On 2004-04-06, 18:12:45 (-0500), Seth A Robertson wrote:
>
> Don't you love ambiguous results?! While filename is an array of both the
> ContentID and the correct filename (this is the buggy behavior we saw
> before), names takes only the correct filename (compare the names values
> above with the 1.66 results further above), and thus enforces the correct

Not a bug, a feature! :-)

The code which treats content-IDs as file names does so because
content-IDs appeared to be used *and interpreted* as file names in a
few Outlook/IE interaction exploits I saw on Bugtraq some time ago.
However since this exploit hasn't been widely exploited and the "fix"
caused lots of problems for people, it seems the protection provided
probably isn't worth the hassle, leading to me creating an exception for
".com". Security is always a trade-off...

So although it's a feature, it may not be a particularly good one.

The renaming behavior you saw with the .gov Content-ID was rather
interesting though. Do you have .gov listed in rule number two on your
site? I ask, because when the sanitizer takes action based on a file
name matching a rule, it attempts to ensure that that is the file name
which the end-user will see: "renaming" the attachment so the behavior
of the email client matches that expected by the policy being enforced
on the server.

If the file got renamed to "something.gov", that indicates that
"something.gov" matched rule 2 and caused the attachment to be
accepted.

Which is rather odd... why would you be explicitly accepting .gov
attachments?

> I've also run about 10 other various tests on mails containing attachments
> of different sizes and flavors (extensions), and containing messages with
> multiple extensions which match different policies, and all functionality
> appears to be preserved...but I'm very concerned that this may have
> negative repercussions too.

Disabling the code which treats Content-IDs as file names should work
fine as long as you aren't concerned about those obscure exploits.
Since they are rather obscure, rarely used, and may be limited to
certain combinations of Outlook/Outlook Express/Internet Explorer only,
then this may in fact cause no additional risk at your site.

I'm considering making the Content-ID stuff completely optional for
people in the next release, maybe even turning it off by default. It
seems to be an example of the Sanitizer being overly aggressive with
very little benefits as a result.
-- 
Bjarni Rúnar Einarsson  122190@xyz.molar.is  http://bre.klaki.net/
PGP: 02764305, B7A3AB89
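To make the behaviour discussed in this thread concrete, here is an added illustration (not the Sanitizer's own code) of how treating a Content-ID as a second candidate file name changes which policy rule fires and what name the recipient ends up seeing. The rule list and its format are assumptions constructed for the example; rule 2 deliberately accepts .gov, the oddity Bjarni asks about.

```python
import re
from email.message import EmailMessage

# Constructed policy: numbered file-name rules checked in order. This is an
# assumed format for illustration, not the Sanitizer's real configuration.
RULES = [
    (1, re.compile(r'\.(exe|com|scr|pif)$', re.I), 'drop'),
    (2, re.compile(r'\.(pdf|gov)$', re.I), 'accept'),
]

def make_part(filename, content_id=None):
    """Build a constructed attachment part carrying the given headers."""
    part = EmailMessage()
    part.set_content(b'sample bytes', maintype='application',
                     subtype='octet-stream', filename=filename, cid=content_id)
    return part

def candidate_names(part, treat_cid_as_name):
    """Names the policy is matched against. With the Content-ID feature on,
    the ID is listed first, mirroring the two-element array Seth observed."""
    names = []
    if treat_cid_as_name and part.get('Content-ID'):
        names.append(part['Content-ID'].strip('<>'))
    if part.get_filename():
        names.append(part.get_filename())
    return names

def apply_policy(part, treat_cid_as_name=True):
    """Return (rule number, action, file name the client will display).

    When a rule matches a name other than the declared filename, the part is
    renamed so the client sees the name the policy actually matched, which is
    how a Content-ID ending in .gov turns into "something.gov" on the desktop.
    """
    for number, pattern, action in RULES:
        for name in candidate_names(part, treat_cid_as_name):
            if pattern.search(name):
                if name != part.get_filename():
                    part.set_param('filename', name,
                                   header='Content-Disposition', replace=True)
                return number, action, part.get_filename()
    return None, 'default', part.get_filename()
```

With the Content-ID feature switched off, the same part is judged on its declared filename alone and is not renamed.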