Subj : Another fix regarding reading/listing prvt. msgs.
To : Niels Haedecke
From : Andrew Leary
Date : Sat Dec 05 2020 09:31 pm
Hello Niels!
05 Dec 20 17:13, you wrote to me:
NH> Hi Andrew,
NH> One of my users has found and reported to me another issue with
NH> regards to reading / listing private messages. While the fix in commit
NH> [942e85] works for local, private echos, it does not take into account
NH> the possibility of two users having the same name (e.g. "Tom Smith")
NH> but different AKAs. Since the fix in [942e85] does not check the From
NH> / To addresses this may lead to the possibility of a user "Tom
NH> Smith@1:2/3" reading and being able to list messages for "Tom
NH> Smith@3:4/5".
This check should only be applied in NetMail areas. EchoMail areas, by
definition, do not specify a destination address, but only a to name. There
is no way, using standard FTN technology, to address an EchoMail message, even
one flagged as private, to only Tom Smith@3:4/5 but not Tom Smith@1:2/3. The
message would be sent to all nodes connected to the echo, and any Tom Smith
would be able to read it on any node in the echo.
NH> I've already fixed the if (..) statements in mail.c (lines 1116, 1258
NH> and 1909) and will provide a proper pull request in the next few days.
NH> I just wanted to inform you that there is still a security issue and
NH> that there is work being done to fix it.
I will certainly look at the pull request when you send it, and evaluate
accordingly.
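
The access rule discussed in this exchange, as an added sketch that is not part of the original message and is not MBSE's mail.c code: a private message is shown only on a name match, and in NetMail areas the destination address must match as well. The type names, function names, the single reader address and the case-insensitive name comparison are assumptions made for the example.

```c
#include <stdio.h>
#include <strings.h>

/* Hypothetical types for this sketch; not MBSE's own structures. */
enum area_kind { AREA_NETMAIL, AREA_ECHOMAIL };
struct ftn_addr { int zone, net, node, point; };

/* Parse "zone:net/node[.point]". Returns 1 on success, 0 on malformed input. */
int ftn_parse(const char *s, struct ftn_addr *a)
{
    int used = 0, more = 0;

    a->point = 0;
    if (s == NULL || sscanf(s, "%d:%d/%d%n", &a->zone, &a->net, &a->node, &used) != 3)
        return 0;
    if (s[used] == '.') {               /* optional point number */
        if (sscanf(s + used, ".%d%n", &a->point, &more) != 1)
            return 0;
        used += more;
    }
    /* Reject trailing garbage and negative fields. */
    return s[used] == '\0' && a->zone >= 0 && a->net >= 0 && a->node >= 0 && a->point >= 0;
}

/* May this reader list or read a private message? to_addr is ignored for EchoMail. */
int may_read_private(enum area_kind kind, const char *to_name, const char *to_addr,
                     const char *user_name, const char *user_addr)
{
    struct ftn_addr dst, usr;

    if (to_name == NULL || user_name == NULL || strcasecmp(to_name, user_name) != 0)
        return 0;                       /* the name must match in every area type */
    if (kind == AREA_ECHOMAIL)
        return 1;                       /* EchoMail has no destination address to compare */
    if (!ftn_parse(to_addr, &dst) || !ftn_parse(user_addr, &usr))
        return 0;                       /* fail closed on a malformed address */
    return dst.zone == usr.zone && dst.net == usr.net &&
           dst.node == usr.node && dst.point == usr.point;
}

int main(void)
{
    /* Constructed sample values, reusing the names from the thread. */
    printf("NetMail, other address: %d\n",
           may_read_private(AREA_NETMAIL, "Tom Smith", "3:4/5", "Tom Smith", "1:2/3"));
    printf("NetMail, same address:  %d\n",
           may_read_private(AREA_NETMAIL, "Tom Smith", "3:4/5", "Tom Smith", "3:4/5"));
    printf("EchoMail, name only:    %d\n",
           may_read_private(AREA_ECHOMAIL, "Tom Smith", NULL, "Tom Smith", "1:2/3"));
    return 0;
}
```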