Hi,

Tim Rühsen <[email protected]> writes:

> Please review / test this patch.
>
> Please check the 'Reported-by' in the commit message and if you got a CVE
> number, please report for inclusion into the commit message (and/or the code).
>
> Regards, Tim
>
> On Wednesday, 17 August 2016 10:40:35 CEST Dawid Golunski wrote:
>> Random file name + .part extension on temporary files would already be
>> a good improvement (even if still stored within the same directory) and
>> help prevent the exploitation.

I still think we should use a fixed extension, not a random file name. If wget crashes or the process is terminated for any reason, these files will be left around. With a deterministic name, at least we can recover from what was left.

IMO, it is enough to open these files with rw only for the user and not add any extra complexity. It is not wget's responsibility to take care of a misconfigured server that allows executing random files fetched from http/ftp.

Regards,
Giuseppe
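The two points made in the reply above (a fixed `.part` extension, and read/write access for the owner only), shown as an added example that is neither wget code nor taken from the thread. `open_part_file` and `mode_bits` are hypothetical helpers, and the symlink and ownership checks are assumptions that go beyond what the message asks for.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not wget code: open "<target>.part" so that only the
 * owner can read or write it, whatever the umask is. Returns an fd or -1. */
int open_part_file(const char *target, char *part, size_t part_len)
{
    int n = snprintf(part, part_len, "%s.part", target);
    if (n < 0 || (size_t)n >= part_len)
        return -1;                      /* name would be truncated */

    /* O_NOFOLLOW: refuse a symlink planted under the deterministic name.
     * No O_EXCL: a leftover from an interrupted run is reopened, not lost. */
    int fd = open(part, O_RDWR | O_CREAT | O_NOFOLLOW, S_IRUSR | S_IWUSR);
    if (fd < 0)
        return -1;

    struct stat st;
    /* The mode argument of open() only applies when the file is created, so
     * a leftover with wider permissions is tightened explicitly. Also insist
     * on a regular file owned by the current user (assumed policy). */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Permission bits of a path without following symlinks, or -1 on error. */
int mode_bits(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 07777);
}
```
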
