On 12/10/19 1:45 pm, Andrew Gregory wrote:
> system() runs the provided command via a shell, which is subject to
> command injection. Even though pacman already provides a mechanism to
> sign and verify the databases containing the urls, certain distributions
> have yet to get their act together and start signing databases, leaving
> them vulnerable to MITM attacks. Replacing the system call with an
> almost equivalent exec call removes the possibility of a shell-injection
> attack for those users.
>
> Signed-off-by: Andrew Gregory <andrew.gregor...@gmail.com>
<snip> > @@ -230,17 +300,26 @@ static int download_with_xfercommand(const char *url, > const char *localpath, > unlink(destfile); > } > > - tempcmd = strdup(config->xfercommand); > - /* replace all occurrences of %o with fn.part */ > - if(strstr(tempcmd, "%o")) { > - usepart = 1; > - parsedcmd = strreplace(tempcmd, "%o", tempfile); > - free(tempcmd); > - tempcmd = parsedcmd; > + if((argv = calloc(config->xfercommand_argc + 1, sizeof(char*))) == > NULL) { need to free this at the end.
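Review bot: at the added `argv = calloc(config->xfercommand_argc + 1, sizeof(char*))` line, nothing in the visible hunk releases the array, so every return path of download_with_xfercommand after this point, early error returns included, needs to free it. If the elements are filled with strreplace, as the removed code did for tempcmd, each replaced string has to be freed before the array itself; a single cleanup label at the end of the function would cover both. It is also worth confirming that usepart is still set when an argument contains %o, since the removed block was where that happened.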
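The exec-style approach the commit message describes, as an added example that is not part of the original mail or of pacman's code: the command template is split into words once and %o/%u are substituted per word, so metacharacters in a URL stay inside one argument and never reach a shell. The names `expand_word`, `expand_argv` and `free_argv`, and the sample template and URL, are assumptions made for illustration; `%u` is XferCommand's URL placeholder.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Expand %u/%o in one word, single pass: substituted text is never rescanned. */
static char *expand_word(const char *word, const char *url, const char *out)
{
	size_t len = 0, longest = strlen(url) > strlen(out) ? strlen(url) : strlen(out);
	/* placeholders are 2 chars: at most strlen(word)/2 hits; calloc terminates buf */
	char *buf = calloc(1, strlen(word) + (strlen(word) / 2) * longest + 1);
	for(const char *p = word; buf && *p; p++) {
		if(p[0] == '%' && (p[1] == 'u' || p[1] == 'o'))
			len += (size_t)sprintf(buf + len, "%s", *++p == 'u' ? url : out);
		else
			buf[len++] = *p;
	}
	return buf;
}

void free_argv(char **argv)
{
	for(size_t i = 0; argv && argv[i]; i++)
		free(argv[i]);
	free(argv);
}

/* One output word per template word; the +1 slot stays NULL for execvp(). */
char **expand_argv(const char *const *tmpl, size_t argc, const char *url, const char *out)
{
	char **argv = calloc(argc + 1, sizeof(char *));
	for(size_t i = 0; argv && i < argc; i++) {
		if((argv[i] = expand_word(tmpl[i], url, out)) == NULL) {
			free_argv(argv);
			return NULL;
		}
	}
	return argv;
}

int main(void)
{
	const char *tmpl[] = { "printf", "[%s]\\n", "%o", "%u" }; /* constructed */
	char **argv = expand_argv(tmpl, 4, "http://mirror.invalid/core.db; echo injected", "core.db.part");
	if(argv)
		execvp(argv[0], argv); /* no shell: each word arrives as one argument */
	free_argv(argv); /* reached only if allocation or exec failed */
	return 1;
}
```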