On Tue, Sep 16, 2014 at 01:41:36PM -0500, Noel Jones wrote:

> I've used the below for a few years with good results.  It's better,
> but surely not perfect.
> 
> 
> # block windows executables PCRE
> /^\s*Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(
>  ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|
>  inf|ins|isp|js|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|
>  ops|pcd|pif|prf|reg|scf|scr|sct|shb|shs|shm|swf|
>  vb|vbe|vbs|vbx|vxd|wsc|wsf|wsh))(\?=)?"?\s*$/x

This assumes that "name" or "filename" is the last attribute in
the header.  It might instead be followed by a ";" and more
attributes.  So for a bit more generality, try the below:

    # block windows executables PCRE
    /^\s*Content-(?:Disposition|Type):  # Header label
      (?:.*?;)? \s*                     # Any prior attributes
      (?:file)?name\s*=\s*"?            # name or filename
       (                                # Capture name for response
         .*?(\.|=2E)                    # File basename and "."
         (ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|
          inf|ins|isp|js|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|
          ops|pcd|pif|prf|reg|scf|scr|sct|shb|shs|shm|swf|
          vb|vbe|vbs|vbx|vxd|wsc|wsf|wsh)       # Capture risky extensions
       )                                # Close capture
       (?:\?=)?                         # Trailer of ad-hoc RFC 2047 encoding
       "?                               # Optional close quote
       \s*(;|$)                         # End of attribute or header
     /x

[ untested ]

-- 
        Viktor.
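To see the difference the extra generality makes, here is an added Python check that is not part of the original message: it runs both patterns over a few constructed headers, using Python's re module in place of Postfix's PCRE (the constructs used here behave the same). It assumes the case-insensitive matching that Postfix pcre tables apply by default, and the capture groups are rearranged so the file name is group 1 in both patterns.

```python
import re

# Extension alternation shared by both patterns in the thread.
EXTENSIONS = r'''
    ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|
    inf|ins|isp|js|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|
    ops|pcd|pif|prf|reg|scf|scr|sct|shb|shs|shm|swf|
    vb|vbe|vbs|vbx|vxd|wsc|wsf|wsh'''

# Postfix pcre tables match case-insensitively by default, hence re.I.
# Noel's pattern: name= has to be the last attribute on the header line.
# (Disposition|Type) made non-capturing so the file name is group 1 here too.
ORIGINAL = re.compile(
    r'^\s*Content-(?:Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)('
    + EXTENSIONS + r'))(\?=)?"?\s*$', re.X | re.I)

# Viktor's pattern: name= may be followed by ";" and further attributes.
IMPROVED = re.compile(
    r'''^\s*Content-(?:Disposition|Type):   # header label
        (?:.*?;)? \s*                       # any prior attributes
        (?:file)?name\s*=\s*"?              # name or filename
        (.*?(\.|=2E)(''' + EXTENSIONS + r'''))  # basename, ".", risky extension
        (?:\?=)?                            # trailer of ad-hoc RFC 2047 encoding
        "?                                  # optional close quote
        \s*(;|$)                            # end of attribute or header
    ''', re.X | re.I)

def blocked_name(pattern, header):
    """Return the attachment name the pattern would reject, or None."""
    m = pattern.search(header)
    return m.group(1) if m else None

# Constructed sample headers; Postfix hands header_checks each header unfolded.
SAMPLES = {
    "last": 'Content-Disposition: attachment; filename="setup.exe"',
    "trailing": 'Content-Disposition: attachment; filename="setup.exe"; size=12345',
    "encoded": 'Content-Type: application/octet-stream; name="=?utf-8?q?invoice=2Eexe?="',
    "safe": 'Content-Type: text/plain; charset="us-ascii"; name="notes.txt"',
}

def compare():
    """Map each sample to (original match, improved match) for side-by-side review."""
    return {k: (blocked_name(ORIGINAL, h), blocked_name(IMPROVED, h))
            for k, h in SAMPLES.items()}

if __name__ == "__main__":
    for label, (old, new) in compare().items():
        print(f"{label:9s} original={old!r:26s} improved={new!r}")
```

The "trailing" sample is the case the reply describes: the original pattern misses it because the name is no longer the last attribute, while the improved one still rejects it.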