From 23421a86cc826dd30f3dc4f62057fafb04b3ac40 Mon Sep 17 00:00:00 2001
From: Daniel Friesel <derf@finalrewind.org>
Date: Wed, 9 Feb 2011 19:44:48 +0100
Subject: imlib.c: Use wget --no-clobber

This prevents a (highly unlikely) case of an attacker knowing feh's PID and
the user's URL rewriting user files by means of a TOCTTOU attack.

It is still possible to _create_ arbitrary files via dangling symlinks. That
will be fixed once I switch from wget to libcurl.
---
 ChangeLog   | 3 +++
 src/imlib.c | 3 ++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 5178b6b..2d656ba 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,9 @@ git HEAD
     * Add --zoom fill as equivalent for --auto-zoom
     * Add --zoom max (zooming like in --bg-max)
     * --menu-style is now deprecated
+    * Use wget --no-clobber to prevent TOCTTOU-based hole allowing a
+      well-informed attacker to rewrite arbitrary user files. An attacker can
+      still use it to _create_ arbitrary files.
 
 Wed, 26 Jan 2011 21:07:19 +0100  Daniel Friesel <derf@finalrewind.org>
 
diff --git a/src/imlib.c b/src/imlib.c
index 01384d1..b251cac 100644
--- a/src/imlib.c
+++ b/src/imlib.c
@@ -453,7 +453,8 @@ char *feh_http_load_image(char *url)
 			if (!opt.verbose)
 				quiet = estrdup("-q");
 
-			execlp("wget", "wget", "--cache=off", "-O", tmpname, url, quiet, NULL);
+			execlp("wget", "wget", "--no-clobber", "--cache=off",
+					"-O", tmpname, url, quiet, NULL);
 			eprintf("url: Is 'wget' installed? Failed to exec wget:");
 		} else {
 			waitpid(pid, &status, 0);
-- 
cgit v1.2.3