From 808a4f15ce82d2ed7eeb06de73d0f313620558ee Mon Sep 17 00:00:00 2001
From: Andrew Gregory
Date: Sun, 9 Jun 2019 09:56:36 -0700
Subject: run XferCommand via exec

system() runs the provided command via a shell, which is subject to command injection. Even though pacman already provides a mechanism to sign and verify the databases containing the urls, certain distributions have yet to get their act together and start signing databases, leaving them vulnerable to MITM attacks. Replacing the system call with an almost equivalent exec call removes the possibility of a shell-injection attack for those users.

Signed-off-by: Andrew Gregory
---
 test/pacman/tests/sync200.py | 2 +-
 test/pacman/tests/xfercommand001.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
(limited to 'test')

diff --git a/test/pacman/tests/sync200.py b/test/pacman/tests/sync200.py
index 2bcdd5d3..18f38b81 100644
--- a/test/pacman/tests/sync200.py
+++ b/test/pacman/tests/sync200.py
@@ -1,6 +1,6 @@
 self.description = "Synchronize the local database"
 
-self.option['XferCommand'] = ['/usr/bin/curl %u > %o']
+self.option['XferCommand'] = ['/usr/bin/curl %u -o %o']
 
 sp1 = pmpkg("spkg1", "1.0-1")
 sp1.depends = ["spkg2"]
diff --git a/test/pacman/tests/xfercommand001.py b/test/pacman/tests/xfercommand001.py
index 0d244dc6..0ac99080 100644
--- a/test/pacman/tests/xfercommand001.py
+++ b/test/pacman/tests/xfercommand001.py
@@ -3,7 +3,7 @@ self.description = "Quick check for using XferCommand"
 # this setting forces us to download packages
 self.cachepkgs = False
 #wget doesn't support file:// urls. curl does
-self.option['XferCommand'] = ['/usr/bin/curl %u > %o']
+self.option['XferCommand'] = ['/usr/bin/curl %u -o %o']
 
 numpkgs = 10
 pkgnames = []
-- 
cgit v1.2.3-24-g4f1b
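Review bot: Neither updated fixture records why the shell redirect became `-o`, so a later edit to the `self.option['XferCommand']` line in sync200.py (and the same line in xfercommand001.py) could reintroduce a shell construct that silently stops working once XferCommand is exec'd directly; a comment above each assignment such as `# XferCommand is exec'd without a shell, so use curl -o rather than a redirect` would pin that. The commit message gives the motivation (removing shell interpretation of the substituted `%u`), but these changes only keep the existing tests passing and add no regression coverage for the fix itself; a pmtest fixture whose download URL contains shell metacharacters, asserting they are passed through literally rather than interpreted, would guard against a future return to a shell-based invocation. Both files are flat test scripts, so no enclosing function is cut by either hunk.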