| -rw-r--r-- | ChangeLog | 3 | ||||
| -rw-r--r-- | src/imlib.c | 3 | 
2 files changed, 5 insertions, 1 deletions
|
@@ -3,6 +3,9 @@ git HEAD
     * Add --zoom fill as equivalent for --auto-zoom
     * Add --zoom max (zooming like in --bg-max)
     * --menu-style is now deprecated
+    * Use wget --no-clobber to prevent TOCTTOU-based hole allowing a
+      well-informed attacker to rewrite arbitrary user files. An attacker can
+      still use it to _create_ arbitrary files.
 Wed, 26 Jan 2011 21:07:19 +0100  Daniel Friesel <derf@finalrewind.org>
diff --git a/src/imlib.c b/src/imlib.c
index 01384d1..b251cac 100644
--- a/src/imlib.c
+++ b/src/imlib.c
@@ -453,7 +453,8 @@ char *feh_http_load_image(char *url)
 			if (!opt.verbose)
 				quiet = estrdup("-q");
-			execlp("wget", "wget", "--cache=off", "-O", tmpname, url, quiet, NULL);
+			execlp("wget", "wget", "--no-clobber", "--cache=off",
+					"-O", tmpname, url, quiet, NULL);
 			eprintf("url: Is 'wget' installed? Failed to exec wget:");
 		} else {
 			waitpid(pid, &status, 0);
|
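Review bot: `--no-clobber` does not close the name-based race in the new `execlp()` call in `feh_http_load_image`, because wget still opens `tmpname` by path in the child, so safety rests on how wget orders its existence check and its open; as far as I know wget also accepts `-nc` together with `-O` only when the output file does not yet exist. A sturdier fix is to create the file in the parent with `mkstemp()`, which opens with `O_CREAT|O_EXCL`, then have the child `dup2()` that descriptor onto stdout and run wget with `-O -`, so wget never resolves a path name at all. `url` is passed with no guard against a leading `-`; presumably the caller only hands over http/ftp URLs, but that is outside this hunk. The `fork()` and the construction of `tmpname` are also outside the hunk, so `fd` in the sketch is a placeholder for the descriptor `mkstemp()` returns.

```c
			// … unchanged: quiet = estrdup("-q") when !opt.verbose …
			/* fd: placeholder for the descriptor mkstemp() returned in the parent */
			if (dup2(fd, STDOUT_FILENO) == -1)
				eprintf("url: dup2 failed:");
			close(fd);
			execlp("wget", "wget", "--cache=off", "-O", "-", url, quiet, NULL);
			eprintf("url: Is 'wget' installed? Failed to exec wget:");
```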
