13 files changed, 165 insertions, 12 deletions

diff --git a/usr/local/bin/3gstats.php b/usr/local/bin/3gstats.php
index daf0500..cc385fc 100755
--- a/usr/local/bin/3gstats.php
+++ b/usr/local/bin/3gstats.php
@@ -1,4 +1,4 @@
-#!/usr/local/bin/php -f
+#!/usr/local/bin/php-cgi -f
 <?php
 
 ini_set("max_execution_time", "0");
diff --git a/usr/local/bin/captiveportal_gather_stats.php b/usr/local/bin/captiveportal_gather_stats.php
index 11cb2b9..23d6b5d 100644
--- a/usr/local/bin/captiveportal_gather_stats.php
+++ b/usr/local/bin/captiveportal_gather_stats.php
@@ -1,4 +1,4 @@
-#!/usr/local/bin/php -q
+#!/usr/local/bin/php-cgi -q
 <?php
 /* $Id$ */
 /*
diff --git a/usr/local/bin/easyrule b/usr/local/bin/easyrule
index cf9e40a..8461a7a 100755
--- a/usr/local/bin/easyrule
+++ b/usr/local/bin/easyrule
@@ -1,4 +1,4 @@
-#!/usr/local/bin/php -q
+#!/usr/local/bin/php-cgi -q
 <?php
 /*
 	easyrule CLI Program
diff --git a/usr/local/bin/filterparser.php b/usr/local/bin/filterparser.php
index bec8016..fa60262 100755
--- a/usr/local/bin/filterparser.php
+++ b/usr/local/bin/filterparser.php
@@ -1,4 +1,4 @@
-#!/usr/local/bin/php -q
+#!/usr/local/bin/php-cgi -q
 <?php
 /* $Id$ */
 /*
diff --git a/usr/local/bin/mail.php b/usr/local/bin/mail.php
index 1e62b81..130d9e0 100755
--- a/usr/local/bin/mail.php
+++ b/usr/local/bin/mail.php
@@ -1,4 +1,4 @@
-#!/usr/local/bin/php -q
+#!/usr/local/bin/php-cgi -q
 <?php
 require_once("config.inc");
 require_once("globals.inc");
@@ -22,4 +22,4 @@ if (!empty($subject)) {
 } else {
 	send_smtp_message($message);
 }
-?>
\ No newline at end of file
+?>
diff --git a/usr/local/sbin/gmirror_status_check.php b/usr/local/sbin/gmirror_status_check.php
index 4f73baf..f19a5d1 100644
--- a/usr/local/sbin/gmirror_status_check.php
+++ b/usr/local/sbin/gmirror_status_check.php
@@ -1,4 +1,4 @@
-#!/usr/local/bin/php -f
+#!/usr/local/bin/php-cgi -f
 <?php
 /*
 	gmirror_status_check.php
diff --git a/usr/local/sbin/pfSsh.php b/usr/local/sbin/pfSsh.php
index 068198f..8bfc909 100755
--- a/usr/local/sbin/pfSsh.php
+++ b/usr/local/sbin/pfSsh.php
@@ -1,4 +1,4 @@
-#!/usr/local/bin/php -f
+#!/usr/local/bin/php-cgi -f
 
 <?php
 
diff --git a/usr/local/sbin/show_filter_reload_status.php b/usr/local/sbin/show_filter_reload_status.php
index daa35ad..e66c890 100755
--- a/usr/local/sbin/show_filter_reload_status.php
+++ b/usr/local/sbin/show_filter_reload_status.php
@@ -1,4 +1,4 @@
-#!/usr/local/bin/php -q
+#!/usr/local/bin/php-cgi -q
 <?php
 
