imlib.c: Use wget --no-clobber

This prevents a (highly unlikely) case of an attacker knowing feh's PID and the user's URL rewriting user files by means of a TOCTTOU attack. It is still possible to _create_ arbitrary files via dangling symlinks. That will be fixed once I switch from wget to libcurl.
author: Daniel Friesel <derf@finalrewind.org> 2011-02-09 19:44:48 +0100
committer: Daniel Friesel <derf@finalrewind.org> 2011-02-09 19:49:28 +0100
commit: 23421a86cc826dd30f3dc4f62057fafb04b3ac40 (patch)
tree: 7c5fcaf8aceaf6df290721a8247e18d06bfc4bb0 /ChangeLog
parent: 15bd1c8bd3429ee565ba713fbc95af69a0c10c94 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index 5178b6b..2d656ba 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,9 @@ git HEAD
     * Add --zoom fill as equivalent for --auto-zoom
     * Add --zoom max (zooming like in --bg-max)
     * --menu-style is now deprecated
+    * Use wget --no-clobber to prevent TOCTTOU-based hole allowing a
+      well-informed attacker to rewrite arbitrary user files. An attacker can
+      still use it to _create_ arbitrary files.
 
 Wed, 26 Jan 2011 21:07:19 +0100  Daniel Friesel <derf@finalrewind.org>
author	Daniel Friesel <derf@finalrewind.org>	2011-02-09 19:44:48 +0100
committer	Daniel Friesel <derf@finalrewind.org>	2011-02-09 19:49:28 +0100
commit	23421a86cc826dd30f3dc4f62057fafb04b3ac40 (patch)
tree	7c5fcaf8aceaf6df290721a8247e18d06bfc4bb0 /ChangeLog
parent	15bd1c8bd3429ee565ba713fbc95af69a0c10c94 (diff)