From 23421a86cc826dd30f3dc4f62057fafb04b3ac40 Mon Sep 17 00:00:00 2001
From: Daniel Friesel
Date: Wed, 9 Feb 2011 19:44:48 +0100
Subject: imlib.c: Use wget --no-clobber

This prevents a (highly unlikely) case of an attacker knowing feh's PID and
the user's URL rewriting user files by means of a TOCTTOU attack.

It is still possible to _create_ arbitrary files via dangling symlinks.
That will be fixed once I switch from wget to libcurl.
---
 ChangeLog | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'ChangeLog')

diff --git a/ChangeLog b/ChangeLog
index 5178b6b..2d656ba 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,9 @@ git HEAD
 * Add --zoom fill as equivalent for --auto-zoom
 * Add --zoom max (zooming like in --bg-max)
 * --menu-style is now deprecated
+ * Use wget --no-clobber to prevent TOCTTOU-based hole allowing a
+ well-informed attacker to rewrite arbitrary user files. An attacker can
+ still use it to _create_ arbitrary files.
 Wed, 26 Jan 2011 21:07:19 +0100 Daniel Friesel

-- 
cgit v1.2.3
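Review bot: the ChangeLog entry in this hunk is the only description of the fix visible here (the view is limited to ChangeLog, so the imlib.c change named in the subject is not shown), and it understates what is left open. `wget --no-clobber` only makes wget skip the download when the output path already exists; it does not make the path unpredictable, and the commit message says the name is derived from feh's PID and the URL, which is the root cause. Two consequences follow from "skip if it exists" and belong in the entry: a pre-planted dangling symlink still gets the attacker a file created at a path of their choosing (the entry does say this), and a pre-created regular file at the predicted path means feh now quietly displays the attacker's content instead of the URL. Suggest wording the entry as a partial mitigation and pointing at the real fix, an unpredictable name created with O_CREAT|O_EXCL (mkstemp-style), which the commit message defers to the planned libcurl switch; "TOCTTOU-based hole" would also read better spelled out as "time-of-check-to-time-of-use race".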
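The commit message describes a predictable download path (PID plus URL), an existence check added via `wget --no-clobber`, and a dangling symlink that still lets an attacker create a file of their choosing. The following C program is an added illustration of that race and of the atomic `O_CREAT|O_EXCL|O_NOFOLLOW` open that closes it; it is not feh's code and does not reproduce feh's actual naming scheme. The `feh_<pid>_<url-name>` path layout, the victim PID 4242, the file name `cat.png` and the sample body bytes are all assumptions made up for the demo. It stages the attack in a private temp directory: a dangling symlink is planted at the predicted path, and the two savers are run against it.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define BUFLEN 256

/* Constructed stand-in for the bytes wget would write for the fetched URL. */
static const char SAMPLE_BODY[] = "constructed sample image bytes\n";

/* Attacker-predictable output path. The "<dir>/feh_<pid>_<url-name>" scheme
 * is an assumption for illustration; the commit message only says the real
 * name depends on feh's PID and the URL. */
static void predictable_path(char *out, size_t len, const char *dir,
                             pid_t pid, const char *url_name) {
    snprintf(out, len, "%s/feh_%ld_%s", dir, (long)pid, url_name);
}

/* Check-then-write, i.e. what --no-clobber does inside wget: skip if the
 * path exists, otherwise create it. stat() follows symlinks, so a dangling
 * link looks like "does not exist"; fopen() then follows the same link and
 * creates the attacker-chosen target. That is the remaining "create
 * arbitrary files" hole from the commit message. */
static int save_check_then_write(const char *path, const char *body) {
    struct stat st;
    if (stat(path, &st) == 0) {
        errno = EEXIST;
        return -1;
    }
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs(body, f);
    fclose(f);
    return 0;
}

/* Hardened variant: the kernel checks and creates atomically. O_CREAT|O_EXCL
 * fails with EEXIST if anything is at `path`, including a symlink whether or
 * not it dangles; O_NOFOLLOW is defence in depth. (An unpredictable name from
 * mkstemp() would additionally remove the guessable path.) */
static int save_create_excl(const char *path, const char *body) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    size_t len = strlen(body);
    ssize_t n = write(fd, body, len);
    close(fd);
    return (n == (ssize_t)len) ? 0 : -1;
}

/* Stage the attack in a fresh private directory: the attacker, knowing the
 * PID and URL, plants a dangling symlink at the predicted path pointing at a
 * not-yet-existing file they want created. Returns 0 on success. */
static int stage_attack(char *dir, char *planted, char *target) {
    const char *tmp = getenv("TMPDIR");
    snprintf(dir, BUFLEN, "%s/fehdemo.XXXXXX", tmp ? tmp : "/tmp");
    if (mkdtemp(dir) == NULL)
        return -1;
    predictable_path(planted, BUFLEN, dir, 4242 /* assumed victim PID */, "cat.png");
    snprintf(target, BUFLEN, "%s/victim_file", dir);
    return symlink(target, planted);
}

static void cleanup(const char *dir, const char *planted, const char *target) {
    unlink(target);
    unlink(planted);
    rmdir(dir);
}

/* Returns 1 if the check-then-write saver created the attacker's target. */
int unsafe_saver_creates_target(void) {
    char dir[BUFLEN], planted[BUFLEN], target[BUFLEN];
    if (stage_attack(dir, planted, target) != 0)
        return -1;
    int rc = save_check_then_write(planted, SAMPLE_BODY);
    struct stat st;
    int created = (rc == 0) && (stat(target, &st) == 0) && S_ISREG(st.st_mode);
    cleanup(dir, planted, target);
    return created;
}

/* Returns 1 if the O_EXCL saver refused with EEXIST and created nothing. */
int excl_saver_refuses_symlink(void) {
    char dir[BUFLEN], planted[BUFLEN], target[BUFLEN];
    if (stage_attack(dir, planted, target) != 0)
        return -1;
    int rc = save_create_excl(planted, SAMPLE_BODY);
    int saved_errno = errno;
    struct stat st;
    int refused = (rc == -1) && (saved_errno == EEXIST) && (stat(target, &st) != 0);
    cleanup(dir, planted, target);
    return refused;
}

int main(void) {
    printf("check-then-write created the attacker's file: %d\n", unsafe_saver_creates_target());
    printf("O_EXCL open refused the planted symlink:     %d\n", excl_saver_refuses_symlink());
    return 0;
}
```

Run it on any Linux or BSD box; the first line prints 1 because the existence check is fooled by the dangling link, the second prints 1 because the atomic create fails on the link itself. Note that a non-dangling link (or a pre-created regular file) passes the existence check the other way: the download is skipped, which is the overwrite protection the commit buys, at the cost of feh then showing whatever the attacker put there.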