On 10/12/19 at 09:11pm, Allan McRae wrote:
> On 12/10/19 1:45 pm, Andrew Gregory wrote:
> > system() runs the provided command via a shell, which is subject to
> > command injection. Even though pacman already provides a mechanism to
> > sign and verify the databases containing the urls, certain distributions
> > have yet to get their act together and start signing databases, leaving
> > them vulnerable to MITM attacks. Replacing the system call with an
> > almost equivalent exec call removes the possibility of a shell-injection
> > attack for those users.
> >
> > Signed-off-by: Andrew Gregory <[email protected]>
>
> <snip>
>
> > @@ -230,17 +300,26 @@ static int download_with_xfercommand(const char *url,
> > const char *localpath,
> > unlink(destfile);
> > }
> >
> > - tempcmd = strdup(config->xfercommand);
> > - /* replace all occurrences of %o with fn.part */
> > - if(strstr(tempcmd, "%o")) {
> > - usepart = 1;
> > - parsedcmd = strreplace(tempcmd, "%o", tempfile);
> > - free(tempcmd);
> > - tempcmd = parsedcmd;
> > + if((argv = calloc(config->xfercommand_argc + 1, sizeof(char*))) ==
> > NULL) {
>
> need to free this at the end.
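Review bot: the argv vector allocated by `if((argv = calloc(config->xfercommand_argc + 1, sizeof(char*))) == NULL) {` has to be released on every exit path of download_with_xfercommand, and freeing the array alone is not enough: the removed lines show that %o substitution goes through strreplace(), which returns a fresh heap string (the old code freed tempcmd right after `parsedcmd = strreplace(tempcmd, "%o", tempfile);`), so each argv element that went through substitution must be freed as well as the array itself. A single cleanup label reached by the allocation-failure branch, the later error returns and the success path would keep that in one place. The removed `usepart = 1;` also has no replacement among the added lines visible here; if the .part handling still depends on that flag, the new %o detection needs to set it.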
Updated patch pushed to my repo that fixes this and the misplaced free and also corrects the indenting in systemvp to use tabs.
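The commit message above describes replacing system() with an exec call so the URL never passes through a shell. As an added example, not pacman's code and not the patch under review, the C program below builds a NULL-terminated argument vector from a whitespace-split command template, substitutes the %o and %u placeholders inside each argument, and runs it with execvp(); a URL containing shell metacharacters therefore reaches the transfer program as one literal argument. The function names (build_argv, free_argv, run_argv, str_replace), the whitespace tokenizer and the sample template are my own and are not how pacman tokenizes XferCommand.

```c
/* Added example, not pacman's code: build an argv from a command template,
 * substitute %o (output file) and %u (URL) per argument, and run it with
 * execvp() so the URL never passes through a shell. */
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Replace every occurrence of needle in s with repl; returns a new heap string. */
static char *str_replace(const char *s, const char *needle, const char *repl)
{
	size_t nlen = strlen(needle), rlen = strlen(repl), count = 0;
	const char *p;
	for(p = s; (p = strstr(p, needle)) != NULL; p += nlen) count++;
	char *out = malloc(strlen(s) - count * nlen + count * rlen + 1), *w = out;
	if(!out) return NULL;
	while((p = strstr(s, needle)) != NULL) {
		memcpy(w, s, (size_t)(p - s));
		w += p - s;
		memcpy(w, repl, rlen);
		w += rlen;
		s = p + nlen;
	}
	strcpy(w, s);
	return out;
}

/* Free a vector produced by build_argv(): every element, then the array. */
void free_argv(char **argv)
{
	if(!argv) return;
	for(char **p = argv; *p; p++) free(*p);
	free(argv);
}

/* Split template on whitespace into a NULL-terminated argv and substitute the
 * placeholders inside each token; %o is replaced first and %u last so the URL's
 * own bytes are never re-scanned. Returns NULL on allocation failure or an empty
 * template; *argc_out receives the argument count. */
char **build_argv(const char *template, const char *url, const char *outfile,
		int *argc_out)
{
	size_t len = strlen(template) + 1;
	char *copy = malloc(len), **argv = NULL;
	int argc = 0;
	if(!copy) return NULL;
	memcpy(copy, template, len);
	for(char *tok = strtok(copy, " \t"); tok; tok = strtok(NULL, " \t")) {
		char **grown = realloc(argv, (size_t)(argc + 2) * sizeof(*argv));
		if(!grown) goto fail;
		argv = grown;
		argv[argc] = NULL; /* keep the vector NULL-terminated while building */
		char *with_out = str_replace(tok, "%o", outfile);
		if(!with_out) goto fail;
		argv[argc] = str_replace(with_out, "%u", url);
		free(with_out);
		if(!argv[argc]) goto fail;
		argv[++argc] = NULL;
	}
	free(copy);
	if(argc == 0) return NULL;
	if(argc_out) *argc_out = argc;
	return argv;
fail:
	free(copy);
	free_argv(argv);
	return NULL;
}

/* Run argv via fork()+execvp(); returns the child's exit status, or -1 if
 * fork/wait fails or the child did not exit normally. */
int run_argv(char *const argv[])
{
	int status;
	pid_t pid = fork();
	if(pid < 0) return -1;
	if(pid == 0) {
		execvp(argv[0], argv);
		_exit(127); /* only reached if exec itself failed */
	}
	if(waitpid(pid, &status, 0) < 0) return -1;
	return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
	/* Constructed URL carrying shell metacharacters: under system() the text
	 * after ';' would run as a second command; under execvp() it stays part of
	 * a single argument, so echo prints one line and nothing runs "injected". */
	const char *url = "https://mirror.example/core.db; echo injected";
	int argc = 0;
	char **argv = build_argv("/bin/echo fetching %u into %o", url,
			"/tmp/core.db.part", &argc);
	if(!argv) return 1;
	int rc = run_argv(argv);
	free_argv(argv);
	return rc == 0 ? 0 : 1;
}
```

The substitution order matters: the output path is substituted before the URL so that bytes inside the URL are never re-scanned for placeholders, and every substituted element is a separate heap string, which is why free_argv() walks the vector before freeing the array itself, the same cleanup the review comment above asks for.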
