... darkrealms ...

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

MBSE

The Linux/FreeBSD MBSE BBS Support Echo

2,445 messages

[ << oldest | < older | list | newer > | newest >> ]

Message 2,136 of 2,445

Andrew Leary to Niels Haedecke

Another fix regarding reading/listing pr

05 Dec 20 21:31:08

   REPLY: 2:240/8002@fidonet 5a68b741   
   MSGID: 1:320/219@fidonet 5fcc4486   
   CHRS: CP437 2   
   TZUTC: -0500   
   TID: MBSE-FIDO 1.0.7.20 (GNU/Linux-x86_64)   
   Hello Niels!   
      
   05 Dec 20 17:13, you wrote to me:   
      
    NH> Hi Andrew,   
      
    NH> One of my users has found and reported to me another issue with   
    NH> regards to reading / listing private messages. While the fix in commit   
    NH> [942e85] works for local, private echos, it does not take into account   
    NH> the possibillity of two users having the same name (e.g. "Tom Smith")   
    NH> but different AKAs. Since the fix in [942e85] does not check the From   
    NH> / To addresses this may lead to the possibility of a user"Tom   
    NH> Smith@1:2/3" reading and being able to list messages for "Tom   
    NH> Smith@3:4/5".   
      
   This check should only be applied in NetMail areas.  EchoMail areas, by    
   definition, do not specify a destination address, but only a to name.  There    
   is no way, using standard FTN technology, to address an EchoMail message, even    
   one flagged as private, to only Tom Smith@3:4/5 but not Tom Smith@1:2/3.  The    
   message would be sent to all nodes connected to the echo, and any Tom Smith    
   would be able to read them on any node in the echo.   
      
    NH> I've already fixed the if (..) statments in mail.c (lines 1116, 1258   
    NH> and 1909) and will provide a proper pull request in the next few days.   
    NH> I just wanted to inform you that there is still a security issue and   
    NH> that there is work being done to fix it.   
      
   I will certainly look at the pull request when you send it, and evaluate    
   accordingly.   
      
   Andrew   
      
   --- GoldED+/LNX 1.1.5-b20180707   
    * Origin: Phoenix BBS * phoenix.bnbbbs.net (1:320/219)   
   SEEN-BY: 1/19 123 16/0 18/200 90/1 103/705 105/81 120/340 123/130   
   SEEN-BY: 123/131 124/5016 154/10 203/0 124 221/0 1 226/30 227/114   
   SEEN-BY: 229/101 275 424 426 452 550 664 1016 230/0 240/5832 249/110   
   SEEN-BY: 249/206 317 400 261/38 280/464 5003 288/100 292/854 8125   
   SEEN-BY: 317/3 320/119 219 319 322/0 757 342/200 396/45 423/120 633/280   
   SEEN-BY: 712/848 770/1 2452/250   
   PATH: 320/219 203/0 280/464 229/101 426

[ << oldest | < older | list | newer > | newest >> ]