anomy-list

Re: Unexpected defanging of jpg images.

From: Paolo (146971@xyz.molar.is)
Date: Wed 25 Apr 2007 - 07:52:14 GMT

  • Next message: Kimmo Suominen: "Re: Unexpected defanging of jpg images."

    On Wed, Apr 25, 2007 at 10:17:31AM +0800, Jeremy A wrote:
    > Jeremy A wrote:
    > >
    > > OK I got a clean original copy of the email (not through anomy) and
    > > plugged it into the above.
    > >
    >
    > To add further. I have now processed the thunderbird version using the
    > same process. So same content, different mailer.

    not quite the same, that's the problem:

    the thunderbird msg has:
    > _encoding="base64", _type="image/jpeg", boundary="",
                          ^^^^^^^^^^^^^^^^^
    > charset="iso-8859-1", filename="Odyssey_OurPeopleAdd.jpg",
                                                          ^^^^
    ...
    > Match (names="Odyssey_OurPeopleAdd.jpg, filetype.jpeg", rule="2"):
                                                    ^^^^^^^^^^^^^
    but in your previous post original msg seems to come in wrapped in a
    'application/appledouble' MIME container as 'application/applefile', with
    extension .jpg.

    Now, taking the 1st 2 base64 lines of my test image I'd get:

    $ echo '\
    /9j/4AAQSkZJRgABAQAAAQABAAD/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRof
    Hh0aHBwgJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL/2wBDAQkJCQwLDBgNDRgyIRwh\
    '|mimencode -u|file -b -
    JPEG image data, JFIF standard 1.01

    but the same with the 2 lines from your previous post:

    $ echo '\
    AAUWBwACAAAAAAAAAAAAAAAAAAAAAAAAAAUAAAADAAAAVgAAABgAAAAIAAAAlgAAABAAAAAJAAAA
    pgAAACAAAAAKAAAAxgAAAAQAAAACAAAAygAAtZVPZHlzc2V5X091clBlb3BsZUFkZC5qcGcAAAAA\
    '|mimencode -u|file -b -
    AppleDouble encoded Macintosh file

    but sanitizer binary-checks for a few well known filetypes in
    Sanitizer/FileTypes.pm:

    my $JPEG = {
        id => "jpeg",
        risk => $low,
        name => "JPEG Image",
        extensions => [ "jpg", "jpe", "jpeg", "jfif", "jfif-tbnl" ],
        mime_types => [ 'image/jpeg', 'image/pjpeg' ],
        magic => [ "\xFF\xD8" ],
    };

    and the 'magic' doesn't match the extension in the original mail/mime-stream.

    Not sure how to fix that, if either in sanitizer or the original mailer,
    don't know enough about application/appledouble, perhaps it's sane adding
    the 2 magics for applesingle and appledouble, from file(1) magic:
    0 belong 0x00051600 AppleSingle encoded Macintosh file
    0 belong 0x00051607 AppleDouble encoded Macintosh file.

    so the above would be augmented as

        magic => [ "\xFF\xD8", "\x00\x05\x16\x00", "\x00\x05\x16\x07" ],

    it seems to work, though I'm not 100% sure identifying application/apple*
    as JPEG is always correct.
    If you can write your Sanitizer/FileTypes.pm it's only a matter of trying,
    you can always revert to original if any problem arises.

    --
    paolo
    



    hosted by molar.is