joey@darkstar:~/tmp/y>ln -s /etc/passwd README
joey@darkstar:~/tmp/y>ls
README@
joey@darkstar:~/tmp/y>wget -O foo ftp://ftp.funet.fi/pub/Linux/mirrors/debian/README
--2015-05-05 13:17:22-- ftp://ftp.funet.fi/pub/Linux/mirrors/debian/README
=> ‘foo’
Resolving ftp.funet.fi (ftp.funet.fi)... 193.166.3.2, 2001:708:10:9::20:2
Connecting to ftp.funet.fi (ftp.funet.fi)|193.166.3.2|:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done. ==> PWD ... done.
==> TYPE I ... done. ==> CWD (1) /pub/Linux/mirrors/debian ... done.
==> SIZE README ... 1495
==> PASV ... done. ==> RETR README ... done.
Length: 1495 (1.5K) (unauthoritative)
README 100%[=====================>] 1.46K 5.45KB/s in 0.3s
2015-05-05 13:17:28 (5.45 KB/s) - ‘foo’ saved [1495]
joey@darkstar:~/tmp/y>ls
foo
Doesn't happen if README is a file rather than a symlink, doesn't happen
when using http. The ftp downloader apparently has a bug..
URL:
<http://savannah.gnu.org/bugs/?45037>
Summary: wget -O foo
ftp://ftp.funet.fi/pub/Linux/mirrors/debian/README deletes README symlink
Project: GNU Wget
Submitted by: nok
Submitted on: Mi 06 Mai 2015 15:36:34 CEST
Category: Program Logic
Severity: 3 - Normal
Priority: 5 - Normal
Status: None
Privacy: Public
Assigned to: None
Originator Name:
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Release: 1.16.3
Operating System: GNU/Linux
Reproducibility: Every Time
Fixed Release: None
Planned Release: None
Regression: None
Work Required: None
Patch Included: No
forwarded 784348 https://savannah.gnu.org/bugs/?45037 found 784348 1.16.3-2 tags 784348 upstream thanks Hello Joey, Am Dienstag, den 05.05.2015, 13:18 -0400 schrieb Joey Hess: ... Thanks for your report. It is reproducible with the latest version 1.16.3 and I forwarded it to the upstream bugtracker. Regards Noël
Update of bug #45037 (project wget):
Status: None => Confirmed
Follow-up Comment #1, bug #45037 (project wget): slightly related bug.. $ ln -s /etc/passwd README $ wget -O README http://foo.bar README: Permission denied
Follow-up Comment #2, bug #45037 (project wget): Use -d to get Unlinking README (symlink). In ftp.c you will find those lines: /* Remove it if it's a link. */ remove_link (con->target); This is done by purpose (I just can guess why: not to overwrite the content the link points to). The question is: is it a bug or a feature ? Should we just document this behaviour (maybe it already is).
Follow-up Comment #3, bug #45037 (project wget): It's clearly a bug. If we are downloading README to local file foo, there's no reason to remove the local symlink README. When we want to save into a name where there's currently a symlink, consistency with shell > would dictate just to follow the link on writing, but as that may lead to security issues, replacing with a file may also be acceptable.
I agree. This is definitely a bug. My guess is, we should default to shell like behaviour and provide a command line option to instead replace the file, if the user wishes so. Given that this is a clearly documented feature of Wget, that -O is supposed to work as shell redirection, I think it should not pose too many issues. Yes, there is the security risk where another file may be overwritten, but I think the user should be careful about those.
This definitely is a bug. I've attached a small fix for this particular issue. If no one has any issues with it, I'll push it in a day. Although, I think we should also look into the issue Giuseppe found, and also the point that Angel raised about compatibility with shell like redirection.
Hi Darshit, your patch doesn't work as expected. $ cat abc >xxx $ ln -s xxx foo $ ln -s /etc/passwd README $ ../src/wget -O foo ftp://ftp.funet.fi/pub/Linux/mirrors/debian/README ... $ ls -la lrwxrwxrwx 1 oms users 11 May 7 09:28 README -> /etc/passwd -rw-r--r-- 1 oms users 1495 May 7 09:30 xxx 'foo' doesn't exist and 'xxx' has been overwritten !!! Regards, Tim
Aah! It was a quick patch I wrote and had tested only one scenario. Which is why I wanted some reviews before pushing it. Seems like it'll take slightly more effort to fix this. I'll take a look again today evening.
I was thinking in a recursive download creating a symlink and then following it, using the same code path. If the user explicitely requested wget -O symlink, it's the user responsability.