From: Ian Jackson Date: Thu, 24 Oct 2019 14:39:08 +0000 (+0100) Subject: make-secnet-sites: Taint the `group' parameter X-Git-Tag: v0.5.0~17 X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=secnet.git;a=commitdiff_plain;h=1699c102b7b7d76a66aaf65832cda1476171671f make-secnet-sites: Taint the `group' parameter This comes from the untrusted caller. It should be tainted before we use it as a filename. (Actually in practice it's checked against the `location' from the header, so this doesn't actually fix a vulnerability.) Signed-off-by: Ian Jackson --- diff --git a/make-secnet-sites b/make-secnet-sites index f14a725..668dbf6 100755 --- a/make-secnet-sites +++ b/make-secnet-sites @@ -227,6 +227,8 @@ def parse_args(): print("Wrong number of arguments") sys.exit(1) (header, groupfiledir, sitesfile, group) = av.arg + group = Tainted(group,0,'command line') + # untrusted argument from caller if "USERV_USER" not in os.environ: print("Environment variable USERV_USER not found") sys.exit(1) @@ -732,14 +734,15 @@ complaints=None # arranges to crash if we complain later if service: # Put the user's input into their group file, and rebuild the main # sites file - f=open(groupfiledir+"/T"+group,'w') + f=open(groupfiledir+"/T"+group.groupname(),'w') f.write("# Section submitted by user %s, %s\n"% (user,time.asctime(time.localtime(time.time())))) f.write("# Checked by make-secnet-sites version %s\n\n"%VERSION) for i in userinput: f.write(i) f.write("\n") f.close() - os.rename(groupfiledir+"/T"+group,groupfiledir+"/R"+group) + os.rename(groupfiledir+"/T"+group.groupname(), + groupfiledir+"/R"+group.groupname()) f=open(sitesfile+"-tmp",'w') f.write("# sites file autogenerated by make-secnet-sites\n") f.write("# generated %s, invoked by %s\n"%