~thopiekar/pacman-pm/pacman

Viewing all changes in revision 5635.

  • Committer: Andrew Gregory
  • Date: 2019-10-12 14:04:20 UTC
  • Revision ID: git-v1:808a4f15ce82d2ed7eeb06de73d0f313620558ee
run XferCommand via exec

system() runs the provided command via a shell, which is subject to
command injection.  Even though pacman already provides a mechanism to
sign and verify the databases containing the urls, certain distributions
have yet to get their act together and start signing databases, leaving
them vulnerable to MITM attacks.  Replacing the system call with an
almost equivalent exec call removes the possibility of a shell-injection
attack for those users.

Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
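Added example, not pacman's code and not part of this commit: a hypothetical fork/exec runner for an XferCommand-style template, assuming `%u` and `%o` as placeholders for the URL and output file. It shows why the commit's replacement closes the injection: a constructed URL containing `;` stays inside one argv element, whereas a shell run by system() would have parsed it as a command separator.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Hypothetical stand-in for XferCommand handling, not pacman's own code.
 * The template is split on whitespace into argv; %u becomes the URL and %o
 * the output path. Each value fills exactly one argv slot, so shell
 * metacharacters in a URL (';', '|', '$(...)') reach the program literally. */
#define MAX_ARGS 32
static char *substitute(const char *tok, const char *url, const char *out) {
    if (strcmp(tok, "%u") == 0) return strdup(url);
    if (strcmp(tok, "%o") == 0) return strdup(out);
    return strdup(tok);
}

/* Fill argv (NULL-terminated) from the template; returns argc. */
int build_argv(const char *tmpl, const char *url, const char *out, char **argv) {
    char *copy = strdup(tmpl), *save = NULL, *tok;
    int argc = 0;
    for (tok = strtok_r(copy, " \t", &save); tok && argc < MAX_ARGS - 1;
         tok = strtok_r(NULL, " \t", &save))
        argv[argc++] = substitute(tok, url, out);
    argv[argc] = NULL;
    free(copy);
    return argc;
}
void free_argv(char **argv) { for (int i = 0; argv[i]; i++) free(argv[i]); }
/* fork + execvp: the shell-free replacement for system(). Returns the child's
 * exit status, or -1 if it could not be started or did not exit normally. */
int run_exec(char *const argv[]) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], argv); _exit(127); }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed URL: under system() a shell would run "echo INJECTED" as a
     * second command; under exec it stays inside argv[2] passed to /bin/echo. */
    char *argv[MAX_ARGS];
    build_argv("/bin/echo fetching %u into %o",
               "http://mirror.example/core.db;echo INJECTED", "/tmp/core.db", argv);
    int rc = run_exec(argv); /* echo prints the whole URL, ';' and all */
    free_argv(argv);
    return rc == 0 ? 0 : 1;
}
```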
