authorAlin Năstac <mrness@gentoo.org>2008-10-12 10:33:19 +0000
committerAlin Năstac <mrness@gentoo.org>2008-10-12 10:33:19 +0000
commit42b96fb43a4f3ee0ae719efbf99a52aa393f6c50 (patch)
tree97bde3f1fd410668cdff5ed788a950741288407d /www-apps/freeradius-dialupadmin
parentRespect LINGUAS, bug #183086. (diff)
Version bump. Fix insecure usage of temporary files (#240546).
(Portage version: 2.1.4.4)
Diffstat (limited to 'www-apps/freeradius-dialupadmin')
-rw-r--r--www-apps/freeradius-dialupadmin/ChangeLog12
-rw-r--r--www-apps/freeradius-dialupadmin/files/freeradius-dialupadmin-1.80-gentoo.patch32
-rw-r--r--www-apps/freeradius-dialupadmin/files/freeradius-dialupadmin-1.80-tmpfile.patch148
-rw-r--r--www-apps/freeradius-dialupadmin/freeradius-dialupadmin-1.80.ebuild81
4 files changed, 271 insertions, 2 deletions
diff --git a/www-apps/freeradius-dialupadmin/ChangeLog b/www-apps/freeradius-dialupadmin/ChangeLog
index d86336de5468..3464533c5bf0 100644
--- a/www-apps/freeradius-dialupadmin/ChangeLog
+++ b/www-apps/freeradius-dialupadmin/ChangeLog
@@ -1,6 +1,14 @@
# ChangeLog for www-apps/freeradius-dialupadmin
-# Copyright 1999-2007 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/www-apps/freeradius-dialupadmin/ChangeLog,v 1.8 2007/04/14 08:58:32 mrness Exp $
+# Copyright 1999-2008 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/www-apps/freeradius-dialupadmin/ChangeLog,v 1.9 2008/10/12 10:33:19 mrness Exp $
+
+*freeradius-dialupadmin-1.80 (12 Oct 2008)
+
+ 12 Oct 2008; Alin Năstac <mrness@gentoo.org>
+ +files/freeradius-dialupadmin-1.80-gentoo.patch,
+ +files/freeradius-dialupadmin-1.80-tmpfile.patch,
+ +freeradius-dialupadmin-1.80.ebuild:
+ Version bump. Fix insecure usage of temporary files (#240546).
14 Apr 2007; Alin Năstac <mrness@gentoo.org> files/setrootpath,
freeradius-dialupadmin-1.70.3.ebuild:
diff --git a/www-apps/freeradius-dialupadmin/files/freeradius-dialupadmin-1.80-gentoo.patch b/www-apps/freeradius-dialupadmin/files/freeradius-dialupadmin-1.80-gentoo.patch
new file mode 100644
index 000000000000..31f8490c5103
--- /dev/null
+++ b/www-apps/freeradius-dialupadmin/files/freeradius-dialupadmin-1.80-gentoo.patch
@@ -0,0 +1,32 @@
+diff -Nru freeradius-server-2.1.1.orig/dialup_admin/Makefile freeradius-server-2.1.1/dialup_admin/Makefile
+--- freeradius-server-2.1.1.orig/dialup_admin/Makefile 2008-10-12 10:13:16.000000000 +0000
++++ freeradius-server-2.1.1/dialup_admin/Makefile 2008-10-12 10:16:16.000000000 +0000
+@@ -4,7 +4,6 @@
+ # Version: $Id: freeradius-dialupadmin-1.80-gentoo.patch,v 1.1 2008/10/12 10:33:19 mrness Exp $
+ #
+
+-include ../Make.inc
+
+ DIALUP_PREFIX := /usr/local/dialup_admin
+ DIALUP_DOCDIR := $(DIALUP_PREFIX)/doc
+diff -Nru freeradius-server-2.1.1.orig/dialup_admin/conf/admin.conf freeradius-server-2.1.1/dialup_admin/conf/admin.conf
+--- freeradius-server-2.1.1.orig/dialup_admin/conf/admin.conf 2008-09-25 08:41:26.000000000 +0000
++++ freeradius-server-2.1.1/dialup_admin/conf/admin.conf 2008-10-12 09:14:12.000000000 +0000
+@@ -204,7 +204,7 @@
+ #
+ # Uncomment to enable ldap debug
+ #
+-ldap_debug: true
++#ldap_debug: true
+ #
+ # Allow for defining the ldap filter used when searching for a user
+ # Variables supported:
+@@ -274,7 +274,7 @@
+ #
+ # Uncomment to enable sql debug
+ #
+-sql_debug: true
++#sql_debug: true
+ #
+ # If set to yes then the HTTP credentials (http authentication)
+ # will be used to connect to the sql server instead of sql_username
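Review bot: The first context line of the Makefile hunk, `# Version: $Id: freeradius-dialupadmin-1.80-gentoo.patch,v 1.1 ... $`, carries this patch file's own name, which suggests CVS keyword expansion rewrote it when the patch was committed. That line presumably no longer matches the upstream Makefile, so the hunk can apply only with fuzz and could fail if the surrounding lines change. Regenerating the hunk so the `$Id$` line is outside its context, or committing the patch with keyword expansion disabled, would keep it exact.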
diff --git a/www-apps/freeradius-dialupadmin/files/freeradius-dialupadmin-1.80-tmpfile.patch b/www-apps/freeradius-dialupadmin/files/freeradius-dialupadmin-1.80-tmpfile.patch
new file mode 100644
index 000000000000..1da5671761ff
--- /dev/null
+++ b/www-apps/freeradius-dialupadmin/files/freeradius-dialupadmin-1.80-tmpfile.patch
@@ -0,0 +1,148 @@
+diff -Nru freeradius-server-2.1.1.orig/dialup_admin/bin/clean_radacct freeradius-server-2.1.1/dialup_admin/bin/clean_radacct
+--- freeradius-server-2.1.1.orig/dialup_admin/bin/clean_radacct 2008-09-25 08:41:26.000000000 +0000
++++ freeradius-server-2.1.1/dialup_admin/bin/clean_radacct 2008-10-12 09:29:50.000000000 +0000
+@@ -5,6 +5,7 @@
+ # Works with mysql and postgresql
+ #
+ use POSIX;
++use File::Temp;
+
+ $conf=shift||'/usr/local/dialup_admin/conf/admin.conf';
+ $back_days = 35;
+@@ -42,11 +43,10 @@
+
+ $query = "DELETE FROM $sql_accounting_table WHERE AcctStopTime IS NULL AND AcctStartTime < '$date';";
+ print "$query\n";
+-open TMP, ">/tmp/clean_radacct.query"
+- or die "Could not open tmp file\n";
+-print TMP $query;
+-close TMP;
+-$command = "$sqlcmd -h$sql_server -u$sql_username $sql_password $sql_database </tmp/clean_radacct.query" if ($sql_type eq 'mysql');
+-$command = "$sqlcmd -U $sql_username -f /tmp/clean_radacct.query $sql_database" if ($sql_type eq 'pg');
+-$command = "$sqlcmd '$sql_server' '$sql_port' '' '$sql_username' '$sql_password' </tmp/clean_radacct.query" if ($sql_type eq 'sqlrelay');
++my ($fh, $tmp_filename) = tempfile() or die "Could not open tmp file\n";
++print $fh $query;
++close $fh;
++$command = "$sqlcmd -h$sql_server -u$sql_username $sql_password $sql_database < $tmp_filename" if ($sql_type eq 'mysql');
++$command = "$sqlcmd -U $sql_username -f $tmp_filename $sql_database" if ($sql_type eq 'pg');
++$command = "$sqlcmd '$sql_server' '$sql_port' '' '$sql_username' '$sql_password' < $tmp_filename" if ($sql_type eq 'sqlrelay');
+ `$command`;
+diff -Nru freeradius-server-2.1.1.orig/dialup_admin/bin/log_badlogins freeradius-server-2.1.1/dialup_admin/bin/log_badlogins
+--- freeradius-server-2.1.1.orig/dialup_admin/bin/log_badlogins 2008-09-25 08:41:26.000000000 +0000
++++ freeradius-server-2.1.1/dialup_admin/bin/log_badlogins 2008-10-12 10:09:58.000000000 +0000
+@@ -14,6 +14,7 @@
+
+ use Date::Manip qw(ParseDate UnixDate);
+ use Digest::MD5;
++use File::Temp;
+ $|=1;
+
+ $file=shift||'none';
+@@ -29,7 +30,8 @@
+ # CHANGE THESE TO MATCH YOUR SETUP
+ #
+ #$regexp = 'from client localhost port 135|from client blabla ';
+-$tmpfile='/var/tmp/sql.input';
++$tmpdir=tempdir( CLEANUP => 1 );
++$tmpfile="$tmpdir/sql.input";
+ #
+ $verbose = 0;
+ #
+diff -Nru freeradius-server-2.1.1.orig/dialup_admin/bin/monthly_tot_stats freeradius-server-2.1.1/dialup_admin/bin/monthly_tot_stats
+--- freeradius-server-2.1.1.orig/dialup_admin/bin/monthly_tot_stats 2008-09-25 08:41:26.000000000 +0000
++++ freeradius-server-2.1.1/dialup_admin/bin/monthly_tot_stats 2008-10-12 09:29:50.000000000 +0000
+@@ -1,5 +1,6 @@
+ #!/usr/bin/perl
+ use POSIX;
++use File::Temp;
+
+ # Log in the mtotacct table aggregated accounting information for
+ # each user spaning in one month period.
+@@ -51,14 +52,13 @@
+ AcctDate <= '$date_end' GROUP BY UserName,NASIPAddress;";
+ print "$query1\n";
+ print "$query2\n";
+-open TMP, ">/tmp/tot_stats.query"
+- or die "Could not open tmp file\n";
+-print TMP "ALTER SESSION SET NLS_TIMESTAMP_TZ_FORMAT='YYYY-MM-DD HH24:MI:SS.FF TZH:TZM';\n" if ($sql_type eq 'oracle');
+-print TMP $query1;
+-print TMP $query2;
+-close TMP;
+-$command = "$sqlcmd -h $sql_server -u $sql_username $sql_password $sql_database </tmp/tot_stats.query" if ($sql_type eq 'mysql');
+-$command = "$sqlcmd -U $sql_username -f /tmp/tot_stats.query $sql_database" if ($sql_type eq 'pg');
++my ($fh, $tmp_filename) = tempfile() or die "Could not open tmp file\n";
++print $fh "ALTER SESSION SET NLS_TIMESTAMP_TZ_FORMAT='YYYY-MM-DD HH24:MI:SS.FF TZH:TZM';\n" if ($sql_type eq 'oracle');
++print $fh $query1;
++print $fh $query2;
++close $fh;
++$command = "$sqlcmd -h $sql_server -u $sql_username $sql_password $sql_database < $tmp_filename" if ($sql_type eq 'mysql');
++$command = "$sqlcmd -U $sql_username -f $tmp_filename $sql_database" if ($sql_type eq 'pg');
+ $command = "$sqlcmd $sql_username/$pass" . "@" . "$sql_database <$tmpfile.$server" if ($sql_type eq 'oracle');
+-$command = "$sqlcmd '$sql_server' '$sql_port' '' '$sql_username' '$sql_password' </tmp/tot_stats.query" if ($sql_type eq 'sqlrelay');
++$command = "$sqlcmd '$sql_server' '$sql_port' '' '$sql_username' '$sql_password' < $tmp_filename" if ($sql_type eq 'sqlrelay');
+ `$command`;
+diff -Nru freeradius-server-2.1.1.orig/dialup_admin/bin/tot_stats freeradius-server-2.1.1/dialup_admin/bin/tot_stats
+--- freeradius-server-2.1.1.orig/dialup_admin/bin/tot_stats 2008-09-25 08:41:26.000000000 +0000
++++ freeradius-server-2.1.1/dialup_admin/bin/tot_stats 2008-10-12 09:29:50.000000000 +0000
+@@ -1,5 +1,6 @@
+ #!/usr/bin/perl
+ use POSIX;
++use File::Temp;
+
+ # Log in the totacct table aggregated daily accounting information for
+ # each user.
+@@ -48,14 +49,13 @@
+ AcctStopTime < '$date_end' GROUP BY UserName,NASIPAddress;";
+ print "$query1\n";
+ print "$query2\n";
+-open TMP, ">/tmp/tot_stats.query"
+- or die "Could not open tmp file\n";
+-print TMP "ALTER SESSION SET NLS_TIMESTAMP_TZ_FORMAT='YYYY-MM-DD HH24:MI:SS.FF TZH:TZM';\n" if ($sql_type eq 'oracle');
+-print TMP $query1;
+-print TMP $query2;
+-close TMP;
+-$command = "$sqlcmd -h $sql_server -u $sql_username $sql_password $sql_database </tmp/tot_stats.query" if ($sql_type eq 'mysql');
+-$command = "$sqlcmd -U $sql_username -f /tmp/tot_stats.query $sql_database" if ($sql_type eq 'pg');
++my ($fh, $tmp_filename) = tempfile() or die "Could not open tmp file\n";
++print $fh "ALTER SESSION SET NLS_TIMESTAMP_TZ_FORMAT='YYYY-MM-DD HH24:MI:SS.FF TZH:TZM';\n" if ($sql_type eq 'oracle');
++print $fh $query1;
++print $fh $query2;
++close $fh;
++$command = "$sqlcmd -h $sql_server -u $sql_username $sql_password $sql_database < $tmp_filename" if ($sql_type eq 'mysql');
++$command = "$sqlcmd -U $sql_username -f $tmp_filename $sql_database" if ($sql_type eq 'pg');
+ $command = "$sqlcmd $sql_username/$pass" . "@" . "$sql_database <$tmpfile.$server" if ($sql_type eq 'oracle');
+-$command = "$sqlcmd '$sql_server' '$sql_port' '' '$sql_username' '$sql_password' </tmp/tot_stats.query" if ($sql_type eq 'sqlrelay');
++$command = "$sqlcmd '$sql_server' '$sql_port' '' '$sql_username' '$sql_password' < $tmp_filename" if ($sql_type eq 'sqlrelay');
+ `$command`;
+diff -Nru freeradius-server-2.1.1.orig/dialup_admin/bin/truncate_radacct freeradius-server-2.1.1/dialup_admin/bin/truncate_radacct
+--- freeradius-server-2.1.1.orig/dialup_admin/bin/truncate_radacct 2008-09-25 08:41:26.000000000 +0000
++++ freeradius-server-2.1.1/dialup_admin/bin/truncate_radacct 2008-10-12 09:29:50.000000000 +0000
+@@ -5,6 +5,7 @@
+ # Works with mysql and postgresql
+ #
+ use POSIX;
++use File::Temp;
+
+ $conf=shift||'/usr/local/dialup_admin/conf/admin.conf';
+ $back_days = 90;
+@@ -44,13 +45,12 @@
+ $query .= "DELETE FROM $sql_accounting_table WHERE AcctStopTime < '$date' AND AcctStopTime IS NOT NULL ;";
+ $query .= "UNLOCK TABLES;" if ($sql_type eq 'mysql');
+ print "$query\n";
+-open TMP, ">/tmp/truncate_radacct.query"
+- or die "Could not open tmp file\n";
+-print TMP "ALTER SESSION SET NLS_TIMESTAMP_TZ_FORMAT='YYYY-MM-DD HH24:MI:SS.FF TZH:TZM';\n" if ($sql_type eq 'oracle');
+-print TMP $query;
+-close TMP;
+-$command = "$sqlcmd -h$sql_server -u$sql_username $sql_password $sql_database </tmp/truncate_radacct.query" if ($sql_type eq 'mysql');
+-$command = "$sqlcmd -U $sql_username -f /tmp/truncate_radacct.query $sql_database" if ($sql_type eq 'pg');
++my ($fh, $tmp_filename) = tempfile() or die "Could not open tmp file\n";
++print $fh "ALTER SESSION SET NLS_TIMESTAMP_TZ_FORMAT='YYYY-MM-DD HH24:MI:SS.FF TZH:TZM';\n" if ($sql_type eq 'oracle');
++print $fh $query;
++close $fh;
++$command = "$sqlcmd -h$sql_server -u$sql_username $sql_password $sql_database < $tmp_filename" if ($sql_type eq 'mysql');
++$command = "$sqlcmd -U $sql_username -f $tmp_filename $sql_database" if ($sql_type eq 'pg');
+ $command = "$sqlcmd $sql_username/$pass" . "@" . "$sql_database <$tmpfile.$server" if ($sql_type eq 'oracle');
+-$command = "$sqlcmd '$sql_server' '$sql_port' '' '$sql_username' '$sql_password' </tmp/truncate_radacct.query" if ($sql_type eq 'sqlrelay');
++$command = "$sqlcmd '$sql_server' '$sql_port' '' '$sql_username' '$sql_password' < $tmp_filename" if ($sql_type eq 'sqlrelay');
+ `$command`;
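Review bot: The four `tempfile()` calls (clean_radacct, monthly_tot_stats, tot_stats, truncate_radacct) never remove the file they create, since the function form of File::Temp only unlinks at exit when asked to, so every run leaves another query file in the temp directory. `my ($fh, $tmp_filename) = tempfile(UNLINK => 1);` would clean up at exit; the trailing `or die` can go, because tempfile() croaks on failure itself. In the three scripts with an Oracle branch, that unchanged line still redirects from `$tmpfile.$server`, which no visible line sets, so the Oracle path probably does not read the file written through `$fh`; this is worth confirming against the full scripts. The `print $fh` and `close $fh` results are unchecked, so a short write would send a truncated statement to `$sqlcmd`.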
diff --git a/www-apps/freeradius-dialupadmin/freeradius-dialupadmin-1.80.ebuild b/www-apps/freeradius-dialupadmin/freeradius-dialupadmin-1.80.ebuild
new file mode 100644
index 000000000000..d8ee2c104b27
--- /dev/null
+++ b/www-apps/freeradius-dialupadmin/freeradius-dialupadmin-1.80.ebuild
@@ -0,0 +1,81 @@
+# Copyright 1999-2008 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/www-apps/freeradius-dialupadmin/freeradius-dialupadmin-1.80.ebuild,v 1.1 2008/10/12 10:33:19 mrness Exp $
+
+inherit eutils webapp
+MY_FREERADIUS_PV="2.1.1"
+
+DESCRIPTION="Web administration interface of freeradius server"
+SRC_URI="ftp://ftp.freeradius.org/pub/radius/freeradius-server-${MY_FREERADIUS_PV}.tar.gz"
+HOMEPAGE="http://www.freeradius.org/dialupadmin.html"
+
+KEYWORDS="~amd64 ~ppc ~x86"
+IUSE=""
+LICENSE="GPL-2"
+
+DEPEND="sys-apps/findutils
+ sys-apps/sed"
+RDEPEND="virtual/php
+ dev-perl/DateManip
+ >=net-dialup/freeradius-${MY_FREERADIUS_PV}"
+
+S="${WORKDIR}/freeradius-server-${MY_FREERADIUS_PV}/dialup_admin"
+
+src_unpack() {
+ unpack ${A}
+
+ cd "${S}"
+ epatch "${FILESDIR}/${P}-gentoo.patch"
+ epatch "${FILESDIR}/${P}-tmpfile.patch"
+
+ sed -i -e 's:/usr/local:/usr:' \
+ -e 's:/usr/etc/raddb:${general_raddb_dir}:' \
+ -e 's:/usr/radiusd::' \
+ conf/admin.conf
+ sed -i -e 's:/usr/local:/usr:' bin/*
+
+ #rename files .php3 -> .php
+ (find . -iname '*.php3' | (
+ local PHPFILE
+ while read PHPFILE; do
+ mv "${PHPFILE}" "${PHPFILE/.php3/.php}"
+ done
+ )) && \
+ (find . -type f | xargs sed -i -e 's:[.]php3:.php:g') || \
+ die "failed to replace php3 with php"
+
+ # fix dangling ../ to deal with the way webapp-config installs files
+ find . -name '*.php' | xargs sed -i \
+ -e 's:../conf/:../../conf/:' \
+ -e 's:../html/:../../html/:' \
+ -e 's:../lib/:../../lib/:'
+}
+
+src_install() {
+ webapp_src_preinst
+
+ insinto "${MY_HTDOCSDIR}"
+ doins -r htdocs/*
+ insinto "${MY_HOSTROOTDIR}"
+ doins -r conf html lib
+ exeinto "${MY_HOSTROOTDIR}/bin"
+ dodoc bin/*.cron bin/Changelog*
+ rm bin/*.cron bin/Changelog*
+ doexe bin/*
+
+ insinto "${MY_SQLSCRIPTSDIR}"
+ doins -r sql/*
+
+ dodoc Changelog README doc/*
+
+ webapp_hook_script "${FILESDIR}/setrootpath"
+
+ cd "${D}/${MY_HOSTROOTDIR}"
+ local CONFFILE
+ for CONFFILE in conf/* ; do
+ webapp_configfile "${MY_HOSTROOTDIR}/${CONFFILE}"
+ webapp_serverowned "${MY_HOSTROOTDIR}/${CONFFILE}"
+ done
+
+ webapp_src_install
+}
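Review bot: The last `find . -name '*.php' | xargs sed -i` pipeline in src_unpack has no `|| die`, unlike the php3 rename just above it, so a failed rewrite of the conf/html/lib paths would go unnoticed and install pages with broken includes. Its patterns also leave the dots unescaped, so `../conf/` matches any two characters before `/conf/`; `-e 's:\.\./conf/:../../conf/:'` (and likewise for html and lib) limits the rewrite to the literal relative path. Both find-to-xargs pipes split on whitespace, so `find ... -print0 | xargs -0 sed -i ...` would be safer if the tarball ever ships a file name containing a space.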