Hello Niels!
05 Dec 20 17:13, you wrote to me:
Hi Andrew,
One of my users has found and reported to me another issue with
regards to reading / listing private messages. While the fix in
commit [942e85] works for local, private echos, it does not take
into account the possibility of two users having the same name
(e.g. "Tom Smith") but different AKAs. Since the fix in [942e85]
does not check the From / To addresses this may lead to the
possibility of a user "Tom Smith@1:2/3" reading and being able to
list messages for "Tom Smith@3:4/5".
This check should only be applied in NetMail areas. EchoMail areas, by definition, do not specify a destination address, but only a to name. There is no way, using standard FTN technology, to address an EchoMail message, even one flagged as private, to only Tom Smith@3:4/5 but not Tom Smith@1:2/3. The message would be sent to all nodes connected to the echo, and any Tom Smith would be able to read them on any node in the echo.
I've already fixed the if (..) statements in mail.c (lines 1116, 1258
and 1909) and will provide a proper pull request in the next few days.
I just wanted to inform you that there is still a security issue and
that there is work being done to fix it.
I will certainly look at the pull request when you send it, and evaluate accordingly.
Andrew
--- GoldED+/LNX 1.1.5-b20180707
* Origin: Phoenix BBS * phoenix.bnbbbs.net (1:320/219)
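
The access rule discussed in this message, as an added example (not the code in mail.c and not part of the original message): a private message is readable only by its addressee, matched by name plus one of the reader's AKAs in NetMail areas and by name alone in EchoMail areas. All type and function names are hypothetical, case-insensitive name matching is an assumption, and only the To side is shown; the From side would be checked the same way.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical types for illustration; not the structures used in mail.c. */
typedef struct { unsigned zone, net, node, point; } ftn_addr;
typedef enum { AREA_NETMAIL, AREA_ECHOMAIL } area_kind;
typedef struct { const char *to_name; ftn_addr to_addr; bool is_private; } message;
typedef struct { const char *name; const ftn_addr *akas; size_t aka_count; } reader;

/* Case-insensitive name comparison (assumed policy for user names). */
static bool same_name(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == *b;
}

static bool same_addr(const ftn_addr *a, const ftn_addr *b)
{
    return a->zone == b->zone && a->net == b->net &&
           a->node == b->node && a->point == b->point;
}

/* True if the reader is the addressee of m in an area of the given kind. */
bool is_addressee(const reader *r, const message *m, area_kind kind)
{
    if (!same_name(r->name, m->to_name))
        return false;
    if (kind != AREA_NETMAIL)
        return true;   /* EchoMail carries a To name only, no destination address */
    for (size_t i = 0; i < r->aka_count; i++)
        if (same_addr(&r->akas[i], &m->to_addr))
            return true;
    return false;      /* same name, but the message is for another address */
}

/* Non-private messages are readable by anyone with access to the area. */
bool may_read(const reader *r, const message *m, area_kind kind)
{
    return !m->is_private || is_addressee(r, m, kind);
}
```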