author | Andrew Gregory <andrew.gregory.8@gmail.com> | 2019-06-09 18:56:36 +0200 |
---|---|---|
committer | Andrew Gregory <andrew.gregory.8@gmail.com> | 2019-10-12 16:04:20 +0200 |
commit | 808a4f15ce82d2ed7eeb06de73d0f313620558ee (patch) | |
tree | 9676438a2034e4cb7b0aba96b1512a8f8fa84efd /test | |
parent | a82b0028e431dbd8bb3512c3193b52985da82ec2 (diff) | |
run XferCommand via exec
system() runs the provided command via a shell, so any shell metacharacters
in the substituted URL are interpreted by that shell, which makes the command
subject to command injection. Even though pacman already provides a mechanism to
sign and verify the databases containing the urls, certain distributions
have yet to get their act together and start signing databases, leaving
them vulnerable to MITM attacks. Replacing the system call with an
almost equivalent exec call removes the possibility of a shell-injection
attack for those users.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Diffstat (limited to 'test')
-rw-r--r-- | test/pacman/tests/sync200.py | 2 | ||||
-rw-r--r-- | test/pacman/tests/xfercommand001.py | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/test/pacman/tests/sync200.py b/test/pacman/tests/sync200.py
index 2bcdd5d3..18f38b81 100644
--- a/test/pacman/tests/sync200.py
+++ b/test/pacman/tests/sync200.py
@@ -1,6 +1,6 @@
 self.description = "Synchronize the local database"
-self.option['XferCommand'] = ['/usr/bin/curl %u > %o']
+self.option['XferCommand'] = ['/usr/bin/curl %u -o %o']
 sp1 = pmpkg("spkg1", "1.0-1")
 sp1.depends = ["spkg2"]
diff --git a/test/pacman/tests/xfercommand001.py b/test/pacman/tests/xfercommand001.py
index 0d244dc6..0ac99080 100644
--- a/test/pacman/tests/xfercommand001.py
+++ b/test/pacman/tests/xfercommand001.py
@@ -3,7 +3,7 @@ self.description = "Quick check for using XferCommand"
 # this setting forces us to download packages
 self.cachepkgs = False
 #wget doesn't support file:// urls. curl does
-self.option['XferCommand'] = ['/usr/bin/curl %u > %o']
+self.option['XferCommand'] = ['/usr/bin/curl %u -o %o']
 numpkgs = 10
 pkgnames = []
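Review bot: Existing user configurations written in the `curl %u > %o` form will stop working once the command is exec'd without a shell, exactly as this fixture had to be rewritten, and nothing in the hunk or the description indicates that pacman.conf(5) or NEWS is updated to say that redirections, pipes and shell quoting are no longer available in XferCommand. That user-visible format change belongs in the documentation and release notes alongside this commit. It would also help the next reader of the fixture to record why the redirection went away, e.g. `# XferCommand is exec'd directly (no shell): write the output with -o, not a redirection`. The rest of the test script continues outside the hunk.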
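Review bot: The updated fixture only exercises the happy path of the new exec-based XferCommand; there is no test asserting the property the commit claims, namely that shell metacharacters in a substituted `%u` are passed literally rather than interpreted. A regression test whose URL contains something like `;` or `$(...)` and which checks that no side effect occurred (and that the download still succeeds or fails cleanly) would pin that behaviour against a future refactor back to a shell. How such a URL can be injected through the pmtest harness is not visible here, so the exact shape of the test needs confirming against the harness. One residual caveat worth a comment: exec removes shell injection but not argument injection, so the implementation should still ensure the substituted URL reaches the command as a single argv entry and cannot be mistaken for an option by the downloader; for URLs built from a mirror prefix this is presumably moot, but it should be stated.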