On 2023-08-03 at 12:21:11 UTC-0400 (Thu, 3 Aug 2023 12:21:11 -0400)
Jared Hall <ja...@jaredsec.com>
is rumored to have said:

> SA v3.4.6:
>
> Consider an Email with a UTF-8 attachment name: ®Payroll_stubs.Htm defined by the MIME header:
>
> Content-Disposition: attachment; filename*0*=utf-8''%C2%AEPayroll_stubs.Htm
>
> A Perl Unicode-formatted rule fails:
>
> mimeheader __JR_EXPLOIT_ATT_UTF        Content-Disposition =~ /(\xC2\xAEPayroll_stubs\.Htm)([";']?|$)/
>
> The more native (raw) formatted rule works even without specifying "Content-Disposition:raw":
>
> mimeheader __JR_EXPLOIT_ATT_UTF        Content-Disposition =~ /(%C2%AEPayroll_stubs\.Htm)([";']?|$)/
>
> How does SA handle UTF-8 filenames?

That is dependent on the value of normalize_charset (and possibly also on your Perl version but that would be due to bugs in Perl.)

It may also vary by platform, as substantial improvement in Unicode handling was made between 3.4.x and 4.x and some distros that cherry-pick improvements may have backported fixes into what they call '3.4.6'.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
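
An added illustration, not from either poster and not SpamAssassin code, of why the two patterns quoted above can disagree: it decodes the RFC 2231 filename parameter from the thread and applies both patterns to three possible representations of the value. Which representation a given SpamAssassin build passes to mimeheader rules is not established here; the function and constant names are hypothetical.

```python
import re
from urllib.parse import unquote_to_bytes

# Header value quoted in the thread above.
RAW_HEADER = "attachment; filename*0*=utf-8''%C2%AEPayroll_stubs.Htm"

# The two rule patterns from the thread.
RULE_ESCAPED = r"""(\xC2\xAEPayroll_stubs\.Htm)([";']?|$)"""
RULE_PERCENT = r"""(%C2%AEPayroll_stubs\.Htm)([";']?|$)"""

# filename*=..., filename*0*=..., filename*1=... (RFC 2231 sections 3 and 4)
SEGMENT = re.compile(r";\s*filename\*(\d*)(\*?)=([^;]*)")


def rfc2231_filename(header):
    """Return (charset, octets) for an RFC 2231 filename parameter."""
    segs = []
    for m in SEGMENT.finditer(header):
        idx, star, val = m.groups()
        # "filename*=" (no index) is a single percent-encoded value.
        segs.append((int(idx or 0), bool(star) or idx == "", val.strip()))
    segs.sort()
    charset, octets = "us-ascii", b""
    for idx, encoded, val in segs:
        if encoded and idx == 0:
            # The first encoded segment carries charset'language'value.
            charset, _lang, val = val.split("'", 2)
        if encoded:
            octets += unquote_to_bytes(val)
        else:
            octets += val.strip('"').encode("ascii")
    return charset, octets


def rule_hits(header):
    """Map each representation to (RULE_ESCAPED hit, RULE_PERCENT hit)."""
    charset, octets = rfc2231_filename(header)
    views = {
        "raw header": header,                          # percent-encoded, as sent
        "decoded octets": octets.decode("latin-1"),    # one char per UTF-8 byte
        "decoded characters": octets.decode(charset),  # U+00AE as a single char
    }
    return {name: (bool(re.search(RULE_ESCAPED, text)),
                   bool(re.search(RULE_PERCENT, text)))
            for name, text in views.items()}


if __name__ == "__main__":
    for view, hits in rule_hits(RAW_HEADER).items():
        print(f"{view:20} escaped={hits[0]} percent={hits[1]}")
```

Only the percent-encoded pattern matches the header as sent, and the \xC2\xAE pattern matches only when the value has been percent-decoded but is still treated as individual octets.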
