Yet another long-overdue release. :-)
Get it from here:
The changelog entry for this release follows in its entirety - lots
of stuff changed.
I've been swamped in work and have totally lost track of my incoming
patch/contrib submissions. Those of you who submitted useful stuff to
me and don't see it in this release, please bear with me and resubmit.
In other news, I'm happy to verify that the Sanitizer has (at least
for me) lived up to its promise of blocking direct, email-based
attacks as well as the usual worms and viruses. A few days after the
BadTrans outbreak, a message was sent to me which was formatted like
BadTrans (tried to exploit the same Outlook auto-execution bug), but
contained a completely unknown payload (no antivirus programs I had
access to recognized it at the time). It's since been added to
F-Prot's database as W32/HLLW.Explo, I don't know about the other
Basically, someone tried to send me some trojan or "rootkit" and the
Sanitizer blocked it. I thought it was pretty cool to have this
"theoretical" benefit of the Sanitizer verified in this way. :-)
Anyway, the changelog:
WARNING: Scoring works again - but not like it used to!
WARNING: The default configuration has been updated quite a bit,
and does some NEW THINGS. You have been warned.
Most test cases were modified for this release (I've gotta start
releasing things more often...).
Almost complete rewrite of HTML sanitization code, to switch from a
default-allow to default-deny strategy. Primary benefits:
- Old problem with <style> blocks becoming visible solved.
- Rudimentary support for simple (safe) style markup.
- Defangs non-standard HTML introduced by recent MS Office products.
- CID defanging is more precise.
- A few safe META and LINK tags are now recognized, fixing (for example)
problems with charset-definitions.
- Web-bugs can now be optionally defanged (feat_webbugs).
- Initial measurements at FRISK indicate that the "false-positive"
rate is somewhat lower than before. Plenty of room for improvement
longer used by the Sanitizer.
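To make the default-allow vs. default-deny distinction concrete, here is a small default-deny HTML filter written for this post as an added example (it is not the Sanitizer's code, and its allow-lists, the DEFANGED_ tag-renaming convention and the SUPPRESS_CONTENT set are this example's own assumptions). Any tag not on the allow-list is renamed so it becomes inert, attributes are dropped unless explicitly allowed for that tag, href values must use a known-safe scheme, and the body of a defanged script/style block is discarded so style sheets don't turn into visible text:

```python
from html.parser import HTMLParser
from typing import List, Tuple

# Allow-lists constructed for this example; a real sanitizer's tables
# would be larger and configurable.
SAFE_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li",
             "blockquote", "pre", "table", "tr", "td", "th", "meta"}
SAFE_ATTRS = {"a": {"href"}, "meta": {"http-equiv", "content", "charset"}}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:")
# Defanged tags whose body must not leak into the visible text.
SUPPRESS_CONTENT = {"script", "style"}


class DefaultDenyHTML(HTMLParser):
    """Default-deny filter: unknown tags are renamed (assumed DEFANGED_ prefix),
    unknown attributes dropped, and script/style bodies suppressed."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=False)
        self.out: List[str] = []
        self.defanged = 0   # tags and attributes neutralised so far
        self._suppress = 0  # > 0 while inside a suppressed script/style body

    def _filter_attrs(self, tag: str, attrs) -> str:
        allowed = SAFE_ATTRS.get(tag, set())
        kept = []
        for name, value in attrs:
            if name not in allowed or value is None:
                self.defanged += 1          # e.g. onclick=, style=, src=
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                self.defanged += 1          # non-allow-listed URL scheme
                continue
            kept.append(' %s="%s"' % (name, value.replace('"', "&quot;")))
        return "".join(kept)

    def handle_starttag(self, tag, attrs):
        if self._suppress:
            return
        if tag in SAFE_TAGS:
            self.out.append("<%s%s>" % (tag, self._filter_attrs(tag, attrs)))
        else:
            self.defanged += 1
            self.out.append("<DEFANGED_%s>" % tag)
            if tag in SUPPRESS_CONTENT:
                self._suppress += 1

    def handle_endtag(self, tag):
        if tag in SUPPRESS_CONTENT and self._suppress:
            self._suppress -= 1
            self.out.append("</DEFANGED_%s>" % tag)
            return
        if self._suppress:
            return
        self.out.append("</%s>" % tag if tag in SAFE_TAGS else "</DEFANGED_%s>" % tag)

    def handle_data(self, data):
        if not self._suppress:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self._suppress:
            self.out.append("&%s;" % name)

    def handle_charref(self, name):
        if not self._suppress:
            self.out.append("&#%s;" % name)

    def handle_comment(self, data):
        pass  # comments are dropped; conditional comments are a classic hiding place


def sanitize_html(html: str) -> Tuple[str, int]:
    """Return (filtered HTML, number of tags/attributes defanged)."""
    p = DefaultDenyHTML()
    p.feed(html)
    p.close()
    return "".join(p.out), p.defanged


if __name__ == "__main__":
    sample = ('<p>Hi <script>var x=1;</script><a href="javascript:x" onclick="y()">link</a>'
              '<img src="http://x/b.gif"></p>')   # constructed input
    print(sanitize_html(sample))
```

Note that the img tag is defanged along with everything else unknown, which is exactly the web-bug case: the remote fetch never happens unless img is put on the allow-list.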
MIMEStream now guesses boundary strings for multipart/ parts, if no
boundary string is specified in the header. The Sanitizer adds the
missing boundary string to the Content-Type header, if found and
This release re-introduces ! policies and the score_bad feature,
although the semantics are slightly different - see the manual for
details. The score_panic, score_panic_code and score_bad_code
variables (and features) have been removed. For semi-safe backwards
compatibility, the panic policy acts just like the drop policy.
The default configuration was dramatically improved (it's now very
close to my "recommended" configuration, although it obviously lacks
a proper virus scanner). It should now be easier to "tweak" the
config to change policies for classes of files or add a virus
scanner, without having to copy whole rules.
Added feat_log_after, which formats messages in such a way as to
facilitate after-the-fact insertion of logs into messages, without
forcing the log process to rewrite the entire message.
Fixed a bug in the Sanitizer where certain "fixes" made to the message
headers could get lost if "feat_log_inline = 2" was used. Also fixed
minor glitches within MIMEStream.
Minor tweaks to header encoding routines.
Added sanity-checks for certain MIME types, which defangs the attachment
if the name doesn't match the MIME type. This blocks (amongst other
things) the audio/x-wav exploit commonly used by Nimda, BadTrans and others.
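The sanity check above boils down to: a part that claims to be one MIME type but carries a filename belonging to another should be treated as suspect, because the recipient's mail client may pick the handler from either field. The following is an added example (not the Sanitizer's code) that walks a constructed message with the standard library and reports such mismatches; the EXPECTED_EXTENSIONS table is this example's own assumption, and types not in it are not judged:

```python
import email
import os
from email import policy
from typing import List, Optional, Tuple

# Constructed table: the filename extensions a declared MIME type may
# legitimately carry. Types absent from the table are not judged.
EXPECTED_EXTENSIONS = {
    "audio/x-wav": {".wav"},
    "audio/wav": {".wav"},
    "image/gif": {".gif"},
    "image/jpeg": {".jpg", ".jpeg"},
    "text/plain": {".txt", ".text", ""},
}


def name_matches_type(content_type: str, filename: Optional[str]) -> bool:
    """True if filename is consistent with the declared MIME type.
    Unknown types and nameless parts (inline text) pass; a listed type
    whose final extension is not expected is a mismatch."""
    expected = EXPECTED_EXTENSIONS.get(content_type.lower())
    if expected is None or not filename:
        return True
    ext = os.path.splitext(filename)[1].lower()
    return ext in expected


def scan_message(raw: bytes) -> List[Tuple[str, Optional[str]]]:
    """Return (content_type, filename) for every leaf part whose name
    contradicts its declared type. get_filename() also decodes RFC 2231
    parameters, so an encoded filename*= is checked the same way."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        fname = part.get_filename()
        if not name_matches_type(ctype, fname):
            findings.append((ctype, fname))
    return findings


# Constructed sample message: one honest text part, one part that claims
# to be audio/x-wav but is named like an executable, one honest GIF, and
# one text/plain part with an RFC 2231-encoded, double-extension name.
SAMPLE = b"""From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset=us-ascii

hello
--XYZ
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="readme.exe"

AAAAAAAA
--XYZ
Content-Type: image/gif; name="pic.gif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="pic.gif"

R0lGODlhAQABAAAAACw=
--XYZ
Content-Type: text/plain
Content-Disposition: attachment; filename*=utf-8''notes.txt.scr

not really text
--XYZ--
"""

if __name__ == "__main__":
    for ctype, fname in scan_message(SAMPLE):
        print("mismatch: declared %s, named %r" % (ctype, fname))
```

A sanitizer acting on these findings would then apply its usual defanging (rename the attachment and/or replace the declared type) rather than just logging; the point of the check is that the declared type alone is never trusted to decide how a part is handled.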
Fixed an ugly bug to do with handling of nested multiparts. I'm not
sure whether this was present in 1.44 or not.
Added incomplete support for RFC2231 MIME Parameter Value and Encoded
Word Extensions. This needs more work.
Modified header checks to allow longer individual words within headers
(the limit was 128 characters, raised it to 196). Relaxed the checks
on subject lines quite a bit as well - they were downright irritating.
-- Bjarni R. Einarsson PGP: 02764305, B7A3AB89 firstname.lastname@example.org -><- http://bre.klaki.net/
Check out my open-source email sanitizer: http://mailtools.anomy.net/