chaosdorf.de/git has been discontinued. Please refer to git.chaosdorf.de instead.

Commit 23421a86 authored Feb 09, 2011 by Birte Kristina Friesel

imlib.c: Use wget --no-clobber

This prevents a (highly unlikely) case of an attacker knowing feh's PID and
the user's URL rewriting user files by means of a TOCTTOU attack.

It is still possible to _create_ arbitrary files via dangling symlinks. That
will be fixed once I switch from wget to libcurl.

parent 15bd1c8b

ChangeLog

+3 −0

Original line number	Diff line number	Diff line
		@@ -3,6 +3,9 @@ git HEAD
		* Add --zoom fill as equivalent for --auto-zoom
		* Add --zoom max (zooming like in --bg-max)
		* --menu-style is now deprecated
		* Use wget --no-clobber to prevent TOCTTOU-based hole allowing a
		well-informed attacker to rewrite arbitrary user files. An attacker can
		still use it to _create_ arbitrary files.

		Wed, 26 Jan 2011 21:07:19 +0100 Daniel Friesel <derf@finalrewind.org>

src/imlib.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -453,7 +453,8 @@ char feh_http_load_image(char url)
		if (!opt.verbose)
		quiet = estrdup("-q");

		execlp("wget", "wget", "--cache=off", "-O", tmpname, url, quiet, NULL);
		execlp("wget", "wget", "--no-clobber", "--cache=off",
		"-O", tmpname, url, quiet, NULL);
		eprintf("url: Is 'wget' installed? Failed to exec wget:");
		} else {
		waitpid(pid, &status, 0);