On Wed, Apr 25, 2007 at 10:17:31AM +0800, Jeremy A wrote:
> Jeremy A wrote:
> >
> > OK I got a clean original copy of the email (not through anomy) and
> > plugged it into the above.
> >
>
> To add further. I have now processed the thunderbird version using the
> same process. So same content, different mailer.
not quite the same, that's the problem:
the thunderbird msg has:
> _encoding="base64", _type="image/jpeg", boundary="",
^^^^^^^^^^^^^^^^^
> charset="iso-8859-1", filename="Odyssey_OurPeopleAdd.jpg",
^^^^
...
> Match (names="Odyssey_OurPeopleAdd.jpg, filetype.jpeg", rule="2"):
^^^^^^^^^^^^^
but in your previous post original msg seems to come in wrapped in a
'application/appledouble' MIME container as 'application/applefile', with
extension .jpg.
Now, taking the 1st 2 base64 lines of my test image I'd get:
$ echo '\
/9j/4AAQSkZJRgABAQAAAQABAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRof
Hh0aHBwgJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL/2wBDAQkJCQwLDBgNDRgyIRwh\
'|mimencode -u|file -b -
JPEG image data, JFIF standard 1.01
but the same with the 2 lines from your previous post:
$ echo '\
AAUWBwACAAAAAAAAAAAAAAAAAAAAAAAAAAUAAAADAAAAVgAAABgAAAAIAAAAlgAAABAAAAAJAAAA
pgAAACAAAAAKAAAAxgAAAAQAAAACAAAAygAAtZVPZHlzc2V5X091clBlb3BsZUFkZC5qcGcAAAAA\
'|mimencode -u|file -b -
AppleDouble encoded Macintosh file
but sanitizer binary-checks for a few well known filetypes in
Sanitizer/FileTypes.pm:
my $JPEG = {
id => "jpeg",
risk => $low,
name => "JPEG Image",
extensions => [ "jpg", "jpe", "jpeg", "jfif", "jfif-tbnl" ],
mime_types => [ 'image/jpeg', 'image/pjpeg' ],
magic => [ "\xFF\xD8" ],
};
and the 'magic' doesn't match the extension in the original mail/mime-stream.
Not sure how to fix that, if either in sanitizer or the original mailer,
don't know enough about application/appledouble, perhaps it's sane adding
the 2 magics for applesingle and appledouble, from file(1) magic:
0 belong 0x00051600 AppleSingle encoded Macintosh file
0 belong 0x00051607 AppleDouble encoded Macintosh file.
so the above would be augmented as
magic => [ "\xFF\xD8", "\x00\x05\x16\x00", "\x00\x05\x16\x07" ],
it seems to work, though I'm not 100% sure identifying application/apple*
as JPEG is always correct.
If you can write your Sanitizer/FileTypes.pm it's only a matter of trying,
you can always revert to original if any problem arises.
-- paolo