On Tue, Sep 16, 2014 at 01:41:36PM -0500, Noel Jones wrote: > I've used the below for a few years with good results. It's better, > but surely not perfect. > > > # block windows executables PCRE > /^\s*Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)( > ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta| > inf|ins|isp|js|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws| > ops|pcd|pif|prf|reg|scf|scr|sct|shb|shs|shm|swf| > vb|vbe|vbs|vbx|vxd|wsc|wsf|wsh))(\?=)?"?\s*$/x
This assumes that "name" or "filename" is the last attribute in the header. It might instead be followed by a ";" and more attributes. So for a bit more generality, try the below: # block windows executables PCRE /^\s*Content-(?:Disposition|Type): # Header label (?:.*?;)? \s* # Any prior attributes (?:file)?name\s*=\s*"? # name or filename ( # Capture name for response .*?(\.|=2E) # File basename and "." (ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta| inf|ins|isp|js|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws| ops|pcd|pif|prf|reg|scf|scr|sct|shb|shs|shm|swf| vb|vbe|vbs|vbx|vxd|wsc|wsf|wsh) # Capture risky extensions ) # Close capture (?:\?=)? # Trailer of ad-hoc RFC 2047 encoding "? # Optional close quote \s*(;|$) # End of attribute or header /x [ untested ] -- Viktor.