XZ and banned filename

aBod abod at list.ru
Sat Aug 7 15:58:18 CEST 2021


Hello Amavis-users,

Amavis does not ban a message if you receive an XZ-compressed file that has a forbidden "banned file name" inside it (for example notepad.exe.xz).

From mail.log:
 Checking for banned types and filenames
 lookup: (scalar) matches, result="DEFAULT"
 lookup [banned_filename], 1 matches for "email at domain.tld", results: "(constant:DEFAULT)"=>"DEFAULT"
 collect banned table[0]: email at domain.tld, tables: DEFAULT=>Amavis::Lookup::RE=ARRAY(0x55af0385a4b0)
 starting banned checks - traversing message structure tree
 check_for_banned (p003,p001) multipart/mixed | text/plain,.asc
 doing banned check for email at domain.tld on multipart/mixed | text/plain,.asc
 lookup_re(["multipart/mixed","text/plain",".asc"]), no matches
 lookup [check_bann:email at domain.tld] => undef, ["multipart/mixed","text/plain",".asc"] does not match
 lookup [banned_namepath_re] => undef, "P=p003\tL=1\tM=multipart/mixed\nP=p001\tL=1/1\tM=text/plain\tT=asc" does not match
 p.path email at domain.tld: "P=p003,L=1,M=multipart/mixed | P=p001,L=1/1,M=text/plain,T=asc"
 check_for_banned (p003,p002) multipart/mixed | application/octet-stream,.dat,notepad.exe.xz
 doing banned check for email at domain.tld on multipart/mixed | application/octet-stream,.dat,notepad.exe.xz
 lookup_re(["multipart/mixed","application/octet-stream",".dat","notepad.exe.xz"]), no matches
 lookup [check_bann:email at domain.tld] => undef, ["multipart/mixed","application/octet-stream",".dat","notepad.exe.xz"] does not match
 lookup [banned_namepath_re] => undef, "P=p003\tL=1\tM=multipart/mixed\nP=p002\tL=1/2\tM=application/octet-stream\tT=dat\tN=notepad.exe.xz" does not match
 p.path email at domain.tld: "P=p003,L=1,M=multipart/mixed | P=p002,L=1/2,M=application/octet-stream,T=dat,N=notepad.exe.xz"
 banned check: any=0, all=N (1)

This is what I decided on:
unshift(@decoders, ['dat',  \&do_uncompress,
             ['xzdec', 'xz -dc', 'unxz -c', 'xzcat'] ] );
Is there another way?

P.S.
os-release ="Debian GNU/Linux 10 (buster)"

amavisd-new/stable,now 1:2.11.0-6.1 all [installed]
   Interface between MTA and virus scanner/content filters
-- 
Best regards,
 aBod                          mailto:abod at list.ru
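
Added example (not part of the original post and not Amavis code): a log check that finds leaf parts which passed the banned check while their name hides a banned extension under a compression suffix, as in the p002 entry above. The extension lists and function names are assumptions for illustration; the two sample lines are the banned_namepath_re lines from the log in the post.

```python
import re

# Assumptions for this example (not Amavis defaults): local policy lists.
BANNED_EXT = {"exe", "scr", "pif", "bat", "cmd", "com", "cpl", "vbs", "dll"}
WRAPPER_EXT = {"xz", "gz", "bz2", "lzma", "lz", "zst"}

# Matches the "banned_namepath_re ... does not match" debug line shown in the post.
NAMEPATH_LINE = re.compile(
    r'lookup \[banned_namepath_re\] => undef, "(.*)" does not match')

def parse_namepath(escaped):
    """Split the logged namepath into one {key: value} dict per MIME part."""
    text = escaped.replace("\\n", "\n").replace("\\t", "\t")
    return [dict(f.split("=", 1) for f in part.split("\t") if "=" in f)
            for part in text.split("\n")]

def hidden_banned_ext(name):
    """Return the banned extension hidden under compression suffixes, else None."""
    pieces = name.lower().rstrip(". ").split(".")
    while len(pieces) > 2 and pieces[-1] in WRAPPER_EXT:
        pieces.pop()                      # strip one compression suffix
        if pieces[-1] in BANNED_EXT:
            return pieces[-1]
    return None

def unpacked_wrapper_findings(log_lines):
    """List (part, short_type, name, hidden_ext) for leaf parts that passed the check."""
    findings = []
    for line in log_lines:
        m = NAMEPATH_LINE.search(line)
        if not m:
            continue
        leaf = parse_namepath(m.group(1))[-1]  # last entry is the part being checked
        ext = hidden_banned_ext(leaf.get("N", ""))
        if ext:
            findings.append((leaf.get("P"), leaf.get("T"), leaf["N"], ext))
    return findings

# The two namepath lines from the log in the post.
SAMPLE_LOG = [
    r' lookup [banned_namepath_re] => undef, "P=p003\tL=1\tM=multipart/mixed\nP=p001\tL=1/1\tM=text/plain\tT=asc" does not match',
    r' lookup [banned_namepath_re] => undef, "P=p003\tL=1\tM=multipart/mixed\nP=p002\tL=1/2\tM=application/octet-stream\tT=dat\tN=notepad.exe.xz" does not match',
]

if __name__ == "__main__":
    for part, short_type, name, ext in unpacked_wrapper_findings(SAMPLE_LOG):
        print(f"{part}: {name} (type {short_type}) passed the banned check; hides .{ext}")
```

The reported short type (here dat) shows how the part was classified, which is the value a decoder entry has to be keyed on for the part to be unpacked.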





More information about the amavis-users mailing list