Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!ames!elroy!ucla-cs!uci-ics!nagel@beaver.ics.uci.edu
From: nagel@beaver.ics.uci.edu (Mark Nagel)
Newsgroups: news.software.nntp
Subject: Re: NNTP 1.5 Patch 4
Keywords: NNTP 1.5 patch 4
Message-ID: <15151@paris.ics.uci.edu>
Date: 20 May 89 02:28:52 GMT
References: <157@lib.tmc.edu> <1720@ucsd.EDU> <14701@paris.ics.uci.edu> <161@lib.tmc.edu>
Sender: news@paris.ics.uci.edu
Reply-To: nagel@beaver.ics.uci.edu (Mark Nagel)
Organization: University of California, Irvine - Dept of ICS
Lines: 22
In-reply-to: sob@watson.bcm.tmc.edu (Stan Barber)

In article <161@lib.tmc.edu>, sob@watson (Stan Barber) writes:
|When I made the extentions to NNTP for TMNN's news readers, Phil and I
|had a short chat about the functionality of a LIST filename type of
|command. The upshot of the comment was that LIST filename was a bad
|idea bacause of the ambiguity and the resulting security problem.

I don't see why it has to be such a security problem.  Given that
certain files are already allowed to be accessed, just allow the rest
of the files in lib/news to be accessed as well.  The simplest
security measures of allowing no '/' characters in the name and only
allowing read access to files in lib/news should take care of it.
Then NNTP won't have to be extended for every new reader that comes
out (ala the new patches for TMNN).  When you say 'ambiguity' do you
mean that it is not clear what the file you are accessing is?  I would
hope that the LIST extension would simply provide a way to allow NNTP
readers the same exact view of the news library that a local reader
has.

Mark Nagel @ UC Irvine, Department of Information and Computer Science
                            +----------------------------------------+
ARPA: nagel@ics.uci.edu     | radiation: smog with an attitude       |
UUCP: ucbvax!ucivax!nagel   |                                        |