anomy-bugs

sanitizer: inline images, false positives with T'bird

From: Doug McCasland (30781@xyz.molar.is)
Date: Tue 27 Jul 2004 - 23:43:41 GMT

Hi,

I found an interesting problem.

I composed a msg with Moz. Thunderbird in HTML format. Used Insert|Image and put in a gif file in the message body. When I sent it to myself Anomy accepted it.

When my wife did the same thing from her installation of T'bird, Anomy deleted the attachment. The only difference: her sender address is in .com, mine is in .net.

The message source has this in the HTML attachment:

    <img alt="" src="cid:30903@xyz.molar.is" ...

The cid content ID tag refers to the image attachment later in the message:

    Content-Type: image/gif; name="image.gif"
    Content-Transfer-Encoding: base64
    Content-ID: <30903@xyz.molar.is>
    Content-Disposition: inline; filename="image.gif"

From the Anomy logs:

    [Attachment accepted]
    Parsing body as DEFAULT. CleanUnknown SanitizeFile (filename="30957@xyz.molar.is, image.gif", mimetype="image/gif"):

    [Attachment deleted]
    Parsing body as DEFAULT. CleanUnknown SanitizeFile (filename="30903@xyz.molar.is, image.gif", mimetype="image/gif"):

As you can see, T'bird uses the sender domain to make the Content-ID name. ".net" is not a known threat, so it was accepted. ".com" is obviously an unacceptable extension, so it was dropped, even though the .com had nothing to do with the attached file's contents.

From the Sanitizer.pm code:

    sub SanitizeFile
    ..
        # Also look at Content-Description and Content-ID for filename candidates
        foreach my $h ("_description", "_id")
        {
            foreach my $v (map { ($_->{"data"}, $_->{"raw"}) }
                               $part->GetMIMEAttributes("(?i)^$h\$"))
            {
                # strip surrounding <...> from a Content-ID style value
                $v = $1 if ($v =~ /^<+(.*?)>+\s*$/);
                # any value containing a dot is treated as a filename
                push @filenames, $v if ($v =~ /\./);
            }
        }
    ..

When I comment out this loop, the log shows:

    Parsing body as DEFAULT. CleanUnknown SanitizeFile (filename="image.gif", mimetype="image/gif"):

which is properly accepted. I'm not sure what the loop does (or why); I suppose certain malware can somehow be transmitted in a Content-ID? I'm leaving the loop commented out for now. Since I use ClamAV before Anomy, I'm not that concerned about actual malware inside HTML.

What do you think?

--
Doug McCasland   Healdsburg, California   <30781@xyz.molar.is>
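As an added example (not code from the post or from the Anomy project), the following Python reconstructs the filename-candidate logic the post quotes and runs it over a constructed message whose Content-ID ends in a ".com" domain. It reproduces the false positive, shows the effect of dropping the loop as the post does, and adds a hypothetical third option: skipping candidates shaped like an RFC 2392 content-id (local-part@domain) while still checking a value such as `<invoice.exe>`. The sample mail, the block list, the function names and the skip rule are all assumptions standing in for the site's real Anomy policy, which is not reproduced here.

```python
import re
from email import message_from_string
from email.message import Message
from typing import List, Optional, Tuple

# Constructed sample message (not from the post): an HTML mail with an inline
# GIF whose Content-ID is a message-id style token ending in a ".com" domain.
SAMPLE_MAIL = """\
From: sender@example.com
To: recipient@example.net
Subject: inline image test
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset=us-ascii

<html><body><img alt="" src="cid:30903@example.com"></body></html>
--b1
Content-Type: image/gif; name="image.gif"
Content-Transfer-Encoding: base64
Content-ID: <30903@example.com>
Content-Disposition: inline; filename="image.gif"

R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7
--b1--
"""

# Hypothetical block list standing in for the site's Anomy policy; ".com" is
# listed because of DOS-era .com executables, which is what bites here.
BLOCKED_EXTENSIONS = {"exe", "com", "bat", "scr", "pif", "vbs", "js"}

# A bare RFC 2392 content-id: local-part@domain, no whitespace or brackets.
MESSAGE_ID_RE = re.compile(r"^[^@\s<>]+@[^@\s<>]+$")
# Same pattern the quoted Perl uses to strip <...> around a header value.
ANGLE_BRACKETS_RE = re.compile(r"^<+(.*?)>+\s*$")


def filename_candidates(part: Message, include_cid: bool = True) -> List[str]:
    """Return every header value the sanitizer would examine as a filename.

    With include_cid=True this mirrors the Sanitizer.pm loop quoted above:
    Content-Description and Content-ID values lose their <> and are added
    whenever they contain a dot.
    """
    names: List[str] = []
    for value in (part.get_param("name"), part.get_filename()):
        if value and value not in names:
            names.append(value)
    if include_cid:
        for header in ("Content-Description", "Content-ID"):
            value = part.get(header)
            if value is None:
                continue
            m = ANGLE_BRACKETS_RE.match(value)
            if m:
                value = m.group(1)
            if "." in value:
                names.append(value)
    return names


def extension(name: str) -> str:
    """Lower-cased text after the last dot, or '' when there is no dot."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def verdict(part: Message, include_cid: bool = True,
            skip_message_ids: bool = False) -> Tuple[str, Optional[str]]:
    """Decide accept/delete for one MIME part.

    skip_message_ids=True is the hardening suggested here (an assumption, not
    Anomy's fix): a candidate shaped like local@domain is a content-id, so its
    "extension" is a DNS label rather than a file type and is ignored. A value
    such as "invoice.exe" in Content-ID has no "@" and is still checked.
    """
    for cand in filename_candidates(part, include_cid):
        if skip_message_ids and MESSAGE_ID_RE.match(cand):
            continue
        if extension(cand) in BLOCKED_EXTENSIONS:
            return ("deleted", cand)
    return ("accepted", None)


def image_part(raw: str) -> Message:
    """Pick the image/gif part out of a raw RFC 822 message."""
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "image/gif":
            return part
    raise ValueError("no image/gif part in message")


if __name__ == "__main__":
    part = image_part(SAMPLE_MAIL)
    print("candidates:       ", filename_candidates(part))
    print("as quoted loop:   ", verdict(part))
    print("loop removed:     ", verdict(part, include_cid=False))
    print("skip content-ids: ", verdict(part, skip_message_ids=True))
    smuggled = image_part(SAMPLE_MAIL.replace("<30903@example.com>", "<invoice.exe>"))
    print("cid=<invoice.exe>:", verdict(smuggled, skip_message_ids=True))
```

Run as a script it prints the candidate list and the four verdicts. The message-id skip is narrower than removing the loop: it keeps Content-Description and Content-ID under inspection, so a filename-like token placed there is still matched against the extension policy, while a plain content-id no longer trips on its top-level domain.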