[pacman-dev] [PATCH v2 3/3] run XferCommand via exec

Andrew Gregory andrew.gregory.8 at gmail.com
Sat Oct 12 14:14:12 UTC 2019


On 10/12/19 at 09:11pm, Allan McRae wrote:
> On 12/10/19 1:45 pm, Andrew Gregory wrote:
> > system() runs the provided command via a shell, which is subject to
> > command injection.  Even though pacman already provides a mechanism to
> > sign and verify the databases containing the urls, certain distributions
> > have yet to get their act together and start signing databases, leaving
> > them vulnerable to MITM attacks.  Replacing the system call with an
> > almost equivalent exec call removes the possibility of a shell-injection
> > attack for those users.
> > 
> > Signed-off-by: Andrew Gregory <andrew.gregory.8 at gmail.com>
> 
> <snip>
> > @@ -230,17 +300,26 @@ static int download_with_xfercommand(const char *url, const char *localpath,
> >  		unlink(destfile);
> >  	}
> >  
> > -	tempcmd = strdup(config->xfercommand);
> > -	/* replace all occurrences of %o with fn.part */
> > -	if(strstr(tempcmd, "%o")) {
> > -		usepart = 1;
> > -		parsedcmd = strreplace(tempcmd, "%o", tempfile);
> > -		free(tempcmd);
> > -		tempcmd = parsedcmd;
> > +	if((argv = calloc(config->xfercommand_argc + 1, sizeof(char*))) == NULL) {
> 
> need to free this at the end.

Updated patch pushed to my repo that fixes this and the misplaced free
and also corrects the indenting in systemvp to use tabs.


More information about the pacman-dev mailing list