Commit ae56ce24 authored by Birte Kristina Friesel's avatar Birte Kristina Friesel

Remove --wget-timestamp option (contained a remote code execution hole)

parent 31ea3cb8
+4 −0
@@ -11,6 +11,10 @@ git HEAD
    * Saving the filelist from thumbnail mode caused undefined behaviour due
      to handling of uninitialised memory. Since I consider this a rarely
      useful action, the feature has been disabled for thumbnail mode.
    * Remove -G/--wget-timestamp option. It was probably not working
      correctly, plus it contained a remote code execution hole when used with
      malicious URLs containing shell metacharacters (but only if those URLs
      led to a valid file)

Thu Jun 10 12:12:04 CEST 2010

+0 −4
@@ -351,10 +351,6 @@ successfully load them.
output useful information, progress bars, etc.
.It Cm -v , --version
output version information and exit.
.It Cm -G , --wget-timestamp
Don't add a timestamp
.Pq Qq ?1234
to URLs when (re)loading them.
.It Cm --zoom Ar percent
Zoom images by
.Ar percent
+0 −2
@@ -40,8 +40,6 @@ OPTIONS
 -k, --keep-http           Keep local copies when viewing HTTP/FTP files
     --caption-path PATH   Path to caption directory, enables caption display
 -j, --output-dir          With -k: Output directory for saved files
 -G, --wget-timestamp      Try to only reload a file if it changed. Also,
                           don't add \"?1234...\" timestamp to file URL
 -l, --list                list mode: ls-style output with image information
 -L, --customlist FORMAT   list mode with custom output, see FORMAT SPECIFIERS
 -U, --loadable            List all loadable files. No image display
+5 −26
@@ -231,7 +231,6 @@ int feh_load_image(Imlib_Image * im, feh_file * file)
char *feh_http_load_image(char *url)
{
	char *tmpname;
	char *tmpname_timestamper = NULL;
	char *basename;
	char *newurl = NULL;
	char randnum[20];
@@ -249,19 +248,9 @@ char *feh_http_load_image(char *url)
	basename = strrchr(url, '/') + 1;
	tmpname = feh_unique_filename(path, basename);

	if (opt.wget_timestamp) {
		char cppid[10];
		pid_t ppid;

		ppid = getpid();
		snprintf(cppid, sizeof(cppid), "%06ld", (long) ppid);
		tmpname_timestamper = estrjoin("", "/tmp/feh_", cppid, "_", basename, NULL);
		newurl = estrdup(url);
	} else {
	rnum = rand();
	snprintf(randnum, sizeof(randnum), "%d", rnum);
	newurl = estrjoin("?", url, randnum, NULL);
	}
	D(3, ("newurl: %s\n", newurl));

	if (opt.builtin_http) {
@@ -474,28 +463,18 @@ char *feh_http_load_image(char *url)
			if (!opt.verbose)
				quiet = estrdup("-q");

			if (opt.wget_timestamp) {
				execlp("wget", "wget", "-N", "-O", tmpname_timestamper, newurl, quiet, (char *) NULL);
			} else {
			execlp("wget", "wget", "--cache=off", "-O", tmpname, newurl, quiet, NULL);
			}
			eprintf("url: exec failed: wget:");
		} else {
			waitpid(pid, &status, 0);

			if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
				weprintf("url: wget failed to load URL %s\n", url);
				unlink(opt.wget_timestamp ? tmpname_timestamper : tmpname);
				unlink(tmpname);
				free(newurl);
				free(tmpname);
				return(NULL);
			}
			if (opt.wget_timestamp) {
				char cmd[2048];

				snprintf(cmd, sizeof(cmd), "/bin/cp %s %s", tmpname_timestamper, tmpname);
				system(cmd);
			}
			free(newurl);
		}
	}
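Review bot: After the `execlp("wget", "wget", "--cache=off", "-O", tmpname, newurl, quiet, NULL);` call in the child, `eprintf("url: exec failed: wget:");` is the last statement of the child branch; if eprintf returns, or exits through `exit()` rather than `_exit()` (its definition is outside this hunk), the forked child either falls through into the parent's waitpid/cleanup code or flushes the parent's duplicated stdio buffers and runs its atexit handlers, so I would add `_exit(1);` immediately after it. The verbose case relies on `quiet` staying NULL so that it terminates the argv list one slot early; that only holds if `quiet` is initialised to NULL before the fork (not visible here), otherwise execlp is handed an uninitialised pointer, and a comment such as `/* quiet stays NULL when verbose and then doubles as the argv terminator */` would make the intent explicit. Security-wise the remaining path is sound: the URL is passed as a single argv element with no shell involved, so the shell-metacharacter injection this commit removes together with the `system("/bin/cp …")` call cannot recur here, and `unlink(tmpname)` on the failure path is correct because `wget -O` creates the output file even when the download fails. feh_http_load_image begins and ends outside this hunk.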
+1 −5
@@ -317,7 +317,7 @@ char *feh_string_normalize(char *str)
static void feh_parse_option_array(int argc, char **argv)
{
	static char stropts[] =
	    "a:A:b:B:cC:dD:e:E:f:Fg:GhH:iIj:klL:mM:nNo:O:pqQrR:sS:tT:uUvVwW:xXy:zZ0:1:2:4:5:8:9:.@:^:~:):|:_:+:";
	    "a:A:b:B:cC:dD:e:E:f:Fg:hH:iIj:klL:mM:nNo:O:pqQrR:sS:tT:uUvVwW:xXy:zZ0:1:2:4:5:8:9:.@:^:~:):|:_:+:";
	static struct option lopts[] = {
		/* actions */
		{"help", 0, 0, 'h'},	/* okay */
@@ -346,7 +346,6 @@ static void feh_parse_option_array(int argc, char **argv)
		{"preload", 0, 0, 'p'},
		{"reverse", 0, 0, 'n'},
		{"thumbnails", 0, 0, 't'},
		{"wget-timestamp", 0, 0, 'G'},
		{"builtin", 0, 0, 'Q'},
		{"scale-down", 0, 0, '.'},	/* okay */
		{"no-jump-on-resort", 0, 0, 220},
@@ -462,9 +461,6 @@ static void feh_parse_option_array(int argc, char **argv)
			opt.list = 1;
			opt.display = 0;
			break;
		case 'G':
			opt.wget_timestamp = 1;
			break;
		case 'Q':
			opt.builtin_http = 1;
			break;
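Review bot: The `opt.wget_timestamp` field that the removed `case 'G':` used to set is not dropped anywhere in this commit, so unless options.h is changed separately the option struct keeps a dead member; removing it as well would let the compiler flag any reader of the flag that this commit missed. feh_parse_option_array begins and ends outside these hunks.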