Failure extracting base64 encoded image attached to email in HTML CSS

[JAF84]

ClamAV failed to extract a base64 encoded image attached to email in HTML CSS.

The attached mail.zip contains two files:

• part.html fails to extract the image because of new line in the src string, here:

  src="data:image/png;
  base64,iVBORw0KGgoA
  

• part2.html correctly extracts the image. The new line was removed, so the src looks like this:

  src="data:image/png;base64,iVBOR
  

The difference is a newline char before the "base64".

br Johannes

[micahsnyder]

Hi Johannes,

I reviewed the contents of mail.zip and see two HTML files:

• mail/part.html
• mail/part1.html

It looks to me like you're reporting an issue with ClamAV failing to extract a PNG file embedded in the HTML using base64 encoded CSS. We'd added support for extracting that in ClamAV 1.1.

part.html is the one that fails to extract the image, while part2.html correctly extracts it. The difference is that part.html has some whitespace (a new line, which is normalized into a single space) in the mime arguments.

The diff of the two files shows it clearly (note that part2 is on the left):

The clamscan --debug output also shows where this fails, because the mime argument has that space in it:

We'll need to add some logic in there to strip any whitespace in the mime args. I think that'll fix it.
The code in question is right here in mbox.c:

I don't have time to work on this right now as I'm fighting other fires. Going to mark this as a bug for now.

[JAF84]

Hello Micah,

thank you, yes this is exact the issue.

part.html was to original/bad-mail-file
part2.html was a modification of me, just for demonstration about the issue how it should work.

br johannes