Dear Duncan,
I found that in my search as well, but I lost the trail trying to
find where and whether pan used that library in that way, or whether it
used something else (like the gmime uue and yenc functionality, which I
found as well, it likely didn't have yenc tho back when Charles started
using uudeview code, FWIW, MIME doesn't include file permissions info,
only yenc and uue do).
It kind of confirms that uulib is being used here, and line 180 of
tasks/pan/decoder.cc seems to be the bit where the decode & save occurs.
However, I really do not understand the code well enough to assert this
as completely true.
Looks good, but I'm not coder enough to verify whether it actually
applies to pan code...
I had a brief attempt to compile the 0.132 code this morning but the
./configure utility kept telling me of stuff not installed by default in
Ubuntu 8.10 (some of which was easy to add, others less obvious).
May try later with 0.133 as a more sensible test target...
If anyone *really* wanted strict posix behaviour, it could be controlled
in some config menu with a suitable dire warning about the implications.
I don't believe an option is even appropriate for pan. Keep in mind that
UUE was developed for mail, where between trusting users it arguably made
sense. However, the default if not specified/invalid 644 perms look like
the most reasonable mandatory place to start, for a news client, modified
by the umask of course, and should have been even back then, POSIX spec
(which probably came AFTER UUE was first used in news) or no POSIX spec.
Agreed, we just *do not* want such dangerous behaviour as no newsgroup
could be considered even moderately trustworthy.
If absolutely necessary, someone could post a .tar.gz file that
preserved directories and permissions. While it bypasses security, it
takes a lot more effort and is likely to be considered as too
hard/suspicious even by click-happy folks.
Absolutely. It was offered purely as a workaround until an appropriate
patch can be found, merged, and distributed thru whoever's supplying the
binaries people are using.
Should this be entered as a 'bug report' for Pan? What is the best route
to getting it resolved in a manner that is pushed out to the bulk of
ordinary users soon?
Regards,
Paul
_______________________________________________
Pan-users mailing list
Pan-users@nongnu.org
http://lists.nongnu.org/mailman/listinfo/pan-users
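The policy argued for in this thread (ignore the mode in the UUE `begin` line and save with 644 perms, modified by the umask), as an added C example. It is not pan's or uulib's code; the function names `parse_begin`, `save_mode` and `create_decoded` and the sample header are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse "begin <octal-mode> <name>". Returns 0 on success, -1 if malformed.
 * *claimed is what the poster asked for; it is reported, never applied. */
int parse_begin(const char *line, unsigned *claimed, char *name, size_t n)
{
    char buf[256];
    unsigned mode;
    if (sscanf(line, "begin %o %255[^\r\n]", &mode, buf) != 2 || mode > 07777)
        return -1;
    *claimed = mode;
    snprintf(name, n, "%s", buf);
    return 0;
}

/* Hypothetical policy hook: every decoded attachment gets 0644, whatever
 * the article claimed. Exec, setuid, setgid and sticky bits never survive. */
mode_t save_mode(unsigned claimed)
{
    (void)claimed;
    return 0644;
}

/* Create the output file. open() applies the process umask to the mode;
 * O_EXCL|O_NOFOLLOW refuse to reuse an existing file or follow a symlink.
 * path is assumed to be chosen and sanitized by the caller. */
int create_decoded(const char *path, unsigned claimed)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, save_mode(claimed));
}

int main(void)
{
    unsigned claimed;
    char name[64];
    const char *hdr = "begin 4755 setup.sh\n";   /* constructed sample header */
    if (parse_begin(hdr, &claimed, name, sizeof name) == 0)
        printf("%s: article asked for %o, will create with %o\n",
               name, claimed, (unsigned)save_mode(claimed));
    return 0;
}
```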