[Mailman-Users] Content Filtering Scrubs PDF Attachment

Fitzpatrick, Ted Ted.Fitzpatrick at dof.ca.gov
Fri Jul 20 20:44:32 CEST 2007


Thanks, Mark. The MUA is including "application/octet-stream" as the
mime type. I didn't include this as passable because I wanted to strip
".exe" files from messages. It looks like if I want to enable
subscribers to attach PDF files, it will at the same time enable them to
attach EXE files. From the security perspective, do most Mailman admins
let EXE files pass?

Thanks,

Ted


-----Original Message-----
From: Mark Sapiro [mailto:msapiro at value.net] 
Sent: Friday, July 20, 2007 11:15 AM
To: Fitzpatrick, Ted; mailman-users at python.org
Subject: Re: [Mailman-Users] Content Filtering Scrubs PDF Attachment

Fitzpatrick, Ted wrote:
>
>When Mailman's Content Filtering is on, it is scrubbing (removing) pdf
>and png attachments,


I am guessing you mean 'removing' as in throwing away, as opposed to
'scrubbing' as in storing on the server and replacing with a link to
the stored file. If by chance, you do mean 'scrubbing' in this sense,
you need to set Non-digest options->scrub_nondigest to No in the
list's admin interface.


>even though I have entered the MIME types for these
>files as "passable." For the MIME types, I used:
>
>application/pdf
>
>image/png


These are the appropriate MIME types. The real question is why isn't
the poster's MUA putting the correct Content-Type: in the header? What
is the Content-Type of these attachments? If this is just one bogus
MUA, you could just accept the bogus Content-Type.


>The only fix I found within this list's archives was a patch to Mailman
>that sets it to use only file extensions when filtering attachments. I
>noticed debate over the security ramifications of this.


There are alternative ways to patch this. In fact, I'm not sure that
the current behavior couldn't be considered a bug.

Currently, if we have pass_filename_extensions defined, we don't accept
any parts with filenames that don't have a matching extension. I
suppose this is OK since the main inline parts we want probably don't
have filenames so aren't subject to this test. The issue is that
currently the mime types tests are applied first and the filename
extension tests are only applied to what's left. Perhaps the 'pass'
tests should be applied concurrently and a part accepted if it has a
matching mime type OR a matching extension.


>What is the best way to configure Mailman to allow PDF and PNG files to
>pass through its filtering?


Wrong question. The question should be "what's the best way to get list
members to use MUAs that properly identify the types of attachments?"
(not that I know the answer). Basically, you're dealing with
non-compliant MUAs, and given that the MUA is non-compliant, you can't
predict what it will do.

-- 
Mark Sapiro <msapiro at value.net>       The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
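The filtering order Mark describes above (the pass_mime_types test applied first, the pass_filename_extensions test only to the parts that survive it) and the alternative he proposes (accept a part if its MIME type OR its extension matches) can be made concrete with a small model. The code below is an added illustration, not Mailman's own implementation: the Part class, the keep_sequential and keep_either functions and the sample parts are all constructed for this example, and it deliberately ignores details such as collapse_alternatives. It shows why an "application/octet-stream" PDF from a non-compliant MUA is dropped under the sequential rule, why the OR rule would let it through while still dropping an .exe with no matching type or extension, and what happens to the .exe under each rule once application/octet-stream is added to the pass list as Ted considered.

```python
import os
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Part:
    """One MIME part: its declared Content-Type and, for attachments, its filename."""
    content_type: str
    filename: Optional[str] = None   # inline body parts usually carry no filename


def _extension(filename: str) -> str:
    """Lower-cased extension without the dot, '' when there is none."""
    return os.path.splitext(filename)[1].lstrip(".").lower()


def mime_matches(part: Part, pass_mime_types: List[str]) -> bool:
    """An empty pass list passes every type; otherwise the full type/subtype
    or the bare major type ("multipart", "image") must be on the list."""
    if not pass_mime_types:
        return True
    ct = part.content_type.lower()
    allowed = {t.lower() for t in pass_mime_types}
    return ct in allowed or ct.split("/", 1)[0] in allowed


def extension_matches(part: Part, pass_filename_extensions: List[str]) -> bool:
    """True only for a part that has a filename whose extension is on the list."""
    if part.filename is None:
        return False
    allowed = {e.lower().lstrip(".") for e in pass_filename_extensions}
    return _extension(part.filename) in allowed


def keep_sequential(part: Part, pass_mime_types: List[str],
                    pass_filename_extensions: List[str]) -> bool:
    """Model of the current behaviour Mark describes: the MIME pass test runs
    first and the extension pass test is applied only to what is left.
    Parts without a filename are not subject to the extension test."""
    if not mime_matches(part, pass_mime_types):
        return False
    if not pass_filename_extensions or part.filename is None:
        return True
    return extension_matches(part, pass_filename_extensions)


def keep_either(part: Part, pass_mime_types: List[str],
                pass_filename_extensions: List[str]) -> bool:
    """Model of the proposed behaviour: a part is accepted if its MIME type
    OR its filename extension matches. Note this is strictly more permissive
    than the sequential rule whenever both lists are non-empty."""
    return mime_matches(part, pass_mime_types) or \
        extension_matches(part, pass_filename_extensions)


def filter_message(parts: List[Part], pass_mime_types: List[str],
                   pass_filename_extensions: List[str], policy) -> List[Part]:
    """Return the parts a list with these settings would deliver."""
    return [p for p in parts if policy(p, pass_mime_types, pass_filename_extensions)]


# Constructed settings resembling a typical list: pass the body and the two
# document types Ted wants, and additionally restrict attachments by extension.
PASS_TYPES = ["multipart", "text/plain", "application/pdf", "image/png"]
PASS_EXTS = ["pdf", "png"]

# Constructed sample parts: a compliant MUA labels the PDF correctly, a
# non-compliant one sends it as application/octet-stream, as does the .exe.
SAMPLE_PARTS = [
    Part("text/plain"),
    Part("application/pdf", "report.pdf"),
    Part("application/octet-stream", "report.pdf"),
    Part("application/octet-stream", "setup.exe"),
]


def main() -> None:
    for name, policy in (("sequential", keep_sequential), ("either", keep_either)):
        kept = filter_message(SAMPLE_PARTS, PASS_TYPES, PASS_EXTS, policy)
        print(f"{name:10s}: {[p.filename or p.content_type for p in kept]}")
    # Ted's workaround: accept application/octet-stream as well.
    loosened = PASS_TYPES + ["application/octet-stream"]
    exe = Part("application/octet-stream", "setup.exe")
    print("octet-stream allowed, extension list set, sequential:",
          keep_sequential(exe, loosened, PASS_EXTS))
    print("octet-stream allowed, no extension list, sequential:",
          keep_sequential(exe, loosened, []))


if __name__ == "__main__":
    main()
```

Under this model the mis-labelled PDF is dropped by the sequential rule and kept by the OR rule, and the .exe is dropped by both as long as application/octet-stream stays off the pass list. Once octet-stream is added, the sequential rule still rejects setup.exe because the extension test runs on everything that passed the MIME test, whereas with no pass_filename_extensions set, or under the OR rule, the .exe is delivered. The practical consequence for an admin is that the extension list, not the MIME list, is what keeps the .exe out once a generic type has to be allowed.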
