From ba798a7fceec6ad928e30ce77336abecb2ea264a Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 5 Mar 2015 07:52:40 +0100
Subject: [PATCH] globals: changing the laws of UNIX is bad (1/many)

/tmp is unlikely to change.  If, however you decide to change
it to somewhere else the likelihood of someone else hardcoding
/tmp just to annoy you is so high that it simply makes no sense
to keep any softcoding in this regard.  More batches coming, but
since the usage is so widespread, I'll push it bit by bit.
---
 src/etc/inc/auth.inc               |  6 ++---
 src/etc/inc/authgui.inc            |  4 ++--
 src/etc/inc/config.console.inc     |  2 +-
 src/etc/inc/filter_log.inc         | 19 ++++++++-------
 src/etc/inc/gwlb.inc               | 29 ++++++++++-------------
 src/etc/inc/ipsec.attributes.php   |  9 ++++---
 src/etc/inc/notices.inc            | 38 +++++++++++++++---------------
 src/etc/inc/openvpn.attributes.php |  7 +++---
 src/etc/inc/openvpn.auth-user.php  |  5 ++--
 src/etc/inc/pkg-utils.inc          |  6 ++---
 src/etc/inc/services.inc           |  8 +++----
 11 files changed, 66 insertions(+), 67 deletions(-)

diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc
index cb8440bf5..2272f0ad2 100644
--- a/src/etc/inc/auth.inc
+++ b/src/etc/inc/auth.inc
@@ -103,9 +103,9 @@ if (function_exists("display_error_form") && !isset($config['system']['webgui'][
 // If the HTTP_REFERER is something other than ourselves then disallow.
 if(function_exists("display_error_form") && !isset($config['system']['webgui']['nohttpreferercheck'])) {
 	if($_SERVER['HTTP_REFERER']) {
-		if(file_exists("{$g['tmp_path']}/setupwizard_lastreferrer")) {
-			if($_SERVER['HTTP_REFERER'] == file_get_contents("{$g['tmp_path']}/setupwizard_lastreferrer")) {
-				unlink("{$g['tmp_path']}/setupwizard_lastreferrer");
+		if(file_exists('/tmp/setupwizard_lastreferrer')) {
+			if($_SERVER['HTTP_REFERER'] == file_get_contents('/tmp/setupwizard_lastreferrer')) {
+				unlink('/tmp/setupwizard_lastreferrer');
 				header("Refresh: 1; url=index.php");
 				echo "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n        \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">";
 				echo "<html><head><title>" . gettext("Redirecting...") . "</title></head><body>" . gettext("Redirecting to the dashboard...") . "</body></html>";
diff --git a/src/etc/inc/authgui.inc b/src/etc/inc/authgui.inc
index 113615e52..62168b247 100644
--- a/src/etc/inc/authgui.inc
+++ b/src/etc/inc/authgui.inc
@@ -150,9 +150,9 @@ function display_login_form()
 				isset($_SESSION['Login_Error']) ? $login_error = $_SESSION['Login_Error'] : $login_error = gettext("unknown reason");
 				printf("showajaxmessage('" . gettext("Invalid login (%s).") . "')", $login_error);
 			}
-			if (file_exists("{$g['tmp_path']}/webconfigurator.lock")) {
+			if (file_exists('/tmp/webconfigurator.lock')) {
 				// TODO: add the IP from the user who did lock the device
-				$whom = file_get_contents("{$g['tmp_path']}/webconfigurator.lock");
+				$whom = file_get_contents('/tmp/webconfigurator.lock');
 				printf("showajaxmessage('" . gettext("This device is currently being maintained by: %s.") . "');", $whom);
 			}
 		}
diff --git a/src/etc/inc/config.console.inc b/src/etc/inc/config.console.inc
index 2a272946a..7c3c56882 100644
--- a/src/etc/inc/config.console.inc
+++ b/src/etc/inc/config.console.inc
@@ -405,7 +405,7 @@ EODD;
 
 		echo gettext(" done!") . "\n";
 
-		touch("{$g['tmp_path']}/assign_complete");
+		touch('/tmp/assign_complete');
 
 	}
 }
diff --git a/src/etc/inc/filter_log.inc b/src/etc/inc/filter_log.inc
index a19a785a5..108c25b1a 100644
--- a/src/etc/inc/filter_log.inc
+++ b/src/etc/inc/filter_log.inc
@@ -1,8 +1,9 @@
 <?php
+
 /*
 	Copyritgh (C) 2014 Deciso B.V.
 	Copyright (C) Scott Ullrich
-	Copyright (C) 2009 Jim Pingle <myfirstname>@<mylastname>.org
+	Copyright (C) 2009 Jim Pingle
 	All rights reserved.
 
