ref: 1013779e740cebcc06bcd14881f8522911fba4b0
parent: b4a9468fdd4674b838ece2c448a7f81a9c330899
author: cinap_lenrek <[email protected]>
date: Thu Jun 8 05:08:59 EDT 2017
stats: get rid of the legacy import fallback

using legacy import is dangerous as it is unencrypted by default, so a man in the middle can force the fallback to the import protocol and then take over the connection to the remote machine, gaining full access to it.
--- a/sys/src/cmd/stats.c
+++ b/sys/src/cmd/stats.c
@@ -548,7 +548,6 @@
int pid;
snprint(mpt, sizeof mpt, "/n/%s", p);
- snprint(buf, sizeof buf, "rimport %q / %q || import %q / %q", name, mpt, name, mpt);
pid = fork();
switch(pid){
@@ -556,7 +555,7 @@
fprint(2, "can't fork: %r\n");
return 0;
case 0:
- execl("/bin/rc", "rc", "-c", buf, nil);
+ execl("/bin/rimport", "rimport", name, "/", mpt, nil);
fprint(2, "can't exec: %r\n");
exits("exec");
}
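Review bot: `name` now reaches rimport as a bare argv element in the `execl` call, so a machine name that begins with `-` would presumably be parsed as an option rather than a host. Where `name` comes from is not visible in this hunk, but a guard before the fork such as `if(name[0] == '-') return 0;` would keep it from being read as a flag. It is also worth a comment above the `execl` recording why there is no fallback, so it is not reintroduced later: `/* no fallback to import: it is unencrypted by default, so a man in the middle could force the downgrade */`. The enclosing function begins and ends outside the hunk, so check whether `buf` is still used there now that its only visible writer and reader are gone.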