Commit b9fd6312, authored by Austin English, committed by anonym

Fix CVE-2015-7665 against wget in Tails.

Force --passive-ftp in our wget wrapper, and use dpkg-divert to
replace /usr/bin/wget instead of having a second wget in $PATH.

Will-fix: #10364
parent dfa1d43d
#!/bin/sh
set -e
# We don't want the real binary to be in $PATH:
# Also note that wget uses the executable name in some help/error messages,
# so wget-real/etc. should be avoided.
mkdir -p /usr/lib/wget
dpkg-divert --add --rename --divert /usr/lib/wget/wget /usr/bin/wget
# We don't want users or other applications using wget directly:
cat > /usr/bin/wget << 'EOF'
#!/bin/sh
unset http_proxy
unset HTTP_PROXY
unset https_proxy
unset HTTPS_PROXY
exec torsocks /usr/lib/wget/wget --passive-ftp "$@"
EOF
chmod 755 /usr/bin/wget
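Review bot: In the generated wrapper, `--passive-ftp` sits before `"$@"` on the `exec torsocks /usr/lib/wget/wget --passive-ftp "$@"` line, so it behaves as a default rather than a forced setting: wget lets a later occurrence of an option override an earlier one, and a caller that passes `--no-passive-ftp` gets active mode back. If the intent is to force passive mode, as the commit message says, either have the wrapper refuse that option before the `exec` or say in a comment that the flag is only a default. The heredoc also carries no comment tying the flag to CVE-2015-7665, which would help whoever edits the wrapper next, and the `unset` list covers the HTTP and HTTPS proxy variables but not `ftp_proxy`, which wget also reads.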
#!/bin/sh
unset http_proxy
unset HTTP_PROXY
unset https_proxy
unset HTTPS_PROXY
exec torsocks /usr/bin/wget "$@"