echo: fidosoft.husky
to: Dmitry Sergienko
from: Alex Woick
date: 2004-01-15 16:26:32
subject: hpt expanding variables in area description

Hello Dmitry,

 AW>> bash-supplied path to hpt. If your area forwarding lists are generated
 AW>> by a coordinator and not by yourself, and you use them without
 AW>> filtering such variable references, he could inject arbitrary
 AW>> variables there and let people peek at them via areafix %list. I
 AW>> suggest a modification of the config file scanner. I imagine, htick
 AW>> has the same problem.

 DS> What exact modifications do you propose?

Difficult in general, since it is deep inside the fidoconf config parser.
If I have read correctly, the variable expansion is done with the
var_expand() call at the beginning in fidoconf's line.c::parseLine(). This
is before any semantic analysis of the keywords.
Perhaps the areafix could be modified: It could filter [variable]
constructs out of area forwarding lists before writing back information
into the -d "description" field from auto-created EchoArea
definitions. I don't know if it does this already, since that is a piece of
software that has changed very much recently.

Bye
Alex

--- GEcho/2 1.20/beta+
* Origin: WOMBAZ Systems Heusenstamm [06104-923056 V34+/ISDN] (2:244/1351)
SEEN-BY: 633/267 270
@PATH: 244/1500 1200 2432/200 2476/418 140/1 106/2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com
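
The filter suggested in this message, sketched in C as an added example (not code from hpt, areafix or fidoconf). `strip_var_refs` is a hypothetical helper, and it assumes that any `[...]` span in a description may be expanded when the config file is read again.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy src into dst (capacity cap, including the NUL), leaving out every
 * "[...]" span. Returns the number of spans removed, or -1 if dst is too
 * small. Assumption: any bracketed span may be expanded when the config is
 * re-read, so none is kept. Because '[' is never copied, the result cannot
 * contain a variable reference; text after an unterminated '[' is dropped. */
int strip_var_refs(const char *src, char *dst, size_t cap)
{
    size_t out = 0;
    int depth = 0;      /* bracket nesting level at the current character */
    int removed = 0;

    if (cap == 0)
        return -1;
    for (; *src != '\0'; src++) {
        if (*src == '[') {
            if (depth++ == 0)
                removed++;          /* a new outermost span starts here */
            continue;
        }
        if (*src == ']' && depth > 0) {
            depth--;                /* closes the innermost open span */
            continue;
        }
        if (depth > 0)
            continue;               /* inside a span: drop the character */
        if (out + 1 >= cap)
            return -1;              /* no room for this char plus NUL */
        dst[out++] = *src;
    }
    dst[out] = '\0';
    return removed;
}

int main(void)
{
    /* Constructed description, as a third-party forwarding list might carry it. */
    const char *desc = "General chat [HOME] and [PATH]";
    char clean[128];
    int n = strip_var_refs(desc, clean, sizeof clean);

    printf("removed %d: \"%s\"\n", n, clean);
    return 0;
}
```

A non-zero return value is worth logging together with the name of the forwarding list the description came from.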
