[pacman-dev] [PATCH] dload: never return NULL from get_filename

Allan McRae allan at archlinux.org
Mon Oct 7 00:56:21 UTC 2019

On 7/10/19 10:06 am, Dave Reisner wrote:
> Downloads with a Content-Disposition header will typically not include
> slashes. When they do, we should most certainly only take the basename,
> but when they don't, we should treat the header value as the filename.
> Crash introduced in d197d8ab82cf when we started using get_filename
> in order to rightfully avoid an arbitrary file overwrite vulnerability.
> ---
>  lib/libalpm/dload.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)



More information about the pacman-dev mailing list