On 12/10/19 1:45 pm, Andrew Gregory wrote:
> system() runs the provided command via a shell, which is subject to
> command injection.  Even though pacman already provides a mechanism to
> sign and verify the databases containing the urls, certain distributions
> have yet to get their act together and start signing databases, leaving
> them vulnerable to MITM attacks.  Replacing the system call with an
> almost equivalent exec call removes the possibility of a shell-injection
> attack for those users.
> 
> Signed-off-by: Andrew Gregory <andrew.gregor...@gmail.com>

<snip>
> @@ -230,17 +300,26 @@ static int download_with_xfercommand(const char *url, 
> const char *localpath,
>               unlink(destfile);
>       }
>  
> -     tempcmd = strdup(config->xfercommand);
> -     /* replace all occurrences of %o with fn.part */
> -     if(strstr(tempcmd, "%o")) {
> -             usepart = 1;
> -             parsedcmd = strreplace(tempcmd, "%o", tempfile);
> -             free(tempcmd);
> -             tempcmd = parsedcmd;
> +     if((argv = calloc(config->xfercommand_argc + 1, sizeof(char*))) == 
> NULL) {
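Review bot: the argv array allocated with calloc at the end of this hunk needs a matching free on every exit path of download_with_xfercommand, not only on success; the removed code freed tempcmd right after each strreplace, and the new array, together with any per-argument strings the %o replacement stores in it, should be released the same way before the function returns, including on the error path taken when a later step fails.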

need to free this at the end.
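To make the system()-versus-exec point of the commit message concrete, here is an added, self-contained C example; it is not pacman's code and not the patch above. It assumes the transfer command has already been split into argv-style tokens (as the patch's config->xfercommand_argc suggests pacman does), substitutes %u and %o inside each token separately, and runs the result with fork/execvp. Because no shell is involved, a URL containing ';', '$(' or quotes reaches the downloader as one literal argument instead of being parsed as extra commands. The template, URL and output path below are constructed sample values.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Return a malloc'd copy of `s` with every `needle` replaced by `repl`.
 * Returns NULL on allocation failure; an empty needle yields a plain copy. */
static char *str_replace_all(const char *s, const char *needle, const char *repl)
{
    size_t nlen = strlen(needle), rlen = strlen(repl), count = 0;
    if (nlen == 0) return strdup(s);
    for (const char *p = s; (p = strstr(p, needle)) != NULL; p += nlen) count++;
    size_t out_len = strlen(s) - count * nlen + count * rlen;
    char *out = malloc(out_len + 1), *o = out;
    if (!out) return NULL;
    for (const char *p = s;;) {
        const char *q = strstr(p, needle);
        if (!q) { strcpy(o, p); break; }
        memcpy(o, p, (size_t)(q - p)); o += q - p;
        memcpy(o, repl, rlen);         o += rlen;
        p = q + nlen;
    }
    return out;
}

/* Free a NULL-terminated argv built by build_argv, strings included. */
static void free_argv(char **argv)
{
    if (!argv) return;
    for (size_t i = 0; argv[i]; i++) free(argv[i]);
    free(argv);
}

/* Build an exec-style argv from an already tokenised command template
 * (assumed input format), substituting %u and %o inside each token on its
 * own.  Substitution is per argument and nothing is re-parsed by a shell,
 * so metacharacters in the URL stay inside a single argv element. */
static char **build_argv(const char *const *tmpl, size_t argc,
                         const char *url, const char *outfile)
{
    char **argv = calloc(argc + 1, sizeof(char *));   /* argv[argc] stays NULL */
    if (!argv) return NULL;
    for (size_t i = 0; i < argc; i++) {
        char *with_url = str_replace_all(tmpl[i], "%u", url);
        if (!with_url) { free_argv(argv); return NULL; }
        argv[i] = str_replace_all(with_url, "%o", outfile);
        free(with_url);
        if (!argv[i]) { free_argv(argv); return NULL; }
    }
    return argv;
}

/* fork/execvp replacement for system(): returns the child's exit status,
 * or -1 if fork, waitpid or exec fails. */
static int run_argv(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);          /* exec failed; same status sh uses for "not found" */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Offline check: a constructed URL with a ';' must survive as one argument. */
static int self_check(void)
{
    const char *const tmpl[] = { "curl", "-o", "%o", "%u" };
    const char *url = "http://mirror.example/core.db;echo injected";
    char **argv = build_argv(tmpl, 4, url, "core.db.part");
    if (!argv) return 0;
    int ok = strcmp(argv[0], "curl") == 0 && strcmp(argv[2], "core.db.part") == 0
          && strcmp(argv[3], url) == 0 && argv[4] == NULL;
    free_argv(argv);
    char *r = str_replace_all("a%u%u", "%u", "xyz");      /* two adjacent hits */
    ok = ok && r && strcmp(r, "axyzxyz") == 0;
    free(r);
    return ok;
}

int main(void)
{
    /* Constructed template: echo simply prints the arguments it receives. */
    const char *const tmpl[] = { "echo", "fetching", "%u", "->", "%o" };
    const char *url = "http://mirror.example/core.db;echo injected";
    char **argv = build_argv(tmpl, 5, url, "/tmp/core.db.part");
    if (!argv || !self_check()) { free_argv(argv); return 1; }
    int rc = run_argv(argv);     /* prints the URL verbatim; no second command runs */
    free_argv(argv);
    return rc == 0 ? 0 : 1;
}
```

Ownership is the part worth copying: every string placed in argv is malloc'd by the substitution, so free_argv is the single release point and build_argv calls it on its own failure paths, which is exactly the loose end the reply above points at in the patch.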
