Ensure that data returned from server on initial challenge is, in

fact, only the data that we expect.

Submitted by:	Matthew Seaman <m.seaman@infracaninophile.co.uk>

3 files changed, 61 insertions, 8 deletions

diff --git a/sysutils/bsdstats/Makefile b/sysutils/bsdstats/Makefile
index a4580149c1e3..ec5394905910 100644
--- a/sysutils/bsdstats/Makefile
+++ b/sysutils/bsdstats/Makefile
@@ -7,6 +7,7 @@
 
 PORTNAME=	bsdstats
 PORTVERSION=	3.0
+PORTREVISION=	1
 CATEGORIES=	sysutils
 DISTFILES=
 
diff --git a/sysutils/bsdstats/files/300.statistics b/sysutils/bsdstats/files/300.statistics
index 303e3807b99f..0bc1cd2b07b6 100644
--- a/sysutils/bsdstats/files/300.statistics
+++ b/sysutils/bsdstats/files/300.statistics
@@ -1,6 +1,6 @@
 #!/bin/sh -
 #
-# $FreeBSD: /tmp/pcvs/ports/sysutils/bsdstats/files/Attic/300.statistics,v 1.11 2006-08-14 07:35:09 scrappy Exp $
+# $FreeBSD: /tmp/pcvs/ports/sysutils/bsdstats/files/Attic/300.statistics,v 1.12 2006-08-14 13:08:01 scrappy Exp $
 #
 
 # If there is a global system configuration file, suck it in.
@@ -33,12 +33,38 @@ send_devices () {
 }
 
 get_id_token () {
+    local IFS
+
+    IFS='=
+'
+
     if [ ! -f $id_token_file ] ;
     then
        IDTOKEN=$( /usr/bin/openssl rand -base64 16 )
-       /usr/bin/fetch -qo $id_token_file "http://$checkin_server/scripts/getid.php?key=$IDTOKEN"
-       /usr/sbin/chown root:wheel $id_token_file 
-       /bin/chmod 600 $id_token_file                     
+       
+       idf=$( mktemp "$id_token_file.XXXXXX" )   && \
+       /usr/sbin/chown root:wheel $id_token_file && \
+       /bin/chmod 600 $id_token_file             && \    
+
+       /usr/bin/fetch -qo - \
+	   "http://$checkin_server/scripts/getid.php?key=$IDTOKEN" | { 
+	   while read var val 
+	     do  
+	     case $var in
+		 KEY)
+                     echo "KEY=$val"
+		 ;;
+		 TOKEN)
+                     echo "TOKEN=$val"
+		 ;;
+		 *)
+                 ;;
+		 esac
+	   done
+       } > $idf                                  && \
+
+       mv $idf $id_token_file
+
        echo "To protect against abuse, the initial challenge/response phase"
        echo "contains a 15 minute pause.  Please be patient while this time"
        echo "limit elapses"
diff --git a/sysutils/bsdstats/files/300.statistics.in b/sysutils/bsdstats/files/300.statistics.in
index 9a7a7be5992b..07eb7326c384 100644
--- a/sysutils/bsdstats/files/300.statistics.in
+++ b/sysutils/bsdstats/files/300.statistics.in
@@ -1,6 +1,6 @@
 #!/bin/sh -
 #
-# $FreeBSD: /tmp/pcvs/ports/sysutils/bsdstats/files/300.statistics.in,v 1.11 2006-08-14 07:35:09 scrappy Exp $
+# $FreeBSD: /tmp/pcvs/ports/sysutils/bsdstats/files/300.statistics.in,v 1.12 2006-08-14 13:08:01 scrappy Exp $
 #
 
 # If there is a global system configuration file, suck it in.
@@ -33,12 +33,38 @@ send_devices () {
 }
 
 get_id_token () {
+    local IFS
+
+    IFS='=
+'
+
     if [ ! -f $id_token_file ] ;
     then
        IDTOKEN=$( /usr/bin/openssl rand -base64 16 )
-       /usr/bin/fetch -qo $id_token_file "http://$checkin_server/scripts/getid.php?key=$IDTOKEN"
-       /usr/sbin/chown root:wheel $id_token_file 
-       /bin/chmod 600 $id_token_file                     
+       
+       idf=$( mktemp "$id_token_file.XXXXXX" )   && \
+       /usr/sbin/chown root:wheel $id_token_file && \
+       /bin/chmod 600 $id_token_file             && \    
+
+       /usr/bin/fetch -qo - \
+	   "http://$checkin_server/scripts/getid.php?key=$IDTOKEN" | { 
+	   while read var val 
+	     do  
+	     case $var in
+		 KEY)
+                     echo "KEY=$val"
+		 ;;
+		 TOKEN)
+                     echo "TOKEN=$val"
+		 ;;
+		 *)
+                 ;;
+		 esac
+	   done
+       } > $idf                                  && \
+
+       mv $idf $id_token_file
+
        echo "To protect against abuse, the initial challenge/response phase"
        echo "contains a 15 minute pause.  Please be patient while this time"
        echo "limit elapses"