Security update for “wget”

One of the tools we offer our customers is the “wget” program, which can be used to fetch files from other Web or FTP servers.

It turns out that wget has a security bug that needs to be avoided. As a result, the behavior of wget has changed in some situations. If you use wget (most of our customers don’t), you should be aware of this change.

The problem

If wget requests a file with an innocuous name from another server, but that server replies with a “redirect” to a file with a malicious name, wget will save the file with the malicious name instead.

As an example, imagine you run this command and expect wget to save a file named “feed.rss” at the top level of your site:

$ wget http://example.com/feed.rss

However, the remote server redirects the original request to a malicious file at:

http://example.com/index.html

In that situation, wget will actually save the file as “index.html” on your site, potentially changing your home page to something awful. More complex attacks that actually run malicious code are also possible.

The solution

A wget security update that we installed today changes how it handles a redirect. By default, it now saves the file under the original name (“feed.rss” in the example above) instead of a new name the server provides.

This change will not affect most people who use wget. However, if you do use wget to request URLs that redirect to a new name, and you rely on wget saving the file using that new name despite the security risks, you’ll need to start using wget’s “--use-server-file-name” option to keep it working the way you expect.
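To make the redirect problem and the fix concrete, here is an added example (it is not part of the original notice and is not wget's own code). It starts a small local HTTP server, constructed for the demo, that answers a request for "/feed.rss" with a redirect to "/index.html", then downloads "feed.rss" twice: once saving under the server-chosen name (the old, unsafe behaviour) and once under the originally requested name (the patched default). The `fetch`, `basename_of` and `demo` functions and the port-0 localhost server are assumptions of this example, not anything from the update itself.

```python
import os
import posixpath
import tempfile
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse


# Constructed stand-in for the remote site: "/feed.rss" redirects to
# "/index.html", and every other path serves a small HTML body.
class RedirectingHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/feed.rss":
            self.send_response(302)
            self.send_header("Location", "/index.html")
            self.end_headers()
            return
        body = b"<html>replaced home page</html>\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Start the constructed redirecting server on an ephemeral localhost port."""
    srv = HTTPServer(("127.0.0.1", 0), RedirectingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def basename_of(url):
    """Last path component of a URL, defaulting to index.html like wget does."""
    name = posixpath.basename(urlparse(url).path)
    return name or "index.html"


def fetch(url, dest_dir, trust_server_name=False):
    """Download url into dest_dir, following redirects; return the saved name.

    trust_server_name=False (the patched default described above) names the
    file after the URL the caller asked for. trust_server_name=True names it
    after the final, server-chosen URL, which is the behaviour the bug exposed.
    """
    with urllib.request.urlopen(url) as resp:   # urllib follows the 302 itself
        final_url = resp.geturl()
        data = resp.read()
    name = basename_of(final_url if trust_server_name else url)
    # Whichever name wins, never let it escape dest_dir or be empty.
    if name in ("", ".", "..") or "/" in name:
        raise ValueError(f"unsafe filename {name!r}")
    path = os.path.join(dest_dir, name)
    with open(path, "wb") as f:
        f.write(data)
    return name


def demo():
    """Return (unsafe_name, safe_name) for the same redirected request."""
    srv = start_server()
    base = f"http://127.0.0.1:{srv.server_port}"
    with tempfile.TemporaryDirectory() as d:
        unsafe = fetch(f"{base}/feed.rss", d, trust_server_name=True)
        safe = fetch(f"{base}/feed.rss", d, trust_server_name=False)
    srv.shutdown()
    return unsafe, safe


if __name__ == "__main__":
    print(demo())  # ('index.html', 'feed.rss')
```

Run it and the first download lands as "index.html", exactly the overwrite the notice warns about, while the second lands as "feed.rss" even though the bytes came from the redirect target. If a script genuinely needs the server's name, the safest habit is to pin the output path explicitly (wget's "-O" does this) rather than trusting whatever name a redirect supplies.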