LSTSRV-L Archives

LISTSERV Site Administrators' Forum

Eric Thomas <[log in to unmask]>
Tue, 22 Jan 1991 15:27:15 +0100
On Tue, 22 Jan 1991 10:01:31 SET "Christian J. Reichetzeder"
<REICHETZ@AWIIMC11> said:
 
>* ABC FILELIST has a generic entry of the form
>  /    A/> *        *        PRV OWN ....
 
You must not specify a generic entry for '* *' anywhere, as it will match
any file (obviously).  This means that if someone else,  downwards in the
search order,  has an entry  for 'ABC* MEMO', your  '* *' will  catch the
file before if the filelist is not specified explicitly.
 
>As far as I could find out  the problem is within LSVSFILE. For explicit
>or implicit FILELISTs LSVSFILE starts from the root(=LISTSERV) FILELIST.
>In case the sought file is not found other FILELISTs found are searched.
>Only when the file couldn't be found  in any of the FILELISTs the search
>continues for NOTEBOOKs or LOGs  according to the LIST specification. If
>any FILELIST happens  to contain a generic entry  matching the requested
>FILELIST the search stops and authorization is given as specified in the
>generic entry.
 
I do not  see in what way this  is a problem. First, if I  were to change
the code to  behave as you suggest,  a generic entry for '*  LOG*' in XYZ
FILELIST would be  ignored when looking for XYZ LOG9001,  when the intent
of the list owner was, clearly, to set different GET/PUT access codes for
these files. There  is no difference between  '* LOG*' and '*  *' in this
respect,  except that  the latter  catches  more files.  Second, you  are
talking about  the special case of  log files and implicit  filelists. If
you consider  the more general  case of  regular files, you  will quickly
realize that the specification of '*  *' in *any* filelist means problems
as soon as  you try to store files without  specifying the filelist name,
ie 'PUT MEET9102 AGENDA' rather than 'PUT MEET9102 AGENDA MINUTES'. There
is no  solution to this  - you  did not say  which filelist the  file was
from, there is no  way for the server to "guess"  that you meant MEET9012
AGENDA from 'MEET*  AGENDA' in the MINUTES filelist,  not MEET9012 AGENDA
from '* *' in the XYZ filelist. This  is why you should not specify '* *'
on any  filelist that can be  reached from the  root, and if you  do, you
must  specify the  filelist  name on  any file  access  request to  avoid
problems.
 
What you have  to understand is that LISTSERV fileids  have 3 components,
and when you specify only the first 2 it is trying to guess at the third.
Most of  the time there is  no ambiguity, but of  course nothing prevents
you from having  a 'README MEMO' in  2 filelists; in that  case, the user
can no longer omit the last component.
 
>This is not only an inconvenience but also a security exposure (...) The
>owner of ABC (FILE)LIST could specify a generic entry of * * GET=OWN and
>thus be able to retrieve the logs of XYZ LIST regardless of their FACs.
 
No, because  these are  not the  same files.  If a  match occurs  for XYZ
NOTEBOOK on  the ABC FILELIST,  LISTSERV will  search ABC FILEID  for the
real CMS  fileid. It will not  find an entry  for this file there,  so it
will generate a new fileid, nnnnnnnn  ABC on the designated default disk.
You can GET/PUT this file, but this is a different one from 'XYZ NOTEBOOK
XYZ'.
 
  Eric
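
The first-match behaviour discussed in this message, as an added example that is not part of the original post and is not LISTSERV's code: a simplified model of the search order that shows a '* *' entry winning an implicit request and lists the filelists it shadows. The function names, the sample filelists and access codes, and the use of Python's fnmatch for '*' matching are assumptions.

```python
from fnmatch import fnmatchcase

# Constructed sample data: filelists in search order, root first.
# Each entry is (filename pattern, filetype pattern, GET access code).
FILELISTS = [
    ("LISTSERV", [("LISTSERV", "MEMO", "ALL")]),
    ("XYZ", [("*", "*", "OWN")]),                      # generic catch-all
    ("MINUTES", [("MEET*", "AGENDA", "PRV"), ("ABC*", "MEMO", "ALL")]),
]

def matches(entry, fn, ft):
    """True if the entry's two patterns match the requested fn and ft."""
    return fnmatchcase(fn, entry[0]) and fnmatchcase(ft, entry[1])

def resolve(fn, ft, filelist=None, filelists=FILELISTS):
    """Return (filelist name, entry) for the first match, or None.

    With filelist=None the request is implicit and every filelist is
    searched in order; otherwise only the named filelist is consulted.
    """
    for name, entries in filelists:
        if filelist is not None and name != filelist:
            continue
        for entry in entries:
            if matches(entry, fn, ft):
                return name, entry
    return None

def shadowed(fn, ft, filelists=FILELISTS):
    """Return (winner, losers): the filelist that answers an implicit
    request, and the later filelists that also match but are never reached."""
    hits = [name for name, entries in filelists
            if any(matches(e, fn, ft) for e in entries)]
    return (hits[0] if hits else None), hits[1:]

def catch_all_filelists(filelists=FILELISTS):
    """Audit check: filelists reachable in the search order that carry '* *'."""
    return [name for name, entries in filelists
            if any(e[0] == "*" and e[1] == "*" for e in entries)]

if __name__ == "__main__":
    print("implicit:", resolve("MEET9102", "AGENDA"))
    print("explicit:", resolve("MEET9102", "AGENDA", "MINUTES"))
    print("shadowing:", shadowed("ABC1", "MEMO"))
    print("catch-all in:", catch_all_filelists())
```
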
