authorBaptiste Daroussin <bapt@FreeBSD.org>2013-12-17 08:20:44 +0000
committerBaptiste Daroussin <bapt@FreeBSD.org>2013-12-17 08:20:44 +0000
commita4fd0b2a9246c31d7eca49cf8c6f549f6c6d2f99 (patch)
treef9bbd8918881a90b21a8006523c1621a70cea600
parente32795603e2c2a0454cc7106f65629e47c0fb3bb (diff)
MFH: r336678
- update to 2.8.4 - add stage support Security: 3b86583a-66a7-11e3-868f-0025905a4771
Notes
Notes: svn path=/branches/2014Q1/; revision=336698
-rw-r--r--security/vuxml/vuln.xml30
-rw-r--r--www/phpmyfaq/Makefile16
-rw-r--r--www/phpmyfaq/distinfo4
-rw-r--r--www/phpmyfaq/pkg-plist25
4 files changed, 60 insertions, 15 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index a06d1c1e0426..00e29bf9e8ae 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -51,6 +51,36 @@ Note: Please add new entries to the beginning of this file.
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="3b86583a-66a7-11e3-868f-0025905a4771">
+ <topic>phpmyfaq -- arbitrary PHP code execution vulnerability</topic>
+ <affects>
+ <package>
+ <name>phpmyfaq</name>
+ <range><lt>2.8.4</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The phpMyFAQ team reports:</p>
+ <blockquote cite="http://www.phpmyfaq.de/advisory_2013-11-26.php">
+ <p>Secunia noticed while analysing the advisory that authenticated
+ users with "Right to add attachments" are able to exploit an already
+ publicly known issue in the bundled Ajax File Manager of phpMyFAQ version
+ 2.8.3, which leads to arbitrary PHP code execution for authenticated
+ users with the permission "Right to add attachments".</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://www.phpmyfaq.de/advisory_2013-11-26.php</url>
+ <url>http://en.securitylab.ru/lab/PT-2013-41</url>
+ </references>
+ <dates>
+ <discovery>2013-11-26</discovery>
+ <entry>2013-12-16</entry>
+ </dates>
+ </vuln>
+
<vuln vid="44d0f8dc-6607-11e3-bb11-0025900931f8">
<topic>zabbix -- shell command injection vulnerability</topic>
<affects>
diff --git a/www/phpmyfaq/Makefile b/www/phpmyfaq/Makefile
index 6cea7390d3cd..c8e27005d0b5 100644
--- a/www/phpmyfaq/Makefile
+++ b/www/phpmyfaq/Makefile
@@ -2,7 +2,7 @@
# $FreeBSD$
PORTNAME= phpmyfaq
-PORTVERSION= 2.8.2
+PORTVERSION= 2.8.4
CATEGORIES= www
MASTER_SITES= http://www.phpmyfaq.de/download/
@@ -11,20 +11,20 @@ COMMENT= A multilingual, completely database-driven FAQ-system
WRKSRC= ${WRKDIR}/${PORTNAME}
+NEED_ROOT= yes
+
USE_PHP= filter json mysql pcre pdf session xml xmlrpc xmlwriter zlib
FAQ_DIR= attachments data images inc pdf xml
NO_BUILD= YES
WANT_PHP_WEB= YES
+NO_ARCH= YES
-NO_STAGE= yes
do-install:
- -${MKDIR} ${WWWDIR}
- @cd ${WRKSRC} && ${COPYTREE_SHARE} \* ${WWWDIR}
+ @${MKDIR} ${STAGEDIR}${WWWDIR}
+ @cd ${WRKSRC} && ${COPYTREE_SHARE} \* ${STAGEDIR}${WWWDIR}
.for i in ${FAQ_DIR}
- -@${MKDIR} ${WWWDIR}/${i}
- @${CHMOD} 777 ${WWWDIR}/${i}
+ @${MKDIR} ${STAGEDIR}${WWWDIR}/${i}
+ @${CHOWN} ${WWWOWN}:${WWWGRP} ${STAGEDIR}${WWWDIR}/${i} ${STAGEDIR}${WWWDIR}/config
.endfor
- @${CHOWN} -R ${WWWOWN}:${WWWGRP} ${WWWDIR}
- @${CAT} ${PKGMESSAGE}
.include <bsd.port.mk>
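Review bot: `inc` is still listed in `FAQ_DIR`, so the new loop (and the matching `@exec chown` lines in pkg-plist) makes the directory that, judging by the `inc/PMF/...` plist entries, holds the application's PHP classes owned by `${WWWOWN}`. A code directory the web server can write to means any file-write flaw in the application can place PHP files where they may be loaded, which is the class of problem this update is shipping a fix for. If the upstream installer does not need write access there, I would drop `inc` from `FAQ_DIR`, or at least document it with a comment such as `# inc is web-writable because <reason>; revisit`. Separately, `${STAGEDIR}${WWWDIR}/config` is chowned once per loop iteration; a single `@${CHOWN} ${WWWOWN}:${WWWGRP} ${STAGEDIR}${WWWDIR}/config` after `.endfor` would be clearer. The top of the Makefile is outside this hunk.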
diff --git a/www/phpmyfaq/distinfo b/www/phpmyfaq/distinfo
index bdf0eafea35f..6bfd084d6807 100644
--- a/www/phpmyfaq/distinfo
+++ b/www/phpmyfaq/distinfo
@@ -1,2 +1,2 @@
-SHA256 (phpmyfaq-2.8.2.tar.gz) = 2ab6452da45dacd3bd771597671371881a4c9d13352b4c70d608b686779c3db6
-SIZE (phpmyfaq-2.8.2.tar.gz) = 3896352
+SHA256 (phpmyfaq-2.8.4.tar.gz) = da4762ce824a973f0303762e9028ea9c7e1b1b0bc0f7721388046bd1c35b0164
+SIZE (phpmyfaq-2.8.4.tar.gz) = 3903889
diff --git a/www/phpmyfaq/pkg-plist b/www/phpmyfaq/pkg-plist
index 3a096a7af929..c0bfcdc89a06 100644
--- a/www/phpmyfaq/pkg-plist
+++ b/www/phpmyfaq/pkg-plist
@@ -1,3 +1,16 @@
+@exec mkdir -p %D/www/phpmyfaq/attachments
+@exec mkdir -p %D/www/phpmyfaq/data
+@exec mkdir -p %D/www/phpmyfaq/images
+@exec mkdir -p %D/www/phpmyfaq/inc
+@exec mkdir -p %D/www/phpmyfaq/pdf
+@exec mkdir -p %D/www/phpmyfaq/xml
+@exec chown %%WWWOWN%%:%%WWWGRP%% %D/www/phpmyfaq/attachments
+@exec chown %%WWWOWN%%:%%WWWGRP%% %D/www/phpmyfaq/config
+@exec chown %%WWWOWN%%:%%WWWGRP%% %D/www/phpmyfaq/data
+@exec chown %%WWWOWN%%:%%WWWGRP%% %D/www/phpmyfaq/images
+@exec chown %%WWWOWN%%:%%WWWGRP%% %D/www/phpmyfaq/inc
+@exec chown %%WWWOWN%%:%%WWWGRP%% %D/www/phpmyfaq/pdf
+@exec chown %%WWWOWN%%:%%WWWGRP%% %D/www/phpmyfaq/xml
%%WWWDIR%%/_.htaccess
%%WWWDIR%%/_httpd.ini
%%WWWDIR%%/_lighttpd.conf
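Review bot: The thirteen added `@exec` lines hard-code `%D/www/phpmyfaq/` while every file entry below them uses `%%WWWDIR%%`, so the two can drift apart if the install directory is ever changed; `@exec mkdir -p %D/%%WWWDIR%%/attachments` (and the same form for the others) would keep them tied together. These lines also set ownership only, so the mode of the web-writable directories depends on the umask at install time; a short comment stating the intended mode, or an explicit `chmod`, would make that deliberate. The list duplicates `FAQ_DIR` plus `config` from the Makefile and has to be kept in sync by hand.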
@@ -24,6 +37,7 @@
%%WWWDIR%%/admin/assets/font/fontawesome-webfont.svg
%%WWWDIR%%/admin/assets/font/fontawesome-webfont.ttf
%%WWWDIR%%/admin/assets/font/fontawesome-webfont.woff
+%%WWWDIR%%/admin/assets/js/record.js
%%WWWDIR%%/admin/assets/js/uploadcheck.js
%%WWWDIR%%/admin/assets/js/user.js
%%WWWDIR%%/admin/assets/less/style.less
@@ -876,6 +890,7 @@
%%WWWDIR%%/assets/template/default/favicon.ico
%%WWWDIR%%/assets/template/default/glossary.tpl
%%WWWDIR%%/assets/template/default/images/arrow.gif
+%%WWWDIR%%/assets/template/default/indexPassword.tpl
%%WWWDIR%%/assets/template/default/index.tpl
%%WWWDIR%%/assets/template/default/indexLogin.tpl
%%WWWDIR%%/assets/template/default/indexMaintenance.tpl
@@ -1264,7 +1279,7 @@
@dirrm %%WWWDIR%%/xml
@dirrm %%WWWDIR%%/services/twitter
@dirrm %%WWWDIR%%/services
-@dirrmtry %%WWWDIR%%/pdf
+@dirrm %%WWWDIR%%/pdf
@dirrm %%WWWDIR%%/multisite
@dirrm %%WWWDIR%%/lang
@dirrm %%WWWDIR%%/install
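Review bot: Changing `@dirrmtry` to `@dirrm` for `pdf` here, and for `images`, `data`, `config` and `attachments` in the next hunk, affects directories that the application writes into at run time, so they will usually be non-empty at deinstall and the removal will report an error instead of being skipped quietly. Unless something else empties them first, I would keep `@dirrmtry %%WWWDIR%%/pdf` and the same for the other four, so that uploads and site configuration are left in place without a noisy or failing deinstall.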
@@ -1357,16 +1372,16 @@
@dirrm %%WWWDIR%%/inc/PMF/Attachment
@dirrm %%WWWDIR%%/inc/PMF
@dirrm %%WWWDIR%%/inc
-@dirrmtry %%WWWDIR%%/images
+@dirrm %%WWWDIR%%/images
@dirrm %%WWWDIR%%/feed/topten
@dirrm %%WWWDIR%%/feed/openquestions
@dirrm %%WWWDIR%%/feed/news
@dirrm %%WWWDIR%%/feed/latest
@dirrm %%WWWDIR%%/feed/category
@dirrm %%WWWDIR%%/feed
-@dirrmtry %%WWWDIR%%/data
-@dirrmtry %%WWWDIR%%/config
-@dirrmtry %%WWWDIR%%/attachments
+@dirrm %%WWWDIR%%/data
+@dirrm %%WWWDIR%%/config
+@dirrm %%WWWDIR%%/attachments
@dirrm %%WWWDIR%%/assets/template/default/less
@dirrm %%WWWDIR%%/assets/template/default/images
@dirrm %%WWWDIR%%/assets/template/default/css