Bug 3157 - SA vs. Sanitizer: defanged image tags?
Status: RESOLVED WORKSFORME
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Rules
Version: 2.63
Hardware: Other other
: P5 normal
Target Milestone: 3.0.0
Assignee: SpamAssassin Developer Mailing List
Reported: 2004-03-11 10:00 UTC by John Hardin
Modified: 2004-03-11 01:41 UTC

Description John Hardin 2004-03-11 10:00:54 UTC
If the Procmail Sanitizer is in use and has web-bug sanitizing enabled, IMG tags
become DEFANGED_IMG tags.

Do the SA tests for images (size, proportion to text, etc.) take this into
account, in case SA is being used after the Sanitizer?

In other words, do the tests check for /<IMG/i or /<(DEFANGED_)?IMG/i?

If they don't consider defanged images as images, they should.

Thanks.
Comment 1 Theo Van Dinter 2004-03-11 10:16:29 UTC
> Do the SA tests for images (size, proportion to text, etc.) take this into
> account, in case SA is being used after the Sanitizer?

Nope.

> If they don't consider defanged images as images, they should.

I don't think so.  We can't possibly support every type of filtering that 
could happen pre-SA.
Comment 2 John Hardin 2004-03-11 10:30:19 UTC
Granted.

Ok, how about some way for the end-user to make such a configuration change when
the rules are looking for specific tags?

Perhaps something like this in the config file:

   IMAGE_TAG_RE  /<(DEFANGED_)?IMG\s/i

to override the default RE?

Extend to other specific HTML tags that are being checked.
Comment 3 Theo Van Dinter 2004-03-11 10:35:22 UTC
I think that's going to make the code and any regular expressions used horribly complicated, and likely very slow.

Again, we really do not want to get in the business of supporting what potentially could filter/markup/etc the mail before it hits SA.
Comment 4 John Hardin 2004-03-11 10:41:34 UTC
OK. Thanks.
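
The mismatch discussed in this thread, as an added example that is not part of the bug report and is not SpamAssassin or Sanitizer code: a toy image-heavy check run with the `/<IMG/i`-style pattern and with the override proposed in comment 2. It is written in Python rather than SpamAssassin's Perl; the default pattern, the threshold, the sample HTML and the `re.sub` stand-in for the Sanitizer's rewrite are assumptions, and `IMAGE_TAG_RE` remains a proposed setting, not an existing option.

```python
import re

# Assumed default, modelled on the /<IMG/i test quoted in the report.
DEFAULT_IMAGE_TAG_RE = re.compile(r"<IMG\s", re.I)
# Override proposed in comment 2 (hypothetical setting, not a real SA option).
SANITIZER_IMAGE_TAG_RE = re.compile(r"<(DEFANGED_)?IMG\s", re.I)

TAG_RE = re.compile(r"<[^>]*>")


def image_stats(html, image_tag_re):
    """Return (image_count, visible_text_chars_per_image or None)."""
    images = sum(1 for _ in image_tag_re.finditer(html))
    # Strip every tag, then collapse whitespace to measure visible text.
    text = " ".join(TAG_RE.sub(" ", html).split())
    per_image = len(text) / images if images else None
    return images, per_image


def mostly_images(html, image_tag_re, max_chars_per_image=20):
    """Toy image-heavy check: little visible text for each image tag."""
    images, per_image = image_stats(html, image_tag_re)
    return images > 0 and per_image <= max_chars_per_image


# Constructed sample: the same body before and after web-bug sanitizing.
ORIGINAL = ('<html><body><p>Click now</p>'
            '<img src="http://example.invalid/a.gif" width=600 height=400>'
            '<IMG SRC="http://example.invalid/b.gif" width=1 height=1>'
            '</body></html>')
# Stand-in for the Sanitizer's rewrite of IMG tags to DEFANGED_IMG.
SANITIZED = re.sub(r"<IMG(?=\s)", "<DEFANGED_IMG", ORIGINAL, flags=re.I)

if __name__ == "__main__":
    for label, body in (("original", ORIGINAL), ("sanitized", SANITIZED)):
        for name, rx in (("default", DEFAULT_IMAGE_TAG_RE),
                         ("override", SANITIZER_IMAGE_TAG_RE)):
            print(label, name, image_stats(body, rx), mostly_images(body, rx))
```

With the default pattern the sanitized body reports zero images, so the image-heavy check no longer fires; the override restores the same counts as the unsanitized message.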