anomy-list

Re: Content-ID problems - again!

From: Bjarni R. Einarsson (122190@xyz.molar.is)
Date: Wed 07 Apr 2004 - 01:47:02 GMT


    On 2004-04-06, 18:12:45 (-0500), Seth A Robertson wrote:
    >
    > Don't you love ambiguous results?! While filename is an array of both the
    > ContentID and the correct filename (this is the buggy behavior we saw
    > before), names takes only the correct filename (compare the names values
    > above with the 1.66 results further above), and thus enforces the correct

    Not a bug, a feature! :-)

    The code which treats content-IDs as file names does so because
    content-IDs appeared to be used *and interpreted* as file names in a
    few Outlook/IE interaction exploits I saw on Bugtraq some time ago.

    However, since this exploit hasn't been widely exploited and the "fix"
    caused lots of problems for people, it seems the protection provided
    probably isn't worth the hassle, leading to me creating an exception for
    ".com". Security is always a trade-off...

    So although it's a feature, it may not be a particularly good one.

    The renaming behavior you saw with the .gov Content-ID was rather
    interesting though. Do you have .gov listed in rule number two on your
    site? I ask, because when the sanitizer takes action based on a file
    name matching a rule, it attempts to ensure that that is the file name
    which the end-user will see: "renaming" the attachment so the behavior
    of the email client matches that expected by the policy being enforced
    on the server.

    If the file got renamed to "something.gov", that indicates that
    "something.gov" matched rule 2 and caused the attachment to be
    accepted.

    Which is rather odd... why would you be explicitly accepting .gov
    attachments?

    > I've also run about 10 other various tests on mails containing attachments
    > of different sizes and flavors (extensions), and containing messages with
    > multiple extensions which match different policies, and all functionality
    > appears to be preserved...but I'm very concerned that this may have
    > negative repercussions too.

    Disabling the code which treats Content-IDs as file names should work
    fine as long as you aren't concerned about those obscure exploits.
    Since they are rather obscure, rarely used, and may be limited to
    certain combinations of Outlook/Outlook Express/Internet Explorer only,
    this may in fact cause no additional risk at your site.

    I'm considering making the Content-ID stuff completely optional for
    people in the next release, maybe even turning it off by default. It
    seems to be an example of the Sanitizer being overly aggressive with
    very little benefit as a result.

    -- 
    Bjarni Rúnar Einarsson
     122190@xyz.molar.is
     http://bre.klaki.net/
    

    PGP: 02764305, B7A3AB89
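The rename puzzle discussed in this message (an attachment coming out as "something.gov" because its Content-ID, not its file name, matched rule 2) is easy to reproduce in miniature. The following is an added illustration written for this archive page; it is not the Anomy Sanitizer's Perl code. The policy rules, the rule-before-name evaluation order, the reading of the ".com" exception as "a Content-ID ending in .com is never used as a file name", and the sample MIME message are all constructed for the example. Flipping the `content_id_as_name` flag shows both behaviours: with it on, the image's Content-ID `<photo.jpg@mail.example.gov>` matches the .gov rule and the part is renamed to that string so the client sees the name the server matched; with it off, only the real file names are tested and the image falls through to the catch-all rule unchanged.

```python
"""Added illustration (not the Anomy Sanitizer's own code) of how treating a
Content-ID as an attachment file name changes which policy rule fires and what
name the recipient ends up seeing."""
import re
from email import message_from_string
from email.message import Message

# Hypothetical policy, ordered like the Sanitizer's numbered rules:
# (rule number, pattern tested against a candidate file name, action).
POLICY = [
    (1, re.compile(r"\.(exe|pif|scr|bat|vbs)$", re.I), "drop"),
    (2, re.compile(r"\.(gov|pdf|txt)$", re.I), "accept"),  # rule 2 admits .gov on purpose
    (3, re.compile(r".*"), "defang"),  # catch-all for everything else
]

# Assumption: the ".com" exception from the thread is modelled as "never use a
# Content-ID ending in .com as a file name" (most Content-IDs end in a .com host).
CONTENT_ID_SKIP_SUFFIXES = (".com",)

# Constructed sample message: an inline image whose Content-ID ends in .gov, a
# PDF whose Content-ID ends in .com, and a double-extension executable.
SAMPLE_MESSAGE = """\
From: sender@example.net
To: recipient@example.org
Subject: constructed test message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Body text.
--b1
Content-Type: image/jpeg; name="photo.jpg"
Content-Disposition: inline; filename="photo.jpg"
Content-ID: <photo.jpg@mail.example.gov>
Content-Transfer-Encoding: base64

/9j/
--b1
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-ID: <report.pdf@example.com>
Content-Transfer-Encoding: base64

JVBE
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""


def candidate_names(part: Message, content_id_as_name: bool) -> list:
    """Every string the policy engine will test as this part's file name."""
    names = []
    for name in (part.get_filename(), part.get_param("name")):
        if name and name not in names:
            names.append(name)
    if content_id_as_name:
        cid = (part.get("Content-ID") or "").strip().strip("<>")
        if cid and not cid.lower().endswith(CONTENT_ID_SKIP_SUFFIXES):
            names.append(cid)
    return names


def first_match(names):
    """Assumed evaluation order: rules in order, each tried against every
    candidate name; the first (rule, name) hit decides the action."""
    for number, pattern, action in POLICY:
        for name in names:
            if pattern.search(name):
                return number, name, action
    return None, None, None


def sanitize_part(part: Message, content_id_as_name: bool) -> dict:
    """Apply the policy to one part and, like the Sanitizer, rename the part to
    the name that matched so the client sees the name the server decided on."""
    names = candidate_names(part, content_id_as_name)
    shown = part.get_filename()
    rule, matched, action = first_match(names)
    renamed = matched != shown
    if renamed:
        disposition = part.get_content_disposition() or "attachment"
        del part["Content-Disposition"]
        part["Content-Disposition"] = '%s; filename="%s"' % (disposition, matched)
        part.set_param("name", matched)  # keep the Content-Type name= consistent
    return {"rule": rule, "action": action,
            "filename": part.get_filename(), "renamed": renamed}


def sanitize_message(raw: str, content_id_as_name: bool) -> list:
    """One result per attachment-like part; parts with no candidate name are skipped."""
    msg = message_from_string(raw)
    results = []
    for part in msg.walk():
        if part.is_multipart() or not candidate_names(part, content_id_as_name):
            continue
        results.append(sanitize_part(part, content_id_as_name))
    return results


if __name__ == "__main__":
    for flag in (True, False):
        print("Content-ID treated as file name:", flag)
        for r in sanitize_message(SAMPLE_MESSAGE, content_id_as_name=flag):
            print("  rule %s -> %-6s %s%s" % (r["rule"], r["action"], r["filename"],
                                             "  (renamed)" if r["renamed"] else ""))
```

Running it prints the two policy passes side by side. The rename step is the part worth noticing from a security standpoint: once a Content-ID is admitted as a candidate name, a sender controls a second string that the policy tests, so an overly permissive rule (here, accepting ".gov") can be reached through a header the end user never looks at, and the rename then makes that string the visible file name.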
