Change #274574
| Category | wget |
| Changed by | Acts1631 <acts1611kjv@proton.me> |
| Changed at | Sun 12 Jul 2026 11:03:50 |
| Repository | https://gitlab.com/gnuwget/wget.git |
| Project | wget |
| Branch | master |
| Revision | 5a31b8481cf9144acdec71159ade7bba1fa97ee7 |
Comments
http: reject symlink replacement before retry writes * src/http.c (open_output_stream): Safely reopen download targets after a partial transfer. * src/ftp.c (getftp): Likewise. * src/utils.c (fopen_nofollow): New function. * src/utils.h: Declare it. After a partial HTTP or FTP transfer, Wget reopens the local target by pathname. An attacker who can modify the download directory can replace the partially written file with a symlink before that reopen, causing Wget to append to or overwrite the symlink target with its own privileges. Use an inode-checked reopen helper for existing regular files. It uses O_NOFOLLOW where available and validates the opened descriptor before writing or truncating it. A replacement symlink is rejected, and later pathname changes cannot redirect the already-open descriptor. When --start-pos requests a non-existent target, create it exclusively so the normal download path continues to work. Copyright-paperwork-exempt: Yes
Changed files
- src/ftp.c
- src/http.c
- src/utils.c
- src/utils.h