Re: [Pan-users] Re: Save attachment file permissions


From: Paul Crawford (at UoD)
Subject: Re: [Pan-users] Re: Save attachment file permissions
Date: Wed, 18 Feb 2009 17:43:25 +0000
User-agent: Thunderbird 2.0.0.19 (Windows/20081209)

Dear Duncan,
I found that in my search as well, but I lost the trail trying to find where and whether pan used that library in that way, or whether it used something else (like the gmime uue and yenc functionality, which I found as well, it likely didn't have yenc tho back when Charles started using uudeview code, FWIW, MIME doesn't include file permissions info, only yenc and uue do).

It kind of confirms that uulib is being used here, and line 180 of tasks/pan/decoder.cc seems to be the bit where the decode & save occurs. However, I really do not understand the code well enough to assert this as completely true.

Looks good, but I'm not coder enough to verify whether it actually applies to pan code...

I had a brief attempt to compile the 0.132 code this morning but the ./configure utility kept telling me of stuff not installed by default in Ubuntu 8.10 (some of which was easy to add, others less obvious).

May try later with 0.133 as a more sensible test target...

If anyone *really* wanted strict posix behaviour, it could be controlled
in some config menu with a suitable dire warning about the implications.

I don't believe an option is even appropriate for pan. Keep in mind that UUE was developed for mail, where between trusting users it arguably made sense. However, the default if not specified/invalid 644 perms look like the most reasonable mandatory place to start, for a news client, modified by the umask of course, and should have been even back then, POSIX spec (which probably came AFTER UUE was first used in news) or no POSIX spec.

Agreed, we just *do not* want such dangerous behaviour as no newsgroup could be considered even moderately trustworthy.

If absolutely necessary, someone could post a .tar.gz file that preserved directories and permissions. While it bypasses security, it takes a lot more effort and is likely to be considered as too hard/suspicious even by click-happy folks.

Absolutely. It was offered purely as a workaround until an appropriate patch can be found, merged, and distributed thru whoever's supplying the binaries people are using.

Should this be entered as a 'bug report' for Pan? What is the best route to getting it resolved in a manner that is pushed out to the bulk of ordinary users soon?

Regards,
Paul
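
The behaviour argued for in this thread, as an added example (not code from Pan, uulib or any poster): the mode on a uuencode `begin` line is parsed only to validate the header, and the file is always created with 0644 narrowed by the umask. The function names and the /tmp demo path are assumptions made for this sketch.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helpers for illustration; not Pan or uulib code.
 * Fixed creation mode for saved attachments; the process umask narrows it. */
#define SAVE_MODE 0644

/* Parse "begin <octal mode> <name>". Returns the mode the poster asked for
 * (0..07777), or -1 if the line is not a well-formed uuencode header. */
int claimed_mode(const char *line)
{
    unsigned mode;
    char name[256];
    if (sscanf(line, "begin %o %255[^\r\n]", &mode, name) != 2 || mode > 07777)
        return -1;
    return (int)mode;
}

/* Create the output file. The header's mode is never passed to open() or
 * chmod(); O_EXCL refuses to reuse an existing file or follow a symlink. */
int create_attachment(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, SAVE_MODE);
}

/* Save an empty file for a header line and report the permission bits it
 * ended up with on disk, or -1 on a bad header or I/O error. */
int saved_mode_for(const char *begin_line)
{
    char path[64];
    struct stat st;
    int fd, result = -1;
    if (claimed_mode(begin_line) < 0) return -1;
    snprintf(path, sizeof path, "/tmp/uu-mode-demo-%ld", (long)getpid());
    fd = create_attachment(path);
    if (fd < 0) return -1;
    if (fstat(fd, &st) == 0) result = (int)(st.st_mode & 07777);
    close(fd);
    unlink(path);
    return result;
}

int main(void)
{
    const char *hdr = "begin 4755 holiday-photo.jpg"; /* constructed sample */
    printf("claimed %04o, saved %04o\n",
           (unsigned)claimed_mode(hdr), (unsigned)saved_mode_for(hdr));
    return 0;
}
```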





