October 30, 2014 in Classic self-hosted technical help
"It was found that wget was susceptible to a symlink attack which could create arbitrary files, directories or symbolic links and set their permissions when retrieving a directory recursively through FTP," developer Vasyl Kaigorodov wrote in a Red Hat Bugzilla comment.
"This issue can be mitigated by ensuring that all invocations of wget in the mirror mode also specify --retr-symlinks command line option," wrote Tomas Hoger on the Bugzilla report. "Doing so is equivalent to applying the upstream commit linked in comment 14, which changes the default for the retr-symlinks options from off/no to on/yes, preventing creation of symbolic links locally."
"In addition to changing arguments in all scripts or programs that invoke wget, it is possible to enabled[sic] retr-symlinks option via wget configuration file - either global /etc/wgetrc, or user specific ~/.wgetrc - by adding the line: retr-symlinks=on"
Easy and fast fix for Centos run from ssh:
echo "retr-symlinks=on" >> /etc/wgetrc
Enjoy ! :smile:
This topic is now archived and is closed to further replies.
Started 1 hour ago
Started 23 minutes ago
Started September 4