Fitzpatrick, Ted wrote:
Thanks, Mark. The MUA is including "application/octet-stream" as the
mime type. I didn't include this as passable because I wanted to strip
".exe" files from messages. It looks like if I want to enable
subscribers to attach PDF files, it will at the same time enable them to
attach EXE files. From the security perspective, do most Mailman admins
let EXE files pass?
You'll want to test all this to be sure, but there's already a default
list of extensions in filter_filename_extensions which is 'exe',
'bat', 'cmd', 'com', 'pif', 'scr', 'vbs', 'cpl' which should block any
'named' attachments with those extensions.
However, if you add 'application/octet-stream' to pass_mime_types and
put 'pdf' and 'png' in pass_filename_extensions you should wind up
accepting named with extension attachments with only .png and .pdf
extensions. You will also accept an application/octet-stream
attachment without an extension, but this may not be particularly
risky, at least to those users with systems that identify a file type
by extension.
So no, it is not a good idea to allow .exe attachments on your list,
but you can allow some application/octet-stream files and still not
allow .exe files.
--
Mark Sapiro <msapiro at value.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
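
An added illustration, not part of the original thread and not Mailman's own code: a simplified Python model of the pass/filter decision described in the reply above, run over a constructed message. The setting names and extension lists come from the post; the helper names, the other MIME types in the pass list, and the sample attachments are assumptions.

```python
from email.message import EmailMessage

# Values from the post; the logic below is a simplified model of the behaviour
# the reply describes, not Mailman's filter implementation.
FILTER_FILENAME_EXTENSIONS = {'exe', 'bat', 'cmd', 'com', 'pif', 'scr', 'vbs', 'cpl'}
PASS_FILENAME_EXTENSIONS = {'pdf', 'png'}
# 'multipart' and 'text/plain' are assumed entries so the body itself passes.
PASS_MIME_TYPES = {'multipart', 'text/plain', 'application/octet-stream'}


def extension(filename):
    """Return the lower-cased final extension, or '' when there is none."""
    if not filename or '.' not in filename:
        return ''
    return filename.rsplit('.', 1)[1].lower()


def part_passes(part, pass_mime_types=PASS_MIME_TYPES):
    """Decide whether one MIME part survives filtering in this model."""
    ctype = part.get_content_type()
    if ctype not in pass_mime_types and part.get_content_maintype() not in pass_mime_types:
        return False                  # MIME type is not on the pass list
    ext = extension(part.get_filename())
    if not ext:
        return True                   # no extension: only the MIME type decides
    if ext in FILTER_FILENAME_EXTENSIONS:
        return False                  # explicitly blocked extension
    return ext in PASS_FILENAME_EXTENSIONS


def surviving_attachments(msg, pass_mime_types=PASS_MIME_TYPES):
    """Filenames of the attachments that would be kept."""
    return [p.get_filename() for p in msg.iter_attachments()
            if part_passes(p, pass_mime_types)]


def build_sample():
    """Constructed message: every attachment is sent as application/octet-stream."""
    msg = EmailMessage()
    msg['Subject'] = 'constructed sample'
    msg.set_content('body text')
    for name in ('report.pdf', 'setup.exe', 'notes.docx', 'blob', 'Invoice.PDF.exe'):
        msg.add_attachment(b'x', maintype='application',
                           subtype='octet-stream', filename=name)
    return msg


if __name__ == '__main__':
    print(surviving_attachments(build_sample()))
```

The double-extension name is judged on its final extension, and the extension-less `blob` passes on MIME type alone, which is the residual case the reply mentions.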