diff options
| author | Daniel Friesel <derf@finalrewind.org> | 2011-02-09 19:44:48 +0100 |
|---|---|---|
| committer | Daniel Friesel <derf@finalrewind.org> | 2011-02-09 19:49:28 +0100 |
| commit | 23421a86cc826dd30f3dc4f62057fafb04b3ac40 (patch) | |
| tree | 7c5fcaf8aceaf6df290721a8247e18d06bfc4bb0 /src | |
| parent | 15bd1c8bd3429ee565ba713fbc95af69a0c10c94 (diff) | |
imlib.c: Use wget --no-clobber
This prevents a (highly unlikely) case of an attacker knowing feh's PID and
the user's URL rewriting user files by means of a TOCTTOU attack.
It is still possible to _create_ arbitrary files via dangling symlinks. That
will be fixed once I switch from wget to libcurl.
Diffstat (limited to 'src')
| -rw-r--r-- | src/imlib.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/imlib.c b/src/imlib.c index 01384d1..b251cac 100644 --- a/src/imlib.c +++ b/src/imlib.c @@ -453,7 +453,8 @@ char *feh_http_load_image(char *url) if (!opt.verbose) quiet = estrdup("-q"); - execlp("wget", "wget", "--cache=off", "-O", tmpname, url, quiet, NULL); + execlp("wget", "wget", "--no-clobber", "--cache=off", + "-O", tmpname, url, quiet, NULL); eprintf("url: Is 'wget' installed? Failed to exec wget:"); } else { waitpid(pid, &status, 0); |