Re: [pmg-devel] [PATCH pmg-api v2 2/2] ruledb: content-type: add flag for matching only based on magic/content

From: Stoiko Ivanov <s.ivanov@proxmox.com>
To: Friedrich Weber <f.weber@proxmox.com>
Cc: pmg-devel@lists.proxmox.com
Subject: Re: [pmg-devel] [PATCH pmg-api v2 2/2] ruledb: content-type: add flag for matching only based on magic/content
Date: Wed, 19 Feb 2025 13:22:15 +0100	[thread overview]
Message-ID: <Z7XM99cpDqek_1vf@rosa.proxmox.com> (raw)
In-Reply-To: <ab5bd9b1-cb08-4b77-8e1b-64eab07ac191@proxmox.com>

On Tue, Feb 18, 2025 at 06:18:13PM +0100, Friedrich Weber wrote:
> On 18/02/2025 14:54, Stoiko Ivanov wrote:
> > our current content-type matching is sensibly quite cautious in
> > matching if any available information indicates a potential match:
> > * mime-type detection based on file contents
> > * mime-type detection based on file suffix
> > * content-type header
> > 
> > Sometimes this can lead to surprises (e.g. when a MUA sets the
> > filetype of a pdf to application/octet-stream (the default type if no
> > information is available), or a filter for zip-files matching
> > docx-files.
> > 
> > This change gives users the option to restrict matching only on the
> > content as detected by xdg_mime_get_mime_type_for_data.
> > 
> > This is a fix for the intial request in #2691 and addresses the
> > suggestion from Friedrich from:
> > https://bugzilla.proxmox.com/show_bug.cgi?id=5618#c2
> 
> 
> Thanks for tackling this! I think having a flag like only-content makes
> sense.
> 
> I tested this a bit and there seems to be one issue, steps to reproduce:
> 
> - add a What object with a Content Type Filter for application/pdf,
> enable the new "Ignore header information" flag
> 
> - create a rule that blocks incoming mails matching this What object
> 
> - send an email with a random 1K blob as attachment that sets
> Content-Type: application/pdf and some non-descriptive filename for the
> attachment:
> 
> swaks --from [...] --to [...] --server [...] --attach-type
> application/pdf --attach-name foo.bin --attach <(dd if=/dev/urandom
> bs=1k count=1)
> 
> The email is blocked by the rule. But I would expect it to be accepted,
> because the `xdg_mime_get_mime_type_for_data` shouldn't recognize the
> random blob as PDF, and the user-provided Content-Type application/pdf
> should be ignored.
> 
> I think the email is accepted because the magic ct [1] defaults to the
> user-provided Content-Type and since `xdg_mime_get_mime_type_for_data`
> returns application/octet-stream, we're keep it at the user-provided
> Content-Type. I guess it would be nicer if the magic wouldn't default to
> the user-provided Content-Type if "Ignore header information" is
> enabled, but I'm not sure how easily this can be done.
> 
> [1]
> https://git.proxmox.com/?p=pmg-api.git;a=blob;f=src/PMG/Utils.pm;h=0b8945f245;hb=6bbc222#l623

Thanks big-time for the testing, issue-finding and analysis of the cause!
reworked the content-type finding in Utils.pm - after quickly checking
where we rely on that information:
https://lore.proxmox.com/pmg-devel/20250219121851.110090-1-s.ivanov@proxmox.com/T/#t

>..snip..

_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel