filename checks = wrong filename report

Scott Silva ssilva at sgvwater.com
Thu Jul 10 00:00:58 IST 2008


on 7-9-2008 3:19 PM Matt Kettler spake the following:
> Scott Silva wrote:
>> on 7-9-2008 2:43 AM Sylvain Phaneuf spake the following:
>>>>>> On 09/07/2008 at 10:26, shuttlebox <shuttlebox at gmail.com> wrote:
>>>> The filename in the report is the sanitized version. I've had the same
>>>> problem explaining to users that the original filename was longer than
>>>> 150 characters when the reported one is clearly shorter. I just added
>>>> a few explaining words to the reports to solve the problem.
>>>
>>> I would rather have a report that is not using a "sanitized version" 
>>> if it were possible.
>>> I would prefer not saying to the user: trust us, we know this 
>>> attachment is not good for you, even if the filename appears OK.
>>> And in the case I am reporting, the filename is less than 150 
>>> characters long anyway...
>>>
>>> Sylvain
>>>
>> But if the un-sanitized name has some buffer overflow or other attack 
>> in it, you have a possible problem for the user. That is one reason 
>> why filenames are sanitized.
> 
> And this would be feasible in the body text of a text/plain message 
> section? (which is ultimately what the report is)
> 
> At that point they could just send the exploit in a message body and not 
> bother with a file in the first place.
> 
> ooohoheresmyreallyscarrrylongfilenamethatcouldbufferoverflowyourpcandletmerunwhateverIwantonit.exe 
> 
> 
> 
> See, nothing happened, did it? Even if it was thousands of characters 
> long, it would be no different, because it's in the body text.
How about when that longscaryfilename..... gets sent to syslog? That is 
another reason to sanitize the names.

Julian didn't set it that way to be easier, or to mess with users. He has 
listed all the reasons in the past; I just can't remember them all.

-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
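As an added illustration of the kind of sanitization the thread is arguing about (example code written for this page, not MailScanner's own routine, whose exact rules are not shown here): control characters such as CR/LF and terminal escapes are replaced before a filename goes into a syslog line or a text/plain report, over-long names are cut with a visible marker, and the report line states why the name shown differs from the original, which addresses Sylvain's "trust us" objection. The 150-character limit and every sample filename below are constructed assumptions.

```python
import re

# Assumed limit. The thread mentions 150 characters as the point at which a
# filename is reported as too long; this default is a constructed value.
MAX_REPORT_LEN = 150

# ASCII control characters (including CR, LF, ESC) and the C1 range. Any of
# these inside a syslog line can break the line, forge a second log entry, or
# carry a terminal escape sequence that fires when an admin tails the log.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f-\x9f]")

# Unicode code points that can hide or reorder text in a plain-text report:
# zero-width characters, line/paragraph separators and bidi overrides.
_INVISIBLE = re.compile(r"[\u200b-\u200f\u2028\u2029\u202a-\u202e\u2066-\u2069]")

_TRUNC_MARK = "...(truncated)"


def sanitize_filename(name: str, max_len: int = MAX_REPORT_LEN) -> str:
    """Return a form of `name` safe to embed in a log line or text report.

    Control and invisible characters become '_'. Names longer than `max_len`
    are cut and end with an explicit marker, so the reader can see that the
    shown name is not the original (the complaint in the thread was that a
    quietly shortened name looks harmless).
    """
    cleaned = _CONTROL_CHARS.sub("_", name)
    cleaned = _INVISIBLE.sub("_", cleaned)
    if len(cleaned) > max_len:
        cleaned = cleaned[: max_len - len(_TRUNC_MARK)] + _TRUNC_MARK
    return cleaned


def report_line(name: str, max_len: int = MAX_REPORT_LEN) -> str:
    """Build the report line: the sanitized name plus the facts that explain
    why it may look different from what the user sees in their mail client."""
    notes = []
    if _CONTROL_CHARS.search(name) or _INVISIBLE.search(name):
        notes.append("contained control or invisible characters (replaced with '_')")
    if len(name) > max_len:
        notes.append(f"was {len(name)} characters long (shown truncated)")
    line = f"Attachment: {sanitize_filename(name, max_len)}"
    if notes:
        line += " [original name " + "; ".join(notes) + "]"
    return line


if __name__ == "__main__":
    # Constructed sample filenames, not taken from any real message.
    samples = [
        "report.pdf",
        # A name carrying a newline followed by a fake log entry.
        "invoice\r\nJul 10 00:00:58 host sshd[1]: Accepted password for root\n.exe",
        # A name carrying a terminal clear-screen escape.
        "\x1b[2Jnotes.txt",
        "a" * 200 + ".exe",
    ]
    for s in samples:
        print(report_line(s))
```

The point of `report_line` is that the report stays honest: it never shows the raw name, but it also never lets a cleaned-up name stand alone as if that were what the user's mail client displayed.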
