First of all: I didn't have time to go through my entire incoming patch
collection, so stuff some of you have contributed isn't in this
release, although I promised that it would be. Sorry about that!
Also, since this release contains quite a few relatively important bug
fixes - including one bug which could cause attachment corruption - I
decided to rush it out without updating all the documentation. Again,
Hopefully I'll make a 1.45 release soon to address these issues.

Highlights in this release:

- Mangling of cid: URLs. This is necessary, since a CID which looks
  like a file name will be treated like a filename by all unpatched
  Explorer-based HTML renderers (recent Eudoras and Outlooks, to name
  the biggies). So people could send you an executable named
  blah.jpg, with the content-ID blah.exe - and Explorer would happily
  execute it without even asking for permission. Big hole.

  The downside is, my CID: defanging is way too aggressive - it
  causes way too many false positives, and unfortunately has the
  drawback of making attachments appear to "vanish" in certain
  mailers which don't provide an icon for the file, but count on the
  HTML to display it instead (which it doesn't do because I mangle
  the CID: url).

  This is pretty high on my list of Things I Need To Fix For Work, so
  hopefully it'll be addressed within the next few releases.

- Fixed a very stupid bug in the scanner plugin code.

- Fixed a bad bad bug in the Base64 code, which would corrupt some
  files if people were using "feat_log_inline = 2".

- Fixed a bug in the boundary ambiguity-handling code.

- Added a bunch of little features for us hacker types, see the
  CHANGELOG file for details.

Also: My employer's virus scanner F-Prot is now available for free
(as a beta release) for the Linux platform. It should work great
with the Sanitizer. See http://www.frisk.is/ for info. We could
use your feedback. :-)
-- Bjarni R. Einarsson PGP: 02764305, B7A3AB89 firstname.lastname@example.org -><- http://bre.klaki.net/
Check out my open-source email sanitizer: http://mailtools.anomy.net/
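
The cid: problem described in the highlights above, as an added sketch that is not part of the original announcement and is not Anomy Sanitizer's code: it renames only Content-IDs that end in an executable-looking extension and rewrites the matching cid: references in the HTML, so inline images keep displaying. The extension list, the function names and the `sanitizer.invalid` token are assumptions made for illustration.

```python
import re
from email import message_from_string

# Assumed, illustrative (not exhaustive) set of extensions a shell might execute.
RISKY_EXT = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "lnk"}

# Constructed sample message: a JPEG attachment whose Content-ID is "blah.exe".
SAMPLE = """\
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html

<html><img src="cid:blah.exe"><img src="CID:logo@example.org"></html>
--b1
Content-Type: image/jpeg; name="blah.jpg"
Content-ID: <blah.exe>

AAAA
--b1
Content-Type: image/png; name="logo.png"
Content-ID: <logo@example.org>

AAAA
--b1--
"""

def looks_like_risky_filename(cid):
    """True when the Content-ID ends in an extension from RISKY_EXT."""
    m = re.search(r"\.([A-Za-z0-9]{1,4})$", cid)
    return bool(m and m.group(1).lower() in RISKY_EXT)

def sanitize(raw):
    """Return (sanitized message text, {old cid: new cid}) for risky ids only."""
    msg = message_from_string(raw)
    renamed = {}
    for part in msg.walk():
        cid = (part.get("Content-ID") or "").strip().strip("<>")
        if looks_like_risky_filename(cid):
            renamed[cid] = "defanged-%d@sanitizer.invalid" % (len(renamed) + 1)
            part.replace_header("Content-ID", "<%s>" % renamed[cid])
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_payload()  # sketch handles unencoded (7bit/8bit) HTML only
            for old, new in renamed.items():
                html = re.sub(r"(?i)cid:" + re.escape(old), "cid:" + new, html)
            part.set_payload(html)
    return msg.as_string(), renamed
```

An ordinary id such as `img1@example.com` also matches (because of "com"), but since the header and the reference are renamed together the image still resolves, which is the false-positive case the announcement describes.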