 $last_text = "";
diff --git a/usr/local/share/pfSense/post_upgrade_command b/usr/local/share/pfSense/post_upgrade_command
new file mode 100755
index 0000000..097bc5c
--- /dev/null
+++ b/usr/local/share/pfSense/post_upgrade_command
@@ -0,0 +1,64 @@
+#!/bin/sh
+
+/etc/rc.conf_mount_rw
+
+PFSENSETYPE=`cat /etc/platform`
+
+if [ "${PFSENSETYPE}" = "pfSense" -o "${PFSENSETYPE}" = "nanobsd" ]; then
+	touch /conf/needs_package_sync
+fi
+
+# Detect interactive logins and display the shell
+detect_command='[ -n "$SSH_TTY" -o "$TERM" = "cons25" ] && exec /etc/rc.initial'
+echo "${detect_command}" > ${CVS_CO_DIR}/root/.shrc
+echo "${detect_command}" >> ${CVS_CO_DIR}/root/.profile
+
+if [ "${PFSENSETYPE}" = "nanobsd" ]; then
+	ROOT=/tmp/${1}/
+else
+	ROOT=/
+fi
+
+# Now turn on or off serial console as needed
+echo "Checking for ${ROOT}usr/local/share/pfSense/post_upgrade_command.php... " >> /conf/upgrade_log.txt
+if [ -x ${ROOT}usr/local/share/pfSense/post_upgrade_command.php ]; then
+	echo "Running ${ROOT}usr/local/share/pfSense/post_upgrade_command.php $1" >> /conf/upgrade_log.txt
+	${ROOT}usr/local/share/pfSense/post_upgrade_command.php $1 >> /conf/upgrade_log.txt 2>&1
+fi
+
+# Remove any previous MD5 sum files
+rm -f /root/*.md5 >/dev/null 2>&1
+
+# Fixup permissions on installed files
+if [ -f ${ROOT}usr/local/share/pfSense/base.mtree ]; then
+	if [ -x "/tmp/mtree.old" ]; then
+		MTREE_BIN=/tmp/mtree.old
+	else
+		MTREE_BIN=/usr/sbin/mtree
+	fi
+	${MTREE_BIN} -U -e -q -f ${ROOT}usr/local/share/pfSense/base.mtree -p ${ROOT} > /conf/mtree.log
+fi
+
+# Make sure to preserve existing time zone
+if [ "${PFSENSETYPE}" = "nanobsd" -a -f /etc/localtime ]; then
+	/bin/cp -p /etc/localtime ${ROOT}etc/localtime 2>/dev/null
+fi
+
+# Files may contain spaces
+oIFS=${IFS}
+IFS="
+"
+# Obsolete files - nanobsd doesn't need it since a new image is installed
+# on the other partition
+if [ "${PFSENSETYPE}" != "nanobsd" -a -f /etc/pfSense.obsoletedfiles ]; then
+	for f in $(cat /etc/pfSense.obsoletedfiles); do
+		if [ -n "${f}" -a -f "${f}" ]; then
+			rm -f "${f}"
+		elif [ -n "${f}" -a -d "${f}" ]; then
+			rm -rf "${f}"
+		fi
+	done
+fi
+
+# Restore IFS
+IFS=${oIFS}
diff --git a/usr/local/share/pfSense/post_upgrade_command.php b/usr/local/share/pfSense/post_upgrade_command.php
new file mode 100755
index 0000000..4a0215a
--- /dev/null
+++ b/usr/local/share/pfSense/post_upgrade_command.php
@@ -0,0 +1,31 @@
+#!/usr/local/bin/php-cgi -f
+<?php
+
+	/* upgrade embedded users serial console */
+	require_once("globals.inc");
+	require_once("config.inc");
+	require_once("functions.inc");
+
+	if (file_exists("/usr/local/bin/git") && isset($config['system']['gitsync']['synconupgrade'])) {
+		if (!empty($config['system']['gitsync']['repositoryurl'])) {
+			exec("cd /root/pfsense/pfSenseGITREPO/pfSenseGITREPO && git config remote.origin.url " . escapeshellarg($config['system']['gitsync']['repositoryurl']));
+		}
+		if (!empty($config['system']['gitsync']['branch'])) {
+			system("pfSsh.php playback gitsync " . escapeshellarg($config['system']['gitsync']['branch']) . " --upgrading");
+		}
+	}
+
+	$newslicedir = "";
+	if (isset($argv[1]) && $argv[1] != "") {
+		$newslicedir = '/tmp/' . $argv[1];
+	}
+
+	if ($g['enableserial_force'] || file_exists("{$newslicedir}/enableserial_force")) {
+		$config['system']['enableserial'] = true;
+		write_config();
+	}
+
+	system("echo \"Adding serial port settings ({$newslicedir})...\" >> /conf/upgrade_log.txt");
+	setup_serial_port("upgrade", $newslicedir);
+
+?>
diff --git a/usr/local/share/pfSense/pre_upgrade_command b/usr/local/share/pfSense/pre_upgrade_command
new file mode 100644
index 0000000..2ad365f
--- /dev/null
+++ b/usr/local/share/pfSense/pre_upgrade_command
@@ -0,0 +1,58 @@
+#!/bin/sh
+
+/etc/rc.conf_mount_rw
+
+# Record the previous version
+PRIOR_VERSION=`uname -r | cut -d'.' -f1`
+echo $PRIOR_VERSION > /tmp/pre_upgrade_version
+
+# De-activate sync on root filesystem. See ticket #4523
+# Back up original fstab
+/bin/cp /etc/fstab /etc/fstab.orig
+# De-activate sync on the root slice only. This will not match NanoBSD since it already has sync,noatime
+/usr/bin/sed -i '' 's/^\(\/.*[[:space:]]*\/[[:space:]]*ufs[[:space:]]*\)rw,sync\([[:space:]]*[[:digit:]][[:space:]]*[[:digit:]]\)$/\1rw\2/' /etc/fstab
+
+# Hack to workaround ticket #3749
+if [ ${PRIOR_VERSION} -le 8 ] && grep -q 'sh /etc/rc.reboot' /etc/rc.firmware; then
+	PROC=$(ps axwww | grep '/etc/rc.firmware *pfSenseupgrade')
+	PID=''
+	IMG=''
+	if [ -n "${PROC}" ]; then
+		PID=$(echo "${PROC}" | awk '{print $1}')
+		IMG=$(echo "${PROC}" | sed 's,^.*pfSenseupgrade *,,')
+	fi
+
+	if [ -n "${PID}" -a -n "${IMG}" -a -f "${IMG}" ]; then
+		cp -fp /bin/sh /tmp/sh.old
+		kill ${PID} >/dev/null 2>&1
+		kill -9 ${PID} >/dev/null 2>&1
+		sed -i '' -e 's,sh /,/tmp/sh.old /,' \
+			  -e 's,/usr/sbin/mtree,/tmp/mtree.old,' /etc/rc.firmware
+		# To avoid restarting rc.firmware twice because of #4328
+		sed -i '' -e '/^restore_chflags()/, /^}/ s/mtree *-PU/mtree -P/' /etc/rc.firmware
+		/etc/rc.firmware pfSenseupgrade "${IMG}"
+		exit
+	fi
+fi
+
+# One more hack to workaround #4328
+if grep -q 'mtree *-PU' /etc/rc.firmware; then
+	PROC=$(ps axwww | grep '/etc/rc.firmware *pfSenseupgrade')
+	PID=''
+	IMG=''
+	if [ -n "${PROC}" ]; then
+		PID=$(echo "${PROC}" | awk '{print $1}')
+		IMG=$(echo "${PROC}" | sed 's,^.*pfSenseupgrade *,,')
+	fi
+
+	if [ -n "${PID}" -a -n "${IMG}" -a -f "${IMG}" ]; then
+		kill ${PID} >/dev/null 2>&1
+		kill -9 ${PID} >/dev/null 2>&1
+		sed -i '' -e '/^restore_chflags()/, /^}/ s/mtree *-PU/mtree -P/' /etc/rc.firmware
+		/etc/rc.firmware pfSenseupgrade "${IMG}"
+		exit
+	fi
+fi
+
+rm /boot/kernel/*
+
diff --git a/usr/local/www/diag_authentication.php b/usr/local/www/diag_authentication.php
index 18dcfcc..503f5a3 100644
--- a/usr/local/www/diag_authentication.php
+++ b/usr/local/www/diag_authentication.php
@@ -83,9 +83,10 @@ if ($_POST) {
 	}
 
