[LON-CAPA-cvs] cvs: loncom / lchtmldir

albertel lon-capa-cvs@mail.lon-capa.org
Thu, 05 Aug 2004 20:33:51 -0000


albertel		Thu Aug  5 16:33:51 2004 EDT

  Modified files:              
    /loncom	lchtmldir 
  Log:
  i- part of BUG#3238, lchtmldir was incorretly using tainted data, 
  
  
Index: loncom/lchtmldir
diff -u loncom/lchtmldir:1.5 loncom/lchtmldir:1.6
--- loncom/lchtmldir:1.5	Thu May 13 16:44:38 2004
+++ loncom/lchtmldir	Thu Aug  5 16:33:50 2004
@@ -1,4 +1,4 @@
-#!/usr/bin/perl
+#!/usr/bin/perl -w
 
 # The Learning Online Network with CAPA
 #
@@ -214,8 +214,8 @@
 # Based on the authentiation mode, set the ownership of the directory.
 
 if($authentication eq "unix:") {	# Unix mode authentication...
-    &System("/bin/chown -R   $username".":".$username." ".$fulldir);
-    &JoinGroup($username);
+    &System("/bin/chown -R   $safeuser".":".$safeuser." ".$fulldir);
+    &JoinGroup($safeuser);
 } else {
     # Internal, Kerberos, and Local authentication are for users
     # who do not have unix accounts on the system.  Therefore we
@@ -268,6 +268,9 @@
     my $usergroup = shift;
 
     my $groups = `/usr/bin/groups www`;
+    # untaint
+    my ($safegroups)=($groups=~/([\s\w]+)/);
+    $groups=$safegroups;
     chomp $groups; $groups=~s/^\S+\s+\:\s+//;
     my @grouplist=split(/\s+/,$groups);
     my @ugrouplist=grep {!/www|$usergroup/} @grouplist;
@@ -285,11 +288,11 @@
 
 
 sub System {
-    my $command = shift;
+    my ($command,@args) = @_;
     if($DEBUG) {
-	print("system: $command \n");
+	print("system: $command with args ".join(' ',@args)."\n");
     }
-    system($command);
+    system($command,@args);
 }