Code execution hole in feh --wget-timestamp

For feh versions <= 1.7 down to at least 1.3.4, feh -G/--wget-timestamp contains an arbitrary code execution hole when called with malicious URLs containing shell characters.

The problem is that --wget-timestamp does a system() call to /bin/cp, handing it the unescaped URL. If the URL were to contain a sequence like ';something', "something" would be interpreted and executed as a new shell command.

Constraints: The user must use --wget-timestamp, the URL's command part may (apparently) not contain "obfuscation" like %20 for space etc., and the remote file must exist on the server.

Example: Try feh --wget-timestamp 'https://derf.homelinux.org/stuff/foo;touch lol_hax'. Result.
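The pattern described above next to a shell-free replacement, as an added example (not feh's source code and not the fix that went into 1.8). The function names, the "/bin/cp %s %s" format string and the sample file name are assumptions made for illustration; the code assumes /bin/cp exists.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern (hypothetical reconstruction): the name is pasted into
 * a shell command line, so a ';' inside it ends the cp command and starts a
 * new one. This function only builds the string that would reach system(). */
int build_cp_command(char *buf, size_t len, const char *src, const char *dst)
{
    return snprintf(buf, len, "/bin/cp %s %s", src, dst);
}

/* Hardened form: no shell is involved. Each name is exactly one argv
 * element, and "--" keeps a name starting with '-' from being read as an
 * option. Returns cp's exit status, or -1 on failure. */
int copy_file_argv(const char *src, const char *dst)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "cp", "--", (char *)src, (char *)dst, NULL };
        execv("/bin/cp", argv);
        _exit(127);                 /* only reached if execv failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample name, modelled on the URL in the example above. */
    const char *name = "foo;touch lol_hax";
    char cmd[256];
    build_cp_command(cmd, sizeof cmd, name, "copy");
    printf("a shell would see: %s\n", cmd);

    FILE *f = fopen(name, "w");
    if (!f)
        return 1;
    fputs("image data\n", f);
    fclose(f);
    printf("argv copy exit status: %d\n", copy_file_argv(name, "copy"));
    return 0;
}
```

With the argv form the file named "foo;touch lol_hax" is copied as-is and no lol_hax file appears.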

All in all this is rather improbable, but I'd advise you anyways to update to feh 1.8 ;-)