From 6c5471e4834aebd7359d88b760b087136473bac8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20R=C3=BChsen?= Date: Wed, 26 Dec 2018 13:51:48 +0100 Subject: [PATCH 1/2] Don't use extended attributes (--xattr) by default * src/init.c (defaults): Set enable_xattr to false by default * src/main.c (print_help): Reverse option logic of --xattr * doc/wget.texi: Add description for --xattr Users may not be aware that the origin URL and Referer are saved including credentials, and possibly access tokens within the urls. CVE: CVE-2018-20483 patch 1 Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/wget.git/commit/?id=c125d24762962d91050d925fbbd9e6f30b2302f8] Signed-off-by: Aviraj CJ --- doc/wget.texi | 8 ++++++++ src/init.c | 4 ---- src/main.c | 2 +- 3 files changed, 9 insertions(+), 5 deletions(-) diff --git a/doc/wget.texi b/doc/wget.texi index eaf6b380..3f9d7c1c 100644 --- a/doc/wget.texi +++ b/doc/wget.texi @@ -540,6 +540,14 @@ right NUMBER. Set preferred location for Metalink resources. This has effect if multiple resources with same priority are available. +@cindex xattr +@item --xattr +Enable use of file system's extended attributes to save the +original URL and the Referer HTTP header value if used. + +Be aware that the URL might contain private information like +access tokens or credentials. + @cindex force html @item -F diff --git a/src/init.c b/src/init.c index eb81ab47..800970c5 100644 --- a/src/init.c +++ b/src/init.c @@ -509,11 +509,7 @@ defaults (void) opt.hsts = true; #endif -#ifdef ENABLE_XATTR - opt.enable_xattr = true; -#else opt.enable_xattr = false; -#endif } /* Return the user's home directory (strdup-ed), or NULL if none is diff --git a/src/main.c b/src/main.c index 81db9319..6ac1621b 100644 --- a/src/main.c +++ b/src/main.c @@ -754,7 +754,7 @@ Download:\n"), #endif #ifdef ENABLE_XATTR N_("\ - --no-xattr turn off storage of metadata in extended file attributes\n"), + --xattr turn on storage of metadata in extended file attributes\n"), #endif "\n", -- 2.19.1