Bugtraq mailing list archives
Re: base64
From: MightyE <trash () mightye org>
Date: Thu, 25 Sep 2003 14:21:41 -0400
This is a remarkably good and simple approach (thus I'm a bit abashed that I didn't think of it), and permits liberal acceptance, with out exposing the user to a targeted intentional malformation of base64 encoded data. Accept all mis formed data, make a best guest as to what it is (or follow RFC on how to handle this where applicable), check the result, and pending acceptance, write it to the user's mail file, in its newly interpreted form.
Eric Stevens mightye a@t mightye d.o.t org Bennett Todd wrote:
2003-09-25T09:06:58 MightyE:There are two methods which you can use in the writing of your email virus scanner; you can either decode it every known way that any client does so, [...] Alternatively you can accept it only if it is properly encoded, [...]There's a third method, which I think is rather better than either of those. You can re-code everything into a canonical form. Some email client drop some punctuation characters in filenames? Delete all such characters from filenames. Different tools handle various i18n encoded filenames differently? Map to US-ASCII. Enforce length limits. Recode base64. Recode uuencoded chunks. Regularize non-standard MIME. Do all this canonicalization before the message hits your attachment type policy enforcement and malware scanner, so they only have to deal with the common forms that everybody handles the same. -Bennett
Current thread:
- Re: base64, (continued)
- Re: base64 David Wilson (Sep 24)
- Re: base64 der Mouse (Sep 24)
- Re: base64 Earl Hood (Sep 26)
- RE: base64 latte (Sep 23)
- Re: base64 Ilya Teterin (Sep 23)
- Re: base64 MightyE (Sep 24)
- Re: base64 Buck Huppmann (Sep 24)
- Re: base64 Andrew Church (Sep 25)
- Message not available
- Re: base64 MightyE (Sep 25)
- Re: base64 Bennett Todd (Sep 25)
- Re: base64 MightyE (Sep 25)
- Re: base64 Earl Hood (Sep 26)
- Re: base64 Bennett Todd (Sep 26)
- Re[2]: base64 3APA3A (Sep 26)
- RE: base64 Alun Jones (Sep 26)
- Re: base64 Bennett Todd (Sep 26)
- Re: base64 Buck Huppmann (Sep 24)
- Re: base64 Bennett Todd (Sep 26)