1 |
mrness 08/10/12 10:33:19 |
2 |
|
3 |
Added: freeradius-dialupadmin-1.80-gentoo.patch |
4 |
freeradius-dialupadmin-1.80-tmpfile.patch |
5 |
Log: |
6 |
Version bump. Fix insecure usage of temporary files (#240546). |
7 |
(Portage version: 2.1.4.4) |
8 |
|
9 |
Revision Changes Path |
10 |
1.1 www-apps/freeradius-dialupadmin/files/freeradius-dialupadmin-1.80-gentoo.patch |
11 |
|
12 |
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/www-apps/freeradius-dialupadmin/files/freeradius-dialupadmin-1.80-gentoo.patch?rev=1.1&view=markup |
13 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/www-apps/freeradius-dialupadmin/files/freeradius-dialupadmin-1.80-gentoo.patch?rev=1.1&content-type=text/plain |
14 |
|
15 |
Index: freeradius-dialupadmin-1.80-gentoo.patch |
16 |
=================================================================== |
17 |
diff -Nru freeradius-server-2.1.1.orig/dialup_admin/Makefile freeradius-server-2.1.1/dialup_admin/Makefile |
18 |
--- freeradius-server-2.1.1.orig/dialup_admin/Makefile 2008-10-12 10:13:16.000000000 +0000 |
19 |
+++ freeradius-server-2.1.1/dialup_admin/Makefile 2008-10-12 10:16:16.000000000 +0000 |
20 |
@@ -4,7 +4,6 @@ |
21 |
# Version: $Id: freeradius-dialupadmin-1.80-gentoo.patch,v 1.1 2008/10/12 10:33:19 mrness Exp $ |
22 |
# |
23 |
|
24 |
-include ../Make.inc |
25 |
|
26 |
DIALUP_PREFIX := /usr/local/dialup_admin |
27 |
DIALUP_DOCDIR := $(DIALUP_PREFIX)/doc |
28 |
diff -Nru freeradius-server-2.1.1.orig/dialup_admin/conf/admin.conf freeradius-server-2.1.1/dialup_admin/conf/admin.conf |
29 |
--- freeradius-server-2.1.1.orig/dialup_admin/conf/admin.conf 2008-09-25 08:41:26.000000000 +0000 |
30 |
+++ freeradius-server-2.1.1/dialup_admin/conf/admin.conf 2008-10-12 09:14:12.000000000 +0000 |
31 |
@@ -204,7 +204,7 @@ |
32 |
# |
33 |
# Uncomment to enable ldap debug |
34 |
# |
35 |
-ldap_debug: true |
36 |
+#ldap_debug: true |
37 |
# |
38 |
# Allow for defining the ldap filter used when searching for a user |
39 |
# Variables supported: |
40 |
@@ -274,7 +274,7 @@ |
41 |
# |
42 |
# Uncomment to enable sql debug |
43 |
# |
44 |
-sql_debug: true |
45 |
+#sql_debug: true |
46 |
# |
47 |
# If set to yes then the HTTP credentials (http authentication) |
48 |
# will be used to connect to the sql server instead of sql_username |
49 |
|
50 |
|
51 |
|
52 |
1.1 www-apps/freeradius-dialupadmin/files/freeradius-dialupadmin-1.80-tmpfile.patch |
53 |
|
54 |
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/www-apps/freeradius-dialupadmin/files/freeradius-dialupadmin-1.80-tmpfile.patch?rev=1.1&view=markup |
55 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/www-apps/freeradius-dialupadmin/files/freeradius-dialupadmin-1.80-tmpfile.patch?rev=1.1&content-type=text/plain |
56 |
|
57 |
Index: freeradius-dialupadmin-1.80-tmpfile.patch |
58 |
=================================================================== |
59 |
diff -Nru freeradius-server-2.1.1.orig/dialup_admin/bin/clean_radacct freeradius-server-2.1.1/dialup_admin/bin/clean_radacct |
60 |
--- freeradius-server-2.1.1.orig/dialup_admin/bin/clean_radacct 2008-09-25 08:41:26.000000000 +0000 |
61 |
+++ freeradius-server-2.1.1/dialup_admin/bin/clean_radacct 2008-10-12 09:29:50.000000000 +0000 |
62 |
@@ -5,6 +5,7 @@ |
63 |
# Works with mysql and postgresql |
64 |
# |
65 |
use POSIX; |
66 |
+use File::Temp; |
67 |
|
68 |
$conf=shift||'/usr/local/dialup_admin/conf/admin.conf'; |
69 |
$back_days = 35; |
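Review bot: `use File::Temp;` relies on the module's default export list for the `tempfile()` call added in the next hunk. Importing by name, `use File::Temp qw(tempfile);`, documents what the script uses and fails at load time if the name is not exportable. The same bare import is added in log_badlogins (which calls `tempdir`), monthly_tot_stats, tot_stats and truncate_radacct. The rest of the script lies outside this hunk.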
70 |
@@ -42,11 +43,10 @@ |
71 |
|
72 |
$query = "DELETE FROM $sql_accounting_table WHERE AcctStopTime IS NULL AND AcctStartTime < '$date';"; |
73 |
print "$query\n"; |
74 |
-open TMP, ">/tmp/clean_radacct.query" |
75 |
- or die "Could not open tmp file\n"; |
76 |
-print TMP $query; |
77 |
-close TMP; |
78 |
-$command = "$sqlcmd -h$sql_server -u$sql_username $sql_password $sql_database </tmp/clean_radacct.query" if ($sql_type eq 'mysql'); |
79 |
-$command = "$sqlcmd -U $sql_username -f /tmp/clean_radacct.query $sql_database" if ($sql_type eq 'pg'); |
80 |
-$command = "$sqlcmd '$sql_server' '$sql_port' '' '$sql_username' '$sql_password' </tmp/clean_radacct.query" if ($sql_type eq 'sqlrelay'); |
81 |
+my ($fh, $tmp_filename) = tempfile() or die "Could not open tmp file\n"; |
82 |
+print $fh $query; |
83 |
+close $fh; |
84 |
+$command = "$sqlcmd -h$sql_server -u$sql_username $sql_password $sql_database < $tmp_filename" if ($sql_type eq 'mysql'); |
85 |
+$command = "$sqlcmd -U $sql_username -f $tmp_filename $sql_database" if ($sql_type eq 'pg'); |
86 |
+$command = "$sqlcmd '$sql_server' '$sql_port' '' '$sql_username' '$sql_password' < $tmp_filename" if ($sql_type eq 'sqlrelay'); |
87 |
`$command`; |
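Review bot: The file returned by `tempfile()` is never removed, because File::Temp keeps the file when it is called in list context without `UNLINK`, so every run leaves a copy of the query in the temp directory. `my ($fh, $tmp_filename) = tempfile(UNLINK => 1);` removes it when the script exits, which is after the backtick command has finished. The trailing `or die` cannot fire, since the list assignment is true whenever `tempfile()` returns and the function croaks on failure. The same pattern is added in monthly_tot_stats, tot_stats and truncate_radacct. Separately, `$sql_password` is still interpolated into the shell command line, where other local users can probably see it in the process list while the client runs.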
88 |
diff -Nru freeradius-server-2.1.1.orig/dialup_admin/bin/log_badlogins freeradius-server-2.1.1/dialup_admin/bin/log_badlogins |
89 |
--- freeradius-server-2.1.1.orig/dialup_admin/bin/log_badlogins 2008-09-25 08:41:26.000000000 +0000 |
90 |
+++ freeradius-server-2.1.1/dialup_admin/bin/log_badlogins 2008-10-12 10:09:58.000000000 +0000 |
91 |
@@ -14,6 +14,7 @@ |
92 |
|
93 |
use Date::Manip qw(ParseDate UnixDate); |
94 |
use Digest::MD5; |
95 |
+use File::Temp; |
96 |
$|=1; |
97 |
|
98 |
$file=shift||'none'; |
99 |
@@ -29,7 +30,8 @@ |
100 |
# CHANGE THESE TO MATCH YOUR SETUP |
101 |
# |
102 |
#$regexp = 'from client localhost port 135|from client blabla '; |
103 |
-$tmpfile='/var/tmp/sql.input'; |
104 |
+$tmpdir=tempdir( CLEANUP => 1 ); |
105 |
+$tmpfile="$tmpdir/sql.input"; |
106 |
# |
107 |
$verbose = 0; |
108 |
# |
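Review bot: `$tmpfile` still sits under the "CHANGE THESE TO MATCH YOUR SETUP" banner, although it is now computed and should not be edited back to a shared path. A comment such as `# $tmpfile lives in a private per-run directory (removed at exit); do not point it at /tmp or /var/tmp` would say so. `CLEANUP => 1` only takes effect on a normal exit, so the directory may be left behind if this script is usually stopped by a signal. How the script terminates is not visible in this hunk.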
109 |
diff -Nru freeradius-server-2.1.1.orig/dialup_admin/bin/monthly_tot_stats freeradius-server-2.1.1/dialup_admin/bin/monthly_tot_stats |
110 |
--- freeradius-server-2.1.1.orig/dialup_admin/bin/monthly_tot_stats 2008-09-25 08:41:26.000000000 +0000 |
111 |
+++ freeradius-server-2.1.1/dialup_admin/bin/monthly_tot_stats 2008-10-12 09:29:50.000000000 +0000 |
112 |
@@ -1,5 +1,6 @@ |
113 |
#!/usr/bin/perl |
114 |
use POSIX; |
115 |
+use File::Temp; |
116 |
|
117 |
# Log in the mtotacct table aggregated accounting information for |
118 |
# each user spaning in one month period. |
119 |
@@ -51,14 +52,13 @@ |
120 |
AcctDate <= '$date_end' GROUP BY UserName,NASIPAddress;"; |
121 |
print "$query1\n"; |
122 |
print "$query2\n"; |
123 |
-open TMP, ">/tmp/tot_stats.query" |
124 |
- or die "Could not open tmp file\n"; |
125 |
-print TMP "ALTER SESSION SET NLS_TIMESTAMP_TZ_FORMAT='YYYY-MM-DD HH24:MI:SS.FF TZH:TZM';\n" if ($sql_type eq 'oracle'); |
126 |
-print TMP $query1; |
127 |
-print TMP $query2; |
128 |
-close TMP; |
129 |
-$command = "$sqlcmd -h $sql_server -u $sql_username $sql_password $sql_database </tmp/tot_stats.query" if ($sql_type eq 'mysql'); |
130 |
-$command = "$sqlcmd -U $sql_username -f /tmp/tot_stats.query $sql_database" if ($sql_type eq 'pg'); |
131 |
+my ($fh, $tmp_filename) = tempfile() or die "Could not open tmp file\n"; |
132 |
+print $fh "ALTER SESSION SET NLS_TIMESTAMP_TZ_FORMAT='YYYY-MM-DD HH24:MI:SS.FF TZH:TZM';\n" if ($sql_type eq 'oracle'); |
133 |
+print $fh $query1; |
134 |
+print $fh $query2; |
135 |
+close $fh; |
136 |
+$command = "$sqlcmd -h $sql_server -u $sql_username $sql_password $sql_database < $tmp_filename" if ($sql_type eq 'mysql'); |
137 |
+$command = "$sqlcmd -U $sql_username -f $tmp_filename $sql_database" if ($sql_type eq 'pg'); |
138 |
$command = "$sqlcmd $sql_username/$pass" . "@" . "$sql_database <$tmpfile.$server" if ($sql_type eq 'oracle'); |
139 |
-$command = "$sqlcmd '$sql_server' '$sql_port' '' '$sql_username' '$sql_password' </tmp/tot_stats.query" if ($sql_type eq 'sqlrelay'); |
140 |
+$command = "$sqlcmd '$sql_server' '$sql_port' '' '$sql_username' '$sql_password' < $tmp_filename" if ($sql_type eq 'sqlrelay'); |
141 |
`$command`; |
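Review bot: The oracle branch, left unchanged as a context line, still reads its input from `$tmpfile.$server` rather than `$tmp_filename`. As far as this hunk shows, the `ALTER SESSION` line and the queries written to `$fh` are therefore not what that command receives. Neither `$tmpfile` nor `$server` is set in the visible lines; if `$tmpfile` is a fixed path in a shared directory, the insecure temporary-file use this commit fixes remains for oracle. Ending that command with `"$sql_database < $tmp_filename" if ($sql_type eq 'oracle');` would make it consistent with the other back ends. The same unchanged line appears in the tot_stats and truncate_radacct hunks.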
142 |
diff -Nru freeradius-server-2.1.1.orig/dialup_admin/bin/tot_stats freeradius-server-2.1.1/dialup_admin/bin/tot_stats |
143 |
--- freeradius-server-2.1.1.orig/dialup_admin/bin/tot_stats 2008-09-25 08:41:26.000000000 +0000 |
144 |
+++ freeradius-server-2.1.1/dialup_admin/bin/tot_stats 2008-10-12 09:29:50.000000000 +0000 |
145 |
@@ -1,5 +1,6 @@ |
146 |
#!/usr/bin/perl |
147 |
use POSIX; |
148 |
+use File::Temp; |
149 |
|
150 |
# Log in the totacct table aggregated daily accounting information for |
151 |
# each user. |
152 |
@@ -48,14 +49,13 @@ |
153 |
AcctStopTime < '$date_end' GROUP BY UserName,NASIPAddress;"; |
154 |
print "$query1\n"; |
155 |
print "$query2\n"; |
156 |
-open TMP, ">/tmp/tot_stats.query" |
157 |
- or die "Could not open tmp file\n"; |
158 |
-print TMP "ALTER SESSION SET NLS_TIMESTAMP_TZ_FORMAT='YYYY-MM-DD HH24:MI:SS.FF TZH:TZM';\n" if ($sql_type eq 'oracle'); |
159 |
-print TMP $query1; |
160 |
-print TMP $query2; |
161 |
-close TMP; |
162 |
-$command = "$sqlcmd -h $sql_server -u $sql_username $sql_password $sql_database </tmp/tot_stats.query" if ($sql_type eq 'mysql'); |
163 |
-$command = "$sqlcmd -U $sql_username -f /tmp/tot_stats.query $sql_database" if ($sql_type eq 'pg'); |
164 |
+my ($fh, $tmp_filename) = tempfile() or die "Could not open tmp file\n"; |
165 |
+print $fh "ALTER SESSION SET NLS_TIMESTAMP_TZ_FORMAT='YYYY-MM-DD HH24:MI:SS.FF TZH:TZM';\n" if ($sql_type eq 'oracle'); |
166 |
+print $fh $query1; |
167 |
+print $fh $query2; |
168 |
+close $fh; |
169 |
+$command = "$sqlcmd -h $sql_server -u $sql_username $sql_password $sql_database < $tmp_filename" if ($sql_type eq 'mysql'); |
170 |
+$command = "$sqlcmd -U $sql_username -f $tmp_filename $sql_database" if ($sql_type eq 'pg'); |
171 |
$command = "$sqlcmd $sql_username/$pass" . "@" . "$sql_database <$tmpfile.$server" if ($sql_type eq 'oracle'); |
172 |
-$command = "$sqlcmd '$sql_server' '$sql_port' '' '$sql_username' '$sql_password' </tmp/tot_stats.query" if ($sql_type eq 'sqlrelay'); |
173 |
+$command = "$sqlcmd '$sql_server' '$sql_port' '' '$sql_username' '$sql_password' < $tmp_filename" if ($sql_type eq 'sqlrelay'); |
174 |
`$command`; |
175 |
diff -Nru freeradius-server-2.1.1.orig/dialup_admin/bin/truncate_radacct freeradius-server-2.1.1/dialup_admin/bin/truncate_radacct |
176 |
--- freeradius-server-2.1.1.orig/dialup_admin/bin/truncate_radacct 2008-09-25 08:41:26.000000000 +0000 |
177 |
+++ freeradius-server-2.1.1/dialup_admin/bin/truncate_radacct 2008-10-12 09:29:50.000000000 +0000 |
178 |
@@ -5,6 +5,7 @@ |
179 |
# Works with mysql and postgresql |
180 |
# |
181 |
use POSIX; |
182 |
+use File::Temp; |
183 |
|
184 |
$conf=shift||'/usr/local/dialup_admin/conf/admin.conf'; |
185 |
$back_days = 90; |
186 |
@@ -44,13 +45,12 @@ |
187 |
$query .= "DELETE FROM $sql_accounting_table WHERE AcctStopTime < '$date' AND AcctStopTime IS NOT NULL ;"; |
188 |
$query .= "UNLOCK TABLES;" if ($sql_type eq 'mysql'); |
189 |
print "$query\n"; |
190 |
-open TMP, ">/tmp/truncate_radacct.query" |
191 |
- or die "Could not open tmp file\n"; |
192 |
-print TMP "ALTER SESSION SET NLS_TIMESTAMP_TZ_FORMAT='YYYY-MM-DD HH24:MI:SS.FF TZH:TZM';\n" if ($sql_type eq 'oracle'); |
193 |
-print TMP $query; |
194 |
-close TMP; |
195 |
-$command = "$sqlcmd -h$sql_server -u$sql_username $sql_password $sql_database </tmp/truncate_radacct.query" if ($sql_type eq 'mysql'); |
196 |
-$command = "$sqlcmd -U $sql_username -f /tmp/truncate_radacct.query $sql_database" if ($sql_type eq 'pg'); |
197 |
+my ($fh, $tmp_filename) = tempfile() or die "Could not open tmp file\n"; |
198 |
+print $fh "ALTER SESSION SET NLS_TIMESTAMP_TZ_FORMAT='YYYY-MM-DD HH24:MI:SS.FF TZH:TZM';\n" if ($sql_type eq 'oracle'); |
199 |
+print $fh $query; |
200 |
+close $fh; |
201 |
+$command = "$sqlcmd -h$sql_server -u$sql_username $sql_password $sql_database < $tmp_filename" if ($sql_type eq 'mysql'); |
202 |
+$command = "$sqlcmd -U $sql_username -f $tmp_filename $sql_database" if ($sql_type eq 'pg'); |
203 |
$command = "$sqlcmd $sql_username/$pass" . "@" . "$sql_database <$tmpfile.$server" if ($sql_type eq 'oracle'); |
204 |
-$command = "$sqlcmd '$sql_server' '$sql_port' '' '$sql_username' '$sql_password' </tmp/truncate_radacct.query" if ($sql_type eq 'sqlrelay'); |
205 |
+$command = "$sqlcmd '$sql_server' '$sql_port' '' '$sql_username' '$sql_password' < $tmp_filename" if ($sql_type eq 'sqlrelay'); |
206 |
`$command`; |