Date: Thu, 30 Jul 1998 18:39:09 +1200 (NZST)
From: Andrew McNaughton <andrew@squiz.co.nz>
To: Gregory Sutter <gsutter@pobox.com>
Cc: Brett Glass <brett@lariat.org>, freebsd-security@FreeBSD.ORG
Subject: Re: procmail workaround for MIME filename overflow exploit
Message-ID: <Pine.BSF.3.96.980730183022.5793B-100000@aniwa.sky>
In-Reply-To: <19980729145556.C16073@notabene.zer0.org>

On Wed, 29 Jul 1998, Gregory Sutter wrote:

> John's recipe has the same problem as Andrew McNaughton's proposed
> solution -- it invokes perl. That's a lot of overhead to process a
> mail message, when procmail can do it just fine. Out of several
> recipes suggested on the procmail mailing list, David Tamkin's is the
> best:
>
> :0fhw # sixty-three dots in second condition
> * ^Content-Disposition:(.*\>)?filename="\/[^"]+
> * MATCH ?? ^^\/...............................................................
> | formail -I "Content-Disposition: attachment; filename=\"$MATCH\""
>
> That recipe will truncate any filenames longer than 63 characters to 63
> chars. If you wish to specially denote offending messages, you can
> change the action line to:
>
> | formail -I "Content-Disposition: attachment; filename=\"$MATCH\"" \
>   -i "X-Security-Modification: Truncated long filename"

If formail is substantially faster than perl to invoke then it's better,
but I prefer a test on the length of the entire header rather than just
the filename.

Do any of the vulnerable programs also make assumptions about the length
of the header as a whole? Do any accept whitespace around the '='? What
happens if there is no terminating '"'?

Andrew

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
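
The three cases asked about in the reply above (length of the whole header, whitespace around the '=', a missing closing quote), checked in one place. This is an added example, not code from the thread: the function name and the 256-character header cap are assumptions, and the 63-character filename limit is the one used by the quoted recipe.

```python
import re

MAX_FILENAME = 63   # filename limit used by the recipe quoted in the thread
MAX_HEADER = 256    # assumed cap for the whole unfolded header (not from the thread)

# filename parameter: optional whitespace around '=', then either a quoted
# value whose closing quote may be missing, or a bare token.
_PARAM = re.compile(r'\bfilename(\s*)=(\s*)(?:"([^"]*)("?)|([^\s;"]+))', re.I)

def check_disposition(raw_header):
    """Return (header, reasons); reasons is empty when nothing needed fixing."""
    # Unfold continuation lines first so folding cannot hide the real length.
    header = re.sub(r'\r?\n[ \t]+', ' ', raw_header.rstrip('\r\n'))
    reasons, name = [], None
    if len(header) > MAX_HEADER:
        reasons.append('long header')
    m = _PARAM.search(header)
    if m:
        ws_before, ws_after, quoted, closing, bare = m.groups()
        name = quoted if bare is None else bare
        if ws_before or ws_after:
            reasons.append('whitespace around =')
        if bare is None and not closing:
            reasons.append('unterminated quote')
        if len(name) > MAX_FILENAME:
            reasons.append('long filename')
        # Drop control characters so the rebuilt header stays on one line.
        name = re.sub(r'[\x00-\x1f\x7f]', '', name)[:MAX_FILENAME]
    if not reasons:
        return header, reasons
    # Like the formail -I action in the thread: replace the whole header with
    # a fixed, short form rather than patching the suspicious one in place.
    clean = 'Content-Disposition: attachment'
    if name:
        clean += '; filename="%s"' % name
    return clean, reasons

if __name__ == '__main__':
    # Constructed sample headers, one per question raised in the reply.
    prefix = 'Content-Disposition: attachment;'
    for sample in (prefix + ' filename="' + 'A' * 100 + '.txt"',
                   prefix + ' filename = "x.doc"',
                   prefix + ' filename="abc.txt',
                   prefix + ' x=' + 'B' * 400):
        print(check_disposition(sample))
```

The reasons list can be written to a marker header in the same way as the X-Security-Modification line in the quoted recipe.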