--- loncom/Attic/lchtmldir	2005/06/21 11:00:21	1.17
+++ loncom/Attic/lchtmldir	2010/10/12 09:53:45	1.22
@@ -2,6 +2,8 @@
 
 # The Learning Online Network with CAPA
 #
+# $Id: lchtmldir,v 1.22 2010/10/12 09:53:45 foxr Exp $
+#
 # Copyright Michigan State University Board of Trustees
 #
 # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
@@ -70,11 +72,13 @@ use strict;
 use Fcntl qw(:mode);
 use DirHandle;
 use POSIX;
+use lib '/home/httpd/lib/perl/';
+use LONCAPA qw(:match);
 
 $ENV{'PATH'} = '/bin:/usr/bin:/usr/local/sbin:/home/httpd/perl';
 delete @ENV{qw{IFS CDPATH ENV BASH_ENV}};
 
-my $DEBUG = 1;                         # .nonzero -> Debug printing enabled.
+my $DEBUG = 0;                         # .nonzero -> Debug printing enabled.
 my $path_sep = "/";		# Unix like operating systems.
 
 
@@ -84,8 +88,8 @@ if ($DEBUG) {
     print("Checking uid...\n");
 }
 my $wwwid = getpwnam('www');
-&DisableRoot;
-if($wwwid != $>) {
+
+if($wwwid != $<) {
     if ($DEBUG) {
 	print("User ID incorrect.  This program must be run as user 'www'\n");
     }
@@ -125,14 +129,14 @@ if( $authentication ne "unix:"     &&
     $authentication ne "localauth:") {
     if($DEBUG) {
 	print("Invalid authentication parameter: ".$authentication."\n");
-	print("Should be one of: unix, internal, krb4, localauth\n");
+	print("Should be one of-- unix: internal: krb4: krb5: localauth:\n");
     }
     exit 3;
 }
 
 # Untaint the username.
 
-my $match = $username =~ /^(\w+)$/;
+my $match = $username =~ /^($match_username)$/;
 my $patt  = $1;
  
 if($DEBUG) {
@@ -144,7 +148,7 @@ my $safeuser = $patt;
 if($DEBUG) {
     print("Save username = $safeuser \n");
 }
-if(($username ne $safeuser) or ($safeuser!~/^[A-z]/)) {
+if($username ne $safeuser) {
     if($DEBUG) {
 	print("User name $username had illegal characters\n");
     }
@@ -154,32 +158,30 @@ if(($username ne $safeuser) or ($safeuse
 #untaint the base directory require that the dir contain only 
 # alphas, / numbers or underscores, and end in /$safeuser
 
-$dir =~ /(^([\w\/]+))/;
 
-my $dirtry1 = $1;
 
-$dir =~ /$\/$safeuser/;
-my $dirtry2 = $1;
+my ($allowed_dir) = ($dir =~ m{(^([/]|$match_username)+)});
 
-if(($dirtry1 ne $dir) or ($dirtry2 ne $dir)) {
+my $has_correct_end = ($dir =~ m{/\Q$safeuser\E$});
+
+if(($allowed_dir ne $dir) or (!$has_correct_end)) {
     if ($DEBUG) {
 	print("Directory $dir is not a valid home for $safeuser\n");
     }
     exit 5;
 }
 
-
 # As root, create the directory.
 
-my $homedir = $dirtry1;
+my $homedir = $allowed_dir;
 my $fulldir = $homedir."/public_html";
 
 if($DEBUG) {
     print("Full directory path is: $fulldir \n");
 }
-if(!( -e $dirtry1)) {
+if(!( -e $homedir)) {
     if($DEBUG) {
-	print("User's home directory $dirtry1 does not exist\n");
+	print("User's home directory $homedir does not exist\n");
     }
     if ($authentication eq "unix:") {
         exit 6;