echo: mbse
to: NIELS HAEDECKE
from: ANDREW LEARY
date: 2020-12-05 21:36:00
subject: Another fix regarding rea

Hello Niels!

05 Dec 20 17:13, you wrote to me:

 NH> Hi Andrew,

 NH> One of my users has found and reported to me another issue with
 NH> regards to reading / listing private messages. While the fix in commit
 NH> [942e85] works for local, private echos, it does not take into account
 NH> the possibility of two users having the same name (e.g. "Tom Smith")
 NH> but different AKAs. Since the fix in [942e85] does not check the From
 NH> / To addresses this may lead to the possibility of a user "Tom
 NH> Smith@1:2/3" reading and being able to list messages for "Tom
 NH> Smith@3:4/5".

This check should only be applied in NetMail areas.  EchoMail areas, by 
definition, do not specify a destination address, but only a to name.  There 
is no way, using standard FTN technology, to address an EchoMail message, even 
one flagged as private, to only Tom Smith@3:4/5 but not Tom Smith@1:2/3.  The 
message would be sent to all nodes connected to the echo, and any Tom Smith 
would be able to read them on any node in the echo.

 NH> I've already fixed the if (..) statements in mail.c (lines 1116, 1258
 NH> and 1909) and will provide a proper pull request in the next few days.
 NH> I just wanted to inform you that there is still a security issue and
 NH> that there is work being done to fix it.

I will certainly look at the pull request when you send it, and evaluate 
accordingly.

Andrew

--- GoldED+/LNX 1.1.5-b20180707
* Origin: Phoenix BBS * phoenix.bnbbbs.net (1:320/219)

SOURCE: echomail via QWK@docsplace.org
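
The rule discussed in the message above, as an added C example that is not mbse's code and not from either poster: a private message is matched on name alone in EchoMail areas, and on name plus FTN address in NetMail areas. All type and function names here are hypothetical, the sample users are constructed, and case-insensitive name matching is an assumption.

```c
#include <stdio.h>
#include <strings.h>

/* Hypothetical types for this sketch; not mbse's own structures. */
enum area_type { AREA_ECHOMAIL, AREA_NETMAIL };
struct ftn_addr { int zone, net, node, point; };
struct party { const char *name; struct ftn_addr addr; };

/* Parse "zone:net/node[.point]". Returns 1 on success, 0 on malformed input. */
int parse_addr(const char *s, struct ftn_addr *a)
{
    int end = 0;
    a->point = 0;
    if (sscanf(s, "%d:%d/%d%n.%d%n", &a->zone, &a->net, &a->node, &end,
               &a->point, &end) < 3)
        return 0;
    return s[end] == '\0';   /* reject trailing garbage such as "1:2/3." */
}

static int same_addr(const struct ftn_addr *x, const struct ftn_addr *y)
{
    return x->zone == y->zone && x->net == y->net &&
           x->node == y->node && x->point == y->point;
}

/* Addresses are compared only in NetMail areas, because an EchoMail
 * message carries a To name but no destination address. */
int may_read_private(enum area_type type, const struct party *user,
                     const struct party *from, const struct party *to)
{
    int is_from = strcasecmp(user->name, from->name) == 0;
    int is_to = strcasecmp(user->name, to->name) == 0;
    if (type == AREA_NETMAIL) {
        is_from = is_from && same_addr(&user->addr, &from->addr);
        is_to = is_to && same_addr(&user->addr, &to->addr);
    }
    return is_from || is_to;
}

/* Constructed case from the thread: may "Tom Smith" at user_addr read a
 * private message to "Tom Smith" at to_addr? Returns -1 on a bad address. */
int tom_smith_case(enum area_type type, const char *user_addr, const char *to_addr)
{
    struct party user = { "Tom Smith", { 0, 0, 0, 0 } };
    struct party to = { "Tom Smith", { 0, 0, 0, 0 } };
    struct party from = { "Jane Doe", { 9, 8, 7, 0 } };  /* constructed sender */
    if (!parse_addr(user_addr, &user.addr) || !parse_addr(to_addr, &to.addr))
        return -1;
    return may_read_private(type, &user, &from, &to);
}
```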
