Pythonfilter attachments

Pythonfilter attachments

Alessandro Vesely
Hi all,

I revamped attachments.py in order to catch Javascript Trojans inside a zip,
which were driving me crazy.  While I added that, I removed the configurable
archive.  The attached flavor of the filter rejects just the extensions
hardcoded in the source.

Enjoy
Ale

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
courier-users mailing list
[hidden email]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users

attachments.py (4K) Download Attachment

Re: Pythonfilter attachments

Gordon Messmer-2
On 02/08/2017 10:24 AM, Alessandro Vesely wrote:
> I revamped attachments.py in order to catch Javascript Trojans inside
> a zip, which were driving me crazy.


The current version supports libarchive, which should allow you to
blacklist file types inside zip files, as well.



Re: Pythonfilter attachments

Szépe Viktor
Quoting Gordon Messmer <[hidden email]>:

> On 02/08/2017 10:24 AM, Alessandro Vesely wrote:
>> I revamped attachments.py in order to catch Javascript Trojans inside
>> a zip, which were driving me crazy.
>
>
> The current version supports libarchive, which should allow you to
> blacklist file types inside zip files, as well.

Could you mention it in the config file?
https://github.com/szepeviktor/courier-pythonfilter/blob/master/pythonfilter.conf#L84

Thanks.



SZÉPE Viktor
https://github.com/szepeviktor/debian-server-tools/blob/master/CV.md
--
+36-20-4242498  [hidden email]  skype: szepe.viktor
Budapest, III. kerület






Re: Pythonfilter attachments

Alessandro Vesely
In reply to this post by Gordon Messmer-2
On Wed 08/Feb/2017 22:11:53 +0100 Gordon Messmer wrote:
> On 02/08/2017 10:24 AM, Alessandro Vesely wrote:
>> I revamped attachments.py in order to catch Javascript Trojans inside
>> a zip, which were driving me crazy.
>
> The current version supports libarchive, which should allow you to
> blacklist file types inside zip files, as well.

Yup, that's right.  I hadn't got it.  I re-introduced support for libarchive, and have been using my alternative version since then.  Today I added the .ace extension, after I found a Trojan-PSW.Win32.Fareit.cxcl wrapped that way.

It may be safer to just use all available filters.  However, the original attachments.py fails like so:

Initialized the "attachments" python filter
Traceback (most recent call last):
  File "../courier-pythonfilter/courier-pythonfilter-1.11/filters/attachments.py", line 111, in <module>
    print doFilter(sys.argv[1], [])
  File "../courier-pythonfilter/courier-pythonfilter-1.11/filters/attachments.py", line 90, in doFilter
    if filename and checkArchive(filename, part):
  File "../courier-pythonfilter/courier-pythonfilter-1.11/filters/attachments.py", line 52, in checkArchive
    if fparts[-1].lower() in libarchive.FILTERS:
AttributeError: 'module' object has no attribute 'FILTERS'

If I patch it as attached, it throws no exception, but doesn't block an .exe inside an .ace either.  Indeed, in python, I see .ace is not set:

Python 2.7.9 (default, Jun 29 2016, 13:08:31)
[GCC 4.9.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import libarchive
>>> libarchive.ffi.READ_FILTER
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
AttributeError: 'module' object has no attribute 'READ_FILTER'
>>> libarchive.ffi.READ_FILTERS
set([u'lzma', u'all', u'uu', u'lzop', u'compress', u'bzip2', u'lzip', u'xz', u'lrzip', u'gzip', u'grzip', u'rpm', u'none'])
>>> libarchive.ffi.READ_FORMATS
set([u'all', u'zip', u'tar', u'lha', u'iso9660', u'7zip', u'xar', u'mtree', u'cpio', u'raw', u'ar', u'rar', u'cab', u'empty'])
>>>

I've published my alternative version here:
https://www.tana.it/sw/pythonfilter_attachments/

Ale
--




patch.txt (846 bytes) Download Attachment
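
The check this thread is about (refusing mail whose zip attachment hides a script, and refusing by name archive types such as .ace that the scanner cannot open), as an added Python 3 example; it is not the attachments.py from courier-pythonfilter nor the alternative version posted above. The extension lists, the function names and the sample message are assumptions made for illustration, and it reads zips with the standard zipfile module rather than libarchive.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Assumed policy for this example, not the lists in attachments.py.
BLOCKED_EXT = {".js", ".jse", ".vbs", ".wsf", ".exe", ".scr"}
OPAQUE_EXT = {".ace"}  # containers the scanner cannot open: refuse by name
MAX_DEPTH = 2          # levels of zip-in-zip to follow

def ext_of(name):
    return name[name.rfind("."):].lower() if "." in name else ""

def check_file(name, data, depth=0):
    """Return a rejection reason for one file, or None if it passes."""
    ext = ext_of(name)
    if ext in BLOCKED_EXT or ext in OPAQUE_EXT:
        return "blocked extension: " + name
    if ext != ".zip":
        return None
    if depth >= MAX_DEPTH:
        return "archive nested too deeply: " + name
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                # Names come from the zip directory; only a nested zip is unpacked.
                inner = zf.read(info) if ext_of(info.filename) == ".zip" else b""
                reason = check_file(info.filename, inner, depth + 1)
                if reason:
                    return reason + " (inside " + name + ")"
    except Exception:  # fail closed: corrupt, encrypted or unsupported archive
        return "unreadable archive: " + name
    return None

def check_message(raw):
    """Return the rejection reasons for all named parts of a raw message."""
    parts = [p for p in message_from_bytes(raw).walk() if p.get_filename()]
    found = [check_file(p.get_filename(), p.get_payload(decode=True) or b"") for p in parts]
    return [r for r in found if r]

def sample_message(member):  # constructed sample: invoice.zip with one member
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "constructed placeholder")
    msg = EmailMessage()
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()
```
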

Re: Pythonfilter attachments

Gordon Messmer-2
On 07/25/2017 09:53 AM, Alessandro Vesely wrote:
> I've published my alternative version here:
> https://www.tana.it/sw/pythonfilter_attachments/


I'll take a look at that shortly.  Thanks.

