executable file inside gzip archive not banned
Savvas Karagiannidis
karagian at dataways.gr
Wed Oct 16 13:43:10 CEST 2019
Hi everyone,
I am using the latest version of amavis (2.11.1) and have configured
banned filenames to block executable files (.exe) with the following in
$banned_filename_re :
qr'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$'i, # banned extension - basic
There was a case where an attached gzip file (xxxx.gz) contained an
executable file. The gzip file contained the filename information of the
compressed file, so if a user opened the file using any Windows archive
tool (WinZip, 7-Zip, WinRAR) he could see the executable file inside with
the .exe ending, based on the information contained in the .gz file.
I did some tests and noticed that amavis ignores the filename
information in the .gz file and assumes that the contained file's name is
the same as the archive's, with the .gz extension removed.
Enabling banning based on file(1) by adding the following in the config
file:
qr'^\.(exe|exe-ms)$', # banned file(1) types
did catch the file, but I noticed several cases of false positives, so a
cleaner, direct solution would be preferred.
I think amavis should extract the filename information contained in the
.gz file and incorporate it in the banned filename checks.
Has anyone else come across this?
During startup amavis reports in the log file the following regarding
gzip files (I have $gzip = "gzip" in the conf file):
amavis[2571]: Found decoder for .gz at /usr/bin/gzip -d
amavis[2571]: Internal decoder for .gz (backup, not used)
I also tried disabling the use of gzip, in which case the internal
decoder was used for .gz but the behavior was the same.
Regards,
Savvas Karagiannidis
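As an added example (not code from the post or from amavis itself): a small Python script that reads the FNAME field of a gzip member header (RFC 1952) and applies the post's banned-extension pattern to the stored name, alongside the outer name and the name amavis derives by stripping .gz. The sample archive and its inner name are constructed for the demonstration.

```python
import gzip
import io
import re
import struct
from typing import List, Optional

# Banned-extension pattern from the post, expressed as a Python regex
# (the original is a Perl qr''i in $banned_filename_re).
BANNED_NAME_RE = re.compile(r'.\.(exe|vbs|pif|scr|bat|cmd|com|cpl)$', re.IGNORECASE)

# RFC 1952 header: ID1 ID2 CM FLG MTIME(4) XFL OS = 10 bytes, then optional fields.
FEXTRA, FNAME = 0x04, 0x08


def gzip_original_name(data: bytes) -> Optional[str]:
    """Return the original filename stored in the gzip header, or None if absent."""
    if len(data) < 10 or data[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip stream")
    flg = data[3]
    pos = 10
    if flg & FEXTRA:  # skip the optional extra field before FNAME
        xlen = struct.unpack_from("<H", data, pos)[0]
        pos += 2 + xlen
    if not flg & FNAME:
        return None
    end = data.index(b"\x00", pos)  # FNAME is a zero-terminated Latin-1 string
    return data[pos:end].decode("latin-1")


def banned_names(archive_name: str, data: bytes) -> List[str]:
    """Candidate names for this attachment that match the banned pattern.

    Candidates: the outer attachment name, the name amavis currently derives
    (outer name minus .gz), and the FNAME stored in the header, which the
    post asks amavis to include in the check.
    """
    candidates = [archive_name]
    if archive_name.lower().endswith(".gz"):
        candidates.append(archive_name[:-3])
    inner = gzip_original_name(data)
    if inner:
        candidates.append(inner)
    return [n for n in candidates if BANNED_NAME_RE.search(n)]


def make_gzip(inner_name: str, payload: bytes) -> bytes:
    """Constructed sample: a gzip stream whose header carries inner_name in FNAME."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename=inner_name, mode="wb", fileobj=buf, mtime=0) as f:
        f.write(payload)
    return buf.getvalue()
```

Running banned_names("document.gz", make_gzip("invoice.exe", b"...")) returns ["invoice.exe"], the name the current .gz handling misses.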