What I REALLY like about this is that it performs a straight-forward "are you what you say you are?" test, rather than the more nebulous and error-prone "are you not what you pretend to be?"
Thanks for posting this, Tomasz!

Ken

-----Original Message-----
From: Tomasz Ostrowski [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 28, 2004 4:56 AM
To: [EMAIL PROTECTED]
Subject: [Mimedefang] JPEG exploit checking in mimedefang-filter

I have written a quick and dirty checking for corrupt jpeg files in mimedefang-filter. It uses program "djpeg", which should be in most Linux and Unices distributions, to convert the file to bitmap writing in /dev/null. It lets the file in, if it manages to successfully convert it, or rejects it otherwise.

It should catch the latest JPEG virus. At least it catches the sample I have found here: http://www.easynews.com/virus.html

###################################################################
# New function: check for corrupted JPEG files
sub filter_corrupt_jpeg ($) {
    my($entity) = @_;
    if (re_match($entity, '\.jp(e?)g$') ) {
        my $bh = $entity->bodyhandle();
        if (defined($bh)) {
            my $path = $bh->path();
            if (defined($path)) {
                my($code, $category, $action) = run_virus_scanner(
                    "djpeg -fast -dither none -grayscale -scale 1/8 -outfile /dev/null $path"
                );
                if ($action ne 'proceed') {
                    return $code;
                }
                if ($code) {
                    return $code;
                }
            }
        }
    }
    return 0;
}
###################################################################

###################################################################
# This should go in filter() function
if (filter_corrupt_jpeg($entity)) {
    md_graphdefang_log('corrupt_jpeg', $fname, $type);
    action_bounce("Access denied. Corrupt file $fname not allowed.", "554", "5.7.1");
    return action_discard();
}
###################################################################

Regards
Tometzky
--
...although Eating Honey was a very good thing to do, there was a moment just before you began to eat it which was better than when you were...
                                                      Winnie the Pooh

_______________________________________________
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
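
A variant of the decode check from the post above that runs djpeg with an argument list instead of a shell command string and bounds how long the decoder may run. This is an added example, not code from the original post or from MIMEDefang; the name jpeg_decode_status, the 10-second default and the three return strings are assumptions made for illustration, and djpeg is assumed to be on the PATH.

```perl
use strict;
use warnings;
use POSIX ();

# Hypothetical helper (not a MIMEDefang API). Returns 'ok' only when djpeg
# decoded the file cleanly; 'corrupt' or 'error' otherwise.
sub jpeg_decode_status {
    my ($path, $timeout) = @_;
    $timeout ||= 10;    # assumed default, in seconds
    return 'error' unless defined $path && -f $path && -r _;

    # Same djpeg options as the original post, passed as a list.
    my @cmd = ('djpeg', '-fast', '-dither', 'none', '-grayscale',
               '-scale', '1/8', '-outfile', '/dev/null', $path);

    my $pid = fork();
    return 'error' unless defined $pid;
    if ($pid == 0) {
        # Child: discard decoder output, then exec without a shell so the
        # path is never subject to shell parsing.
        open(STDOUT, '>', '/dev/null') or POSIX::_exit(127);
        open(STDERR, '>', '/dev/null') or POSIX::_exit(127);
        exec { $cmd[0] } @cmd or POSIX::_exit(127);
    }

    # Parent: wait for the decoder, but not forever.
    my $status;
    my $finished = eval {
        local $SIG{ALRM} = sub { die "timeout\n" };
        alarm($timeout);
        waitpid($pid, 0);
        $status = $?;
        alarm(0);
        1;
    };
    unless ($finished) {
        alarm(0);
        kill 'KILL', $pid;
        waitpid($pid, 0);    # reap the killed child
        return 'error';      # timed out: decoder did not finish
    }

    return 'corrupt' if $status & 127;      # decoder died on a signal
    my $exit = $status >> 8;
    return 'ok'      if $exit == 0;
    return 'error'   if $exit == 127;       # djpeg could not be executed
    return 'corrupt';                       # djpeg reported a decode problem
}

print jpeg_decode_status($ARGV[0]), "\n" if @ARGV;
```

In a filter, only 'ok' should let the attachment through; 'error' means the check itself could not be completed and is a candidate for a temporary failure rather than a pass.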