- Fix insecure temporary file usage and arbitrary command execution

PR:		129981 (based on)
Submitted by:	Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Approved by:	maintainer

2 files changed, 84 insertions, 3 deletions

diff --git a/net-p2p/verlihub/Makefile b/net-p2p/verlihub/Makefile
index 7d5091d15a9a..009cd1f04384 100644
--- a/net-p2p/verlihub/Makefile
+++ b/net-p2p/verlihub/Makefile
@@ -7,11 +7,10 @@
 
 PORTNAME=	verlihub
 DISTVERSION=	0.9.8d-RC2
-PORTREVISION=	1
+PORTREVISION=	2
 PORTEPOCH=	1
 CATEGORIES=	net-p2p
-MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
-MASTER_SITE_SUBDIR=	${PORTNAME}
+MASTER_SITES=	SF
 
 MAINTAINER=	skylord@vt.net.ru
 COMMENT=	A Direct Connect protocol server (Hub)
diff --git a/net-p2p/verlihub/files/patch-CVE-2008-5706 b/net-p2p/verlihub/files/patch-CVE-2008-5706
new file mode 100644
index 000000000000..61dc4ca9bef6
--- /dev/null
+++ b/net-p2p/verlihub/files/patch-CVE-2008-5706
@@ -0,0 +1,82 @@
+--- src/ctrigger.cpp.orig	2005-04-11 19:18:38.000000000 +0400
++++ src/ctrigger.cpp	2008-12-27 23:28:14.000000000 +0300
+@@ -7,6 +7,9 @@
+  *   the Free Software Foundation; either version 2 of the License, or     *
+  *   (at your option) any later version.                                   *
+  ***************************************************************************/
++#include <errno.h>
++#include <stdio.h>
++#include <string.h>
+ #include "cserverdc.h"
+ #include "ctrigger.h"
+ #include "cconndc.h"
+@@ -44,16 +47,33 @@
+ {
+ 	string buf, filename, sender;
+ 	string par1, end1, parall;
++	string cmdl;
++
+ 	if (conn && conn->mpUser)
+ 	{
++		cmd_line >> cmdl;
++		/* Sanitise user input if we're going to exec anything */
++		if (mFlags & eTF_EXECUTE && server.mDBConf.allow_exec) {
++			string cleaned = string();
++			const string toclean = string(";\"'\\`:!${}[]&><|~/");
++
++			for (string::iterator i = cmdl.begin();
++			    i < cmdl.end();
++			    i++) {
++				if (toclean.find(*i) == string::npos)
++					cleaned.append(1, *i);
++			}
++			cmdl = cleaned;
++		}
++
+ 		int uclass = conn->mpUser->mClass;
+ 		if ((uclass >= this->mMinClass) &&(uclass <= this->mMaxClass)) {
+ 
+-			if(cmd_line.str().size() > mCommand.size()) {
+-				parall.assign(cmd_line.str(),mCommand.size()+1,string::npos);
++			if(cmdl.size() > mCommand.size()) {
++				parall.assign(cmdl,mCommand.size()+1,string::npos);
+ 			}
+-			cmd_line >> par1;
+-			end1 = cmd_line.str();
++			par1 = cmdl;
++			end1 = cmdl;
+ 
+ 			sender = server.mC.hub_security;
+ 			if (mSendAs.size()) sender = mSendAs;
+@@ -104,14 +124,25 @@
+ 
+ 			if (mFlags & eTF_EXECUTE && server.mDBConf.allow_exec) {
+ 				string command(buf);
+-				filename = server.mConfigBaseDir;
+-				filename.append("/tmp/trigger.tmp");
+-				command.append(" > ");
+-				command.append(filename);
++				char buffer[1024];
++				FILE *stream;
++
+ 				cout << command << endl;
+-				system(command.c_str());
+ 				buf = "";
+-				if (!LoadFileInString(filename,buf)) return 0;
++				stream = popen(command.c_str(), "r");
++				if (stream == NULL) {
++					cout << strerror(errno) << std::endl;
++					return 0;
++				} else {
++					while (fgets(buffer, sizeof(buffer),
++					  stream) != NULL)
++                				buf.append(buffer);
++					if (pclose(stream) == -1) {
++						cout << strerror(errno) <<
++						  std::endl;
++						return 0;
++					}
++				}
+ 			}
+ 
+ 			// @CHANGED by dReiska +BEGINS+