[LON-CAPA-cvs] cvs: loncom / lcuseradd
albertel
lon-capa-cvs@mail.lon-capa.org
Thu, 05 Aug 2004 20:47:27 -0000
albertel Thu Aug 5 16:47:27 2004 EDT
Modified files:
/loncom lcuseradd
Log:
- BUG#3238 was not properly handling taint
Index: loncom/lcuseradd
diff -u loncom/lcuseradd:1.26 loncom/lcuseradd:1.27
--- loncom/lcuseradd:1.26 Thu Aug 5 06:56:55 2004
+++ loncom/lcuseradd Thu Aug 5 16:47:27 2004
@@ -5,16 +5,8 @@
# lcuseradd - LON-CAPA setuid script to coordinate all actions
# with adding a user with filesystem privileges (e.g. author)
#
-# YEAR=2002
-# May 19, 2002 Ron Fox
-# - Removed creation of the pulic_html directory. This directory
-# can now be added in two ways:
-# o The user can add it themselves if they want some local web
-# space which may or may not contain construction items.
-# o LonCapa will add it if/when the user is granted an Author
-# role.
#
-# $Id: lcuseradd,v 1.26 2004/08/05 10:56:55 foxr Exp $
+# $Id: lcuseradd,v 1.27 2004/08/05 20:47:27 albertel Exp $
###
###############################################################################
@@ -258,6 +250,9 @@
print "Done adding user\n" unless $noprint;
# Make www a member of that user group.
my $groups=`/usr/bin/groups www` or &Exit(6);
+# untaint
+my ($safegroups)=($groups=~/([\s\w]+)/);
+$groups=$safegroups;
chomp $groups; $groups=~s/^\S+\s+\:\s+//;
my @grouplist=split(/\s+/,$groups);
my @ugrouplist=grep {!/www|$safeusername/} @grouplist;
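Review bot: The untaint pattern in `my ($safegroups)=($groups=~/([\s\w]+)/);` is unanchored and its character class excludes `:`, so when the `groups` output has the `name : group ...` shape that the next line's `s/^\S+\s+\:\s+//` expects, the capture stops before the colon and the real group list is dropped. `$safegroups` is also left undefined when nothing matches, and the script carries on with an empty list. I would anchor the match, capture only the list after the optional prefix, and fail closed: `my ($safegroups)=($groups=~/^(?:\S+\s+:\s+)?([\w\s-]+)$/) or &Exit(6);` (the `-` is there because group names may contain hyphens; drop it if this site never uses them). The surrounding code starts and ends outside this hunk, so how `@ugrouplist` is consumed is not visible here.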
@@ -324,9 +319,9 @@
open(PID,'/var/run/httpd.pid');
my $pid=<PID>;
close(PID);
- $pid=~s/\D+//g;
+ my ($safepid)=($pid=~s/(\D+)//g);
if ($pid) {
- system('kill','-USR1',"$pid");
+ system('kill','-USR1',"$safepid");
}
}
# -------------------------------------------------------- Exit script
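Review bot: `my ($safepid)=($pid=~s/(\D+)//g);` does not untaint the pid, because `s///` returns the number of substitutions made (or an empty string) rather than the captures, and the group matches the non-digits anyway. With a pid file holding digits and a trailing newline, `$safepid` would be `1`, so this setuid script would send `-USR1` to process 1 instead of httpd; `$pid` itself stays tainted and is still what `if ($pid)` tests. Use a plain anchored match and test its result: `my ($safepid)=($pid=~/^\s*(\d+)\s*$/);` followed by `if ($safepid) {`. The `open` of `/var/run/httpd.pid` on the context line above is unchecked, so `$pid` can also be undefined here; the enclosing block begins outside the hunk.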