 	if (!$input_errors) {
-		if (authenticate_user($_POST['username'], $_POST['password'], $authcfg)) {
+		$attributes = array();
+		if (authenticate_user($_POST['username'], $_POST['password'], $authcfg, $attributes)) {
 			$savemsg = gettext("User") . ": " . $_POST['username'] . " " . gettext("authenticated successfully.");
-			$groups = getUserGroups($_POST['username'], $authcfg);
+			$groups = getUserGroups($_POST['username'], $authcfg, $attributes);
 			$savemsg .= "&nbsp;" . gettext("This user is a member of groups") . ": <br />";
 			$savemsg .= "<ul>";
 			foreach ($groups as $group)
diff --git a/usr/local/www/status.php b/usr/local/www/status.php
index d339930..e8c92fe 100755
--- a/usr/local/www/status.php
+++ b/usr/local/www/status.php
@@ -86,7 +86,6 @@ function doCmdT($title, $command) {
 				$line = preg_replace("/<ipsecpsk>.*?<\\/ipsecpsk>/", "<ipsecpsk>xxxxx</ipsecpsk>", $line);
 				$line = preg_replace("/<md5-hash>.*?<\\/md5-hash>/", "<md5-hash>xxxxx</md5-hash>", $line);
 				$line = preg_replace("/<md5password>.*?<\\/md5password>/", "<md5password>xxxxx</md5password>", $line);
-				$line = preg_replace("/<nt-hash>.*?<\\/nt-hash>/", "<nt-hash>xxxxx</nt-hash>", $line);
 				$line = preg_replace("/<radius_secret>.*?<\\/radius_secret>/", "<radius_secret>xxxxx</radius_secret>", $line);
 				$line = preg_replace("/<ldap_bindpw>.*?<\\/ldap_bindpw>/", "<ldap_bindpw>xxxxx</ldap_bindpw>", $line);
 				$line = preg_replace("/<passwordagain>.*?<\\/passwordagain>/", "<passwordagain>xxxxx</passwordagain>", $line);