Bug 143574 - taint errors with alternate formats. Also make data/template

checksetup.pl

@@ -841,6 +841,8 @@ END
     if (-e 'data/template') {
         unless (-d 'data/template' && -e 'data/template/.lastRebuild' &&
                 (stat('data/template/.lastRebuild'))[9] >= $lastTemplateParamChange) {
+            print "Removing existing compiled templates ...\n";
+
             # If File::Path::rmtree reported errors, then I'd use that
             use File::Find;
             sub remove {
@@ -904,6 +906,8 @@ END
     }
 
     {
+        print "Precompiling templates ...\n";
+
         use File::Find;
 
         use Cwd;
@@ -1089,7 +1093,7 @@ if ($my_webservergroup) {
     my $gid = (split " ", $()[0];
     fixPerms('.htaccess', $<, $gid, 022); # glob('*') doesn't catch dotfiles
     fixPerms('data/.htaccess', $<, $gid, 022);
-    fixPerms('data/template', $<, $gid, 022, 1);
+    fixPerms('data/template', $<, $gid, 000, 1); # webserver will write to these
     fixPerms('data/webdot/.htaccess', $<, $gid, 022);
     fixPerms('data/params', $<, $gid, 011);
     fixPerms('*', $<, $gid, 022);

globals.pl

@@ -1680,7 +1680,15 @@ sub GetOutputFormats {
         # Loop over each file in the sub-directory looking for format files
         # (files whose name looks like SCRIPT-FORMAT.EXT.tmpl).
         foreach my $file (@files) {
-            if ($file =~ /^\Q$script\E-(.+)\.(.+)\.(tmpl)$/) {
+            if ($file =~ /^\Q$script\E-(.+)\.(.+)\.tmpl$/) {
+                # This must be a valid file
+                # If an attacker could add a previously unused format
+                # type to trick us into running it, then they could just
+                # change an existing one...
+                # (This implies that running without a webservergroup is
+                # insecure, but that is the case anyway)
+                trick_taint($file);
+
                 $formats->{$1} = { 
                   'template'    => $file , 
                   'extension'   => $2 ,