
> Bjørn T Johansen wrote:
>
>   
>> But how long is max length? And is there a way to find the original filename?
>>     
>
> <snip>
>   
>>>> The only option I can find in filenames.rules.conf is this..:
>>>>
>>>> deny    .{150,}                 Very long filename, possible OE attack
>>>>         
>
>
> That regexp matches anything 150 or more characters long. so the max
> length is 149.
>
> If the message was quarantined, I expect the original name is in the
> quarantined message. If not, there is a MailScanner entry in maillog,
> but I don't know if it has the original or the sanitized name.
>   
The original filename is put in the log. Only sanitised names are ever 
passed back to the user. As far as I am aware, there are no attacks that 
can be launched by putting nasty strings in the call to syslogd. It is 
just truncated to the maximum length of the syslog entry. But there are 
many attacked that can be launched by putting arbitrary strings into 
email messages sent to the user. Just imagine a long filename that 
contained newline sequences and MIME boundaries, you could put an entire 
attachment into a maliciously crafted filename.


Jules

- -- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654


-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.0 (Build 2158)
Comment: (pgp-secured)
Charset: ISO-8859-1

wj8DBQFHvvzCEfZZRxQVtlQRAg+vAKDVT7ZdG8k83RVIT2TUtHNHh/2WggCZAU6p
0OdHUi0qCrB6uePvHACAlh4=
=KXan
-----END PGP SIGNATURE-----

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.