run XferCommand via exec

system() runs the provided command via a shell, which is subject to command injection. Even though pacman already provides a mechanism to sign and verify the databases containing the urls, certain distributions have yet to get their act together and start signing databases, leaving them vulnerable to MITM attacks. Replacing the system call with an almost equivalent exec call removes the possibility of a shell-injection attack for those users. Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
author: Andrew Gregory <andrew.gregory.8@gmail.com> 2019-06-09 18:56:36 +0200
committer: Andrew Gregory <andrew.gregory.8@gmail.com> 2019-10-12 16:04:20 +0200
commit: 808a4f15ce82d2ed7eeb06de73d0f313620558ee (patch)
tree: 9676438a2034e4cb7b0aba96b1512a8f8fa84efd /test/pacman/tests/sync200.py
parent: a82b0028e431dbd8bb3512c3193b52985da82ec2 (diff)
download: pacman-808a4f15ce82d2ed7eeb06de73d0f313620558ee.tar.gz
pacman-808a4f15ce82d2ed7eeb06de73d0f313620558ee.tar.xz
1 files changed, 1 insertions, 1 deletions
diff --git a/test/pacman/tests/sync200.py b/test/pacman/tests/sync200.py
index 2bcdd5d3..18f38b81 100644
--- a/test/pacman/tests/sync200.py
+++ b/test/pacman/tests/sync200.py
@@ -1,6 +1,6 @@
 self.description = "Synchronize the local database"
 
-self.option['XferCommand'] = ['/usr/bin/curl %u > %o']
+self.option['XferCommand'] = ['/usr/bin/curl %u -o %o']
 
 sp1 = pmpkg("spkg1", "1.0-1")
 sp1.depends = ["spkg2"]
author	Andrew Gregory <andrew.gregory.8@gmail.com>	2019-06-09 18:56:36 +0200
committer	Andrew Gregory <andrew.gregory.8@gmail.com>	2019-10-12 16:04:20 +0200
commit	808a4f15ce82d2ed7eeb06de73d0f313620558ee (patch)
tree	9676438a2034e4cb7b0aba96b1512a8f8fa84efd /test/pacman/tests/sync200.py
parent	a82b0028e431dbd8bb3512c3193b52985da82ec2 (diff)
download	pacman-808a4f15ce82d2ed7eeb06de73d0f313620558ee.tar.gz pacman-808a4f15ce82d2ed7eeb06de73d0f313620558ee.tar.xz