it may be prudent to let amavisd-new block WMF based on file
contents examination as provided by a file(1) utility, which reports:
test.wmf: ms-windows metafont .wmf
(note that file(1) version 4.16 says 'metafont' instead of 'metafile',
I hope that this mistake will be rectified in the next version)
Mark: thank you!
My testing with file(1) (both versions 4.10 and 4.16) shows it does not
reliably identify .wmf files, based on the magic bytes. file(1) did
not identify a standard .wmf file copied from my Windows XP SP2 laptop,
and it also missed the .wmf exploit file from metasploit.
This is due to the .wmf entry in magic(5):
# Windows Metafont .WMF
0 string \327\315\306\232\000\000\000\000\000\000 ms-windows metafont .wmf
Based on my testing, only the first 4 bytes (\327\315\306\232) reliably
appear in some WMF files. Others use an entirely different string: the
metasploit-based WMF file has the magic byte string: \001\000\011\000
The file "magic.xml" from the ImageMagick distribution seems to support
these magic bytes:
# grep -i wmf config/magic.xml
<magic name="WMF" offset="0" target="\327\315\306\232" />
<magic name="WMF" offset="0" target="\001\000\011\000" />
Source: ftp://ftp.nluug.nl/pub/ImageMagick/ImageMagick-6.2.5-5.tar.gz
Here are two patches to add the proper WMF magic bytes, for both file 4.10
and file 4.16 on Unix-based systems. Copy the patch to the proper
directory (/usr/share/misc on FreeBSD), and patch < patchfile. You will
probably need to generate a new magic.mgc file, normally by typing this:
# file -C -m magic
They seem to work fine on my systems, and my amavisd is now reliably
spotting .wmf files (even those named with another extension). Please let
me know if you have any issues.
Thanks,
...Eric
-------------------------------------------------------------------------
file-4.10:
*** magic Fri Dec 30 11:14:37 2005
--- magic.new Fri Dec 30 11:14:21 2005
***************
*** 1300,1306 ****
>15 string 1.0\ --\ HyperTerminal\ data\ file MS-windows
Hyperterminal
# Windows Metafont .WMF
! 0 string \327\315\306\232\000\000\000\000\000\000 ms-windows
metafont .wmf
#tz3 files whatever that is (MS Works files)
0 string \003\001\001\004\070\001\000\000 tz3 ms-works file
--- 1300,1308 ----
>15 string 1.0\ --\ HyperTerminal\ data\ file MS-windows
Hyperterminal
# Windows Metafont .WMF
! 0 string \327\315\306\232 ms-windows metafont .wmf
! 0 string \001\000\011\000 ms-windows metafont .wmf
!
#tz3 files whatever that is (MS Works files)
0 string \003\001\001\004\070\001\000\000 tz3 ms-works file
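Review bot: the description and HyperTerminal context lines in this hunk are wrapped onto a second line ("ms-windows" / "metafont .wmf" and "MS-windows" / "Hyperterminal"), so the context will not match an unmodified magic file and patch is likely to reject the hunk; resend it as an attachment or with line wrapping disabled. The new side also ends its changed block with an empty "!" line that the file-4.16 version of the same change does not have; drop it so both patches make the same edit.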
-------------------------------------------------------------------------
file-4.16:
*** magic Fri Dec 30 11:10:52 2005
--- magic.new Fri Dec 30 11:10:45 2005
***************
*** 8303,8309 ****
>15 string 1.0\ --\ HyperTerminal\ data\ file MS-windows
Hyperterminal
# Windows Metafont .WMF
! 0 string \327\315\306\232\000\000\000\000\000\000 ms-windows
metafont .wmf
#tz3 files whatever that is (MS Works files)
0 string \003\001\001\004\070\001\000\000 tz3 ms-works file
--- 8303,8310 ----
>15 string 1.0\ --\ HyperTerminal\ data\ file MS-windows
Hyperterminal
# Windows Metafont .WMF
! 0 string \327\315\306\232 ms-windows metafont .wmf
! 0 string \001\000\011\000 ms-windows metafont .wmf
#tz3 files whatever that is (MS Works files)
0 string \003\001\001\004\070\001\000\000 tz3 ms-works file
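Review bot: both replacement entries test only four bytes at offset 0 where the old entry tested ten, so any file that happens to begin with \327\315\306\232 or \001\000\011\000 will now be reported as WMF, and amavisd will block on that result; consider adding a continuation test on the bytes that follow to narrow the match. The two entries also print the identical string "ms-windows metafont .wmf", so a log line cannot tell which signature fired, and the "metafont" wording is carried over unchanged; giving each entry its own description would help when triaging blocked mail.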
-------------------------------------------------------------------------
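As an added example (not part of the original message or of file(1)/amavisd-new), the two signatures discussed above can be checked by content in a few lines of Python. It goes beyond the message by also validating the header fields that follow the magic bytes; that field layout (type, header size of 9 words, version, and the 22-byte placeable header with XOR checksum) is an assumption taken from the WMF format rather than from this thread, and all function names are hypothetical.

```python
import struct

# Signatures quoted in the message above, in magic(5) octal notation.
PLACEABLE_KEY = b"\327\315\306\232"    # D7 CD C6 9A
STANDARD_PREFIX = b"\001\000\011\000"  # type=1 (word), header size=9 (word)

def standard_header_ok(hdr):
    """Assumed layout: type, header size in words, version (little-endian words)."""
    if len(hdr) < 18:
        return False
    ftype, hsize, version = struct.unpack_from("<HHH", hdr, 0)
    return ftype in (1, 2) and hsize == 9 and version in (0x0100, 0x0300)

def classify_wmf(data):
    """Return 'placeable', 'standard', 'magic-only' or None; extension is ignored."""
    if data.startswith(PLACEABLE_KEY):
        if len(data) >= 40:
            words = struct.unpack_from("<11H", data, 0)
            xor = 0
            for w in words[:10]:
                xor ^= w
            # Word 11 of the 22-byte placeable header is the XOR of the first ten.
            if xor == words[10] and standard_header_ok(data[22:40]):
                return "placeable"
        return "magic-only"
    if data.startswith(STANDARD_PREFIX):
        return "standard" if standard_header_ok(data[:18]) else "magic-only"
    return None

def sample_standard():
    """Constructed sample: 18-byte header plus a 3-word end-of-file record."""
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0) + b"\x03\x00\x00\x00\x00\x00"

def sample_placeable():
    """Constructed sample: placeable header with valid checksum, then the above."""
    head = struct.pack("<IHhhhhHI", 0x9AC6CDD7, 0, 0, 0, 1000, 1000, 1440, 0)
    xor = 0
    for w in struct.unpack("<10H", head):
        xor ^= w
    return head + struct.pack("<H", xor) + sample_standard()

if __name__ == "__main__":
    for name, blob in [("standard", sample_standard()), ("placeable", sample_placeable()),
                       ("truncated", STANDARD_PREFIX + b"\xff" * 4), ("gif", b"GIF89a")]:
        print(name, "->", classify_wmf(blob))
```

A filter that blocks WMF should treat "magic-only" as a match too, since a file with the right signature and a malformed header is at least as suspicious as a well-formed one; the extra label only helps when reviewing what was blocked.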