
Silently fails when curl is missing #18

Open
oyeb opened this issue Oct 18, 2016 · 2 comments
Comments

oyeb commented Oct 18, 2016

It even says download complete!

rkrp commented Oct 23, 2016

@arrow- and @SachinKamath: instead of spawning curl via os.system(), it is better to download the target file using the requests library. It would make a secure, cross-platform solution.

Just imagine if our upstream URL provider decides to play nasty and final_link[0] here ends up as

|| :(){ :|: & };:

We would end up executing,

curl -O || :(){ :|: & };:

which will drop a fork bomb on the user's system. Our app is currently vulnerable to command injection.
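
Added example (not the project's code and not part of the comment above): it shows the shell-string pattern the comment describes, a URL check, a no-shell argument-vector form for curl, and the streamed requests download the comment proposes. The link values, the `example.test` host and the fake fetcher are constructed for the demonstration.

```python
import os
import tempfile
from urllib.parse import urlparse

def unsafe_curl_command(final_link: str) -> str:
    # Mirrors the pattern criticised above: the link is pasted straight into a
    # shell string, so "||", ";" or "$(...)" in it are parsed by the shell.
    return "curl -O " + final_link  # built for inspection only, never executed

def validate_download_url(link: str) -> bool:
    # Accept only absolute http(s) URLs with a host and no whitespace or
    # control characters; anything else is refused before any fetch happens.
    parsed = urlparse(link)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return False
    return not any(ch.isspace() or ord(ch) < 0x20 for ch in link)

def build_curl_argv(link: str) -> list:
    # If curl must stay: hand this vector to subprocess.run with shell=False.
    # No shell parses it, so metacharacters are inert, and "--" stops curl
    # from reading a link that starts with "-" as an option.
    if not validate_download_url(link):
        raise ValueError("refusing to download from %r" % link)
    return ["curl", "-O", "--", link]

def _requests_chunks(link, timeout=30):
    # The fix proposed in the thread: fetch with requests, streamed to disk.
    import requests  # third-party; imported lazily so the rest runs without it
    with requests.get(link, stream=True, timeout=timeout) as resp:
        resp.raise_for_status()
        yield from resp.iter_content(chunk_size=64 * 1024)

def download_file(link: str, dest_path: str, fetch_chunks=_requests_chunks) -> int:
    # Validate the link, then write the fetched chunks. Returns bytes written.
    if not validate_download_url(link):
        raise ValueError("refusing to download from %r" % link)
    written = 0
    with open(dest_path, "wb") as fh:
        for chunk in fetch_chunks(link):
            fh.write(chunk)
            written += len(chunk)
    return written

def demo_offline_download() -> int:
    # Offline check: a constructed fake fetcher stands in for requests.
    fake = lambda url: [b"abc", b"def"]
    with tempfile.TemporaryDirectory() as d:
        return download_file("https://example.test/f.bin",
                             os.path.join(d, "f.bin"), fetch_chunks=fake)
```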

rkrp commented Oct 24, 2016

cc @SouravJohar who introduced it.
