On 28 Apr 97, Trev Roydhouse wrote to John Giannini:
>> Amen! If only those two enhancements were made, I'd
>> be happy. Assuming they fix the file download bug
>> that lets anyone download any files they can see if
>> they place them on one multiple-file request line....
TR> Would you care to explain this mite in detail?
I explained it in great detail in an early 1995 Meadow message, but to recap:
On my board:
Access_priv is set to twit for all file areas. (so any caller can browse
all file directories or use the "new files" command.)
Download_priv is set to twit on 5 download directories. (I want anyone to be
able to d/l from those directories, even new callers)
Download_priv is set to "normal" for all other file directories.
A person's normal priv level on my board is "limited" unless they become a
subscriber, in which case they are bumped up to "normal" allowing them to
download from all file directories.
Now. With this setup, a non-subscriber is prevented from downloading from a
subscriber area because if they go into that area, they will see no "D"
command on their Opus filearea menu. With no "D" command, they can't
download from that area.
But some smart non-subscriber people have from time to time figured out that
with global downloading, they might be able to get a "subscriber" file by going
into one of those 5 non-subscriber file directories where they do see the "D"
command, and tell Opus from there, using that "D" command (that they can see
from there) to send them a file from a subscriber area. (one of the areas
they wouldn't see the "D" command in, if they were directly in that area).
I discovered 2 years ago that if someone tried that, and listed only one file
on a line, like:
D Z SEXYGIRL.GIF
where that gif was in a subscriber area, Opus would tell them it couldn't
find that file, and that spelling counted. So far, so good.
But! If they gave Opus more than one filename on that line, Opus would send
every file but the first one. MASSIVE BUG! Example:
D Z SEXYGRL1,GIF SEXYGRL2.GIF SEXYGRL3.GIF SEXYGRL4.GIF
Opus would then send gifs 2-4 listed above, even though they shouldn't be
able to download those files. And you couldn't use locks and keys either,
because if the person's account had a key turned on for a lock for a file
area, so they could see that file area, they could still download from it.
Bottom line? If a user could *see* a file area, they could get anything from
it, no matter what its download_priv was or what their priv level was, as
long as at least ONE file area on the BBS offered them the use of the "D"
command. All they needed to do was list what they wanted as 2nd, 3rd or 4th
file on a batch file request.
The obvious software problem? Opus references download_priv only for the
*first* file in a batch download queue, and only that one.
Implications: Legally perilous! If one had adult files online, and one
wanted anyone to be able to browse those files or query the BBS for new
files, but NOT download from them w/o a subscription, you couldn't. All
someone would have to do, even a kid, was go into an area where they could
see the "D" command (like a new-caller directory) and download away. VERY
BAD.
When I wrote about this in MEADOW 2 years ago, I got the following suggestion
from a number of people as per setup of my board:
"Make all file areas access_priv normal except one that has your master
filelist in it. Generate a filelist nightly that anyone can download. Let
*that* be how people see what you have online."
My problem with this solution, as I replied back then, was that it made the
"File Titles" command, and the "New Files" command unusable to anyone but
subscribers, and they are few in number! Indeed, it was my philosophy that
the New Files command *has* to be available to non-subscribers. It's one of
the ways systems can *get* subscribers. People call, do a "New Files" check,
see what's new, and if something sparks their interest, they might subscribe
to get it. I *need* the File Titles and New Files commands available to all.
No one will subscribe if they can't see what I have online.
The response to my posting this sentiment above was that people *insisted*
that if I wanted to take NO LEGAL RISKS, my only option was to implement the
master filelist idea. If I wanted to do some semblance of "New Files"
listings, they suggested, I could do a 2nd nightly list of just new files for
the last 2 weeks, for example. New callers and non-subscribers could call,
d/l that little list, and in that way, see just as easily what was new.
My response? "Not true" I said. It would NOT be as easy for someone to call
and d/l that little list, as it would be for them merely to just pop into the
files section and use the New Files command. Besides, by doing the filelist
thing, it makes the "F" command and the "N" command almost useless! Why have
them if hardly anyone can use them? The problem as I saw it, and still do,
is NOT the "F" or "N" commands - those commands are fine, and very useful,
and should be available to everyone. The PROBLEM is the BUG allowing those
who know the secret to download files they shouldn't have download access to.
The bug is the problem.
What I was suggesting last week was that that bug be fixed. Make Opus check
the download_priv for *each* file listed in a batch file download request,
not just the first one, and everything will be fine. I hope the new Opus
takes care of this problem.
If you need any additional info, Trev, let me know...
--- GoldED 2.50
---------------
* Origin: The Moonshadow :*: 916.343.0534 :*: Chico, CA :*: (1:119/50)
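As an added illustration of the bug the message describes, and of the fix it asks for: a constructed model of the batch-download privilege check, with the first-file-only check beside a per-file check. This is not Opus source or code from the original post; the area names, file names and priv levels are made up for the example.

```python
"""Constructed model of the Opus batch-download privilege check described in
the message above. Not Opus source; areas, files and priv levels are made up."""

# Privilege levels, lowest to highest, using the message's terminology.
PRIV_RANK = {"twit": 0, "limited": 1, "normal": 2}

# Constructed file areas: access_priv controls browsing, download_priv controls "D".
# Both areas are browsable by anyone; only SUBSCRIB requires "normal" to download.
AREAS = {
    "NEWUSER":  {"access_priv": "twit", "download_priv": "twit",
                 "files": {"WELCOME.TXT", "RULES.TXT"}},
    "SUBSCRIB": {"access_priv": "twit", "download_priv": "normal",
                 "files": {"MEMBERS1.ZIP", "MEMBERS2.ZIP"}},
}


def locate(filename):
    """Global download: return the area holding filename, or None if no area has it."""
    for name, area in AREAS.items():
        if filename in area["files"]:
            return name
    return None


def may_download(caller_priv, area_name):
    """Caller may download from an area if their priv meets its download_priv."""
    return PRIV_RANK[caller_priv] >= PRIV_RANK[AREAS[area_name]["download_priv"]]


def batch_download_buggy(caller_priv, filenames):
    """Behaviour the message describes: download_priv is consulted for the
    first file only; every later file is sent if it exists anywhere."""
    sent = []
    for i, f in enumerate(filenames):
        area = locate(f)
        if area is None:
            continue  # "couldn't find that file"
        if i == 0 and not may_download(caller_priv, area):
            continue  # refused, exactly as for a single-file request
        sent.append(f)
    return sent


def batch_download_fixed(caller_priv, filenames):
    """The fix the message asks for: check download_priv for *each* file."""
    return [f for f in filenames
            if locate(f) is not None and may_download(caller_priv, locate(f))]
```

With a "limited" caller, the buggy handler refuses a lone subscriber file but sends every subscriber file listed after the first; the fixed handler sends only files from areas whose download_priv the caller meets.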