Allowing BANNED extensions inside compressed archives

Darek M. fafaforza at yahoo.com
Thu Apr 19 21:55:09 CEST 2012


Hi list, so I want to allow exe files if they are inside a compressed zip or rar archive, and want to ask for verification of my change to amavisd.conf


In the regexp definition for "$banned_filename_re", I moved

          [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],  # allow any within these archives

which by default is 14 lines below the " $banned_filename_re" declaration to be the first thing in the block, before exe, dll, cab, pif, etc.  This is what it looks like right now:

          $banned_filename_re = new_RE(

          [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],  # allow any within these archives

          ### BLOCKED ANYWHERE
          # qr'^UNDECIPHERABLE$',  # is or contains any undecipherable components 
          qr'^\.(exe-ms|dll)$',                   # banned file(1) types, rudimentary
          # qr'^\.(exe|lha|tnef|cab|dll)$',         # banned file(1) types

          ### BLOCK THE FOLLOWING, EXCEPT WITHIN UNIX ARCHIVES:
          # [ qr'^\.(gz|bz2)$'             => 0 ],  # allow any in gzip or bzip2
          [ qr'^\.(rpm|cpio|tar)$'       => 0 ],  # allow any in Unix-type archives

          qr'.\.(pif|scr)$'i,                     # banned extensions - rudimentary
          # qr'^\.zip$',                            # block zip type

          ### BLOCK THE FOLLOWING, EXCEPT WITHIN ARCHIVES:
          # [ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ],  # allow any within these archives  

I just want to make sure I am not going to have some unforeseen things happen.  On first glance, it's working as expected.  A client's Raima database files are being tagged as exe files and being dropped.  I'm fine with letting through compressed archives, no matter what's inside, really.

-- 
Darek


More information about the amavis-users mailing list