imlib.c: Use wget --no-clobber

This prevents a (highly unlikely) case of an attacker knowing feh's PID and the user's URL rewriting user files by means of a TOCTTOU attack. It is still possible to _create_ arbitrary files via dangling symlinks. That will be fixed once I switch from wget to libcurl. (cherry picked from commit 23421a86cc826dd30f3dc4f62057fafb04b3ac40) Conflicts: ChangeLog
author: Daniel Friesel <derf@finalrewind.org> 2011-02-09 20:09:53 +0100
committer: Daniel Friesel <derf@finalrewind.org> 2011-02-09 20:09:53 +0100
commit: a16225248e8feca0020113c4e93a30600a35b8f0 (patch)
tree: 2f22bad03ffff4c15ce527f332e7b6b68141e25e /src/imlib.c
parent: 3bd5012d90b7dce9d810576c5dbc06629fa137ee (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/src/imlib.c b/src/imlib.c
index 01384d1..b251cac 100644
--- a/src/imlib.c
+++ b/src/imlib.c
@@ -453,7 +453,8 @@ char *feh_http_load_image(char *url)
 			if (!opt.verbose)
 				quiet = estrdup("-q");
 
-			execlp("wget", "wget", "--cache=off", "-O", tmpname, url, quiet, NULL);
+			execlp("wget", "wget", "--no-clobber", "--cache=off",
+					"-O", tmpname, url, quiet, NULL);
 			eprintf("url: Is 'wget' installed? Failed to exec wget:");
 		} else {
 			waitpid(pid, &status, 0);
author	Daniel Friesel <derf@finalrewind.org>	2011-02-09 20:09:53 +0100
committer	Daniel Friesel <derf@finalrewind.org>	2011-02-09 20:09:53 +0100
commit	a16225248e8feca0020113c4e93a30600a35b8f0 (patch)
tree	2f22bad03ffff4c15ce527f332e7b6b68141e25e /src/imlib.c
parent	3bd5012d90b7dce9d810576c5dbc06629fa137ee (diff)