make-secnet-sites: Taint the `group' parameter

This comes from the untrusted caller.  It should be tainted before we
use it as a filename.  (Actually in practice it's checked against the
`location' from the header, so this doesn't actually fix a
vulnerability.)

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

diff --git a/make-secnet-sites b/make-secnet-sites
index f14a72524d5c9580ddac78b34f524eadd0dccbfa..668dbf635b02ec9e98533e5e8b261297614074fb 100755 (executable)
--- a/make-secnet-sites
+++ b/make-secnet-sites
@@ -227,6 +227,8 @@ def parse_args():
                        print("Wrong number of arguments")
                        sys.exit(1)
                (header, groupfiledir, sitesfile, group) = av.arg
+               group = Tainted(group,0,'command line')
+               # untrusted argument from caller
                if "USERV_USER" not in os.environ:
                        print("Environment variable USERV_USER not found")
                        sys.exit(1)
@@ -732,14 +734,15 @@ complaints=None # arranges to crash if we complain later
 if service:
        # Put the user's input into their group file, and rebuild the main
        # sites file
-       f=open(groupfiledir+"/T"+group,'w')
+       f=open(groupfiledir+"/T"+group.groupname(),'w')
        f.write("# Section submitted by user %s, %s\n"%
                (user,time.asctime(time.localtime(time.time()))))
        f.write("# Checked by make-secnet-sites version %s\n\n"%VERSION)
        for i in userinput: f.write(i)
        f.write("\n")
        f.close()
-       os.rename(groupfiledir+"/T"+group,groupfiledir+"/R"+group)
+       os.rename(groupfiledir+"/T"+group.groupname(),
+                 groupfiledir+"/R"+group.groupname())
        f=open(sitesfile+"-tmp",'w')
        f.write("# sites file autogenerated by make-secnet-sites\n")
        f.write("# generated %s, invoked by %s\n"%