 	Redistribution and use in source and binary forms, with or without
@@ -286,10 +287,11 @@ function find_rule_by_number($rulenum, $type="block") {
 	if ($type == "rdr")
 		$_gb = exec("/sbin/pfctl -vvPsn -a \"miniupnpd\" | /usr/bin/egrep " . escapeshellarg("^@{$rulenum}"), $buffer);
 	else {
-		if (file_exists("{$g['tmp_path']}/rules.debug"))
-			$_gb = exec("/sbin/pfctl -vvPnf {$g['tmp_path']}/rules.debug 2>/dev/null | /usr/bin/egrep " . escapeshellarg($lookup_pattern), $buffer);
-		else
-			$_gb = exec("/sbin/pfctl -vvPsr | /usr/bin/egrep " . escapeshellarg($lookup_pattern), $buffer);
+		if (file_exists('/tmp/rules.debug')) {
+			$_gb = exec('/sbin/pfctl -vvPnf /tmp/rules.debug 2>/dev/null | /usr/bin/egrep ' . escapeshellarg($lookup_pattern), $buffer);
+		} else {
+			$_gb = exec('/sbin/pfctl -vvPsr | /usr/bin/egrep ' . escapeshellarg($lookup_pattern), $buffer);
+		}
 	}
 	if (is_array($buffer))
 		return $buffer[0];
@@ -313,10 +315,11 @@ function buffer_rules_load() {
 		}
 	}
 	unset($buffer, $_gb);
-	if (file_exists("{$g['tmp_path']}/rules.debug"))
-		$_gb = exec("/sbin/pfctl -vvPnf {$g['tmp_path']}/rules.debug 2>/dev/null | /usr/bin/egrep '^@[0-9]+\([0-9]+\)[[:space:]].*[[:space:]]log[[:space:]]' | /usr/bin/egrep -v '^@[0-9]+\([0-9]+\)[[:space:]](nat|rdr|binat|no|scrub)'", $buffer);
-	else
+	if (file_exists('/tmp/rules.debug')) {
+		$_gb = exec("/sbin/pfctl -vvPnf /tmp/rules.debug 2>/dev/null | /usr/bin/egrep '^@[0-9]+\([0-9]+\)[[:space:]].*[[:space:]]log[[:space:]]' | /usr/bin/egrep -v '^@[0-9]+\([0-9]+\)[[:space:]](nat|rdr|binat|no|scrub)'", $buffer);
+	} else {
 		$_gb = exec("/sbin/pfctl -vvPsr | /usr/bin/egrep '^@[0-9]+\([0-9]+\)[[:space:]].*[[:space:]]log[[:space:]]'", $buffer);
+	}
 
 	if (is_array($buffer)) {
 		foreach ($buffer as $line) {
diff --git a/src/etc/inc/gwlb.inc b/src/etc/inc/gwlb.inc
index 438c836f4..1e419ed33 100644
--- a/src/etc/inc/gwlb.inc
+++ b/src/etc/inc/gwlb.inc
@@ -1,4 +1,5 @@
 <?php
+
 /*
   Copyright (C) 2008 Bill Marquette, Seth Mos
   Copyright (C) 2010 Ermal Luçi
@@ -24,11 +25,8 @@
   CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
   ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
   POSSIBILITY OF SUCH DAMAGE.
+*/
 
-	pfSense_BUILDER_BINARIES:	/sbin/route	/usr/local/sbin/apinger
-	pfSense_MODULE:	routing
-
- */
 require_once("config.inc");
 require_once("rrd.inc");
 
@@ -339,11 +337,8 @@ EOD;
 	@file_put_contents("{$g['varetc_path']}/apinger.conf", $apingerconfig);
 	unset($apingerconfig);
 
-	if (is_dir("{$g['tmp_path']}"))
-		chmod("{$g['tmp_path']}", 01777);
-	if (!is_dir("{$g['vardb_path']}/rrd"))
-		mkdir("{$g['vardb_path']}/rrd", 0775);
-
+	@chmod('/tmp', 01777);
+	@mkdir("{$g['vardb_path']}/rrd", 0775);
 	@chown("{$g['vardb_path']}/rrd", "nobody");
 
 	/* Restart apinger process */
@@ -698,13 +693,13 @@ function return_gateways_array($disabled = false, $localhost = false, $inactive
 	if ($found_defaultv4 == 0 || $found_defaultv6 == 0) {
 		foreach ($gateways_arr as &$gateway) {
 			if (($gateway['friendlyiface'] == "wan") && ($found_defaultv4 == 0) && (!isset($gateway['ipprotocol']) || ($gateway['ipprotocol'] == "inet"))) {
-				if (file_exists("{$g['tmp_path']}/{$gateway['interface']}_defaultgw")) {
+				if (file_exists("/tmp/{$gateway['interface']}_defaultgw")) {
 					$gateway['defaultgw'] = true;
 					$found_defaultv4 = 1;
 				}
 			}
 			if (($gateway['friendlyiface'] == "wan") && ($found_defaultv6 == 0) && ($gateway['ipprotocol'] == "inet6")) {
-				if (file_exists("{$g['tmp_path']}/{$gateway['interface']}_defaultgwv6")) {
+				if (file_exists("/tmp/{$gateway['interface']}_defaultgwv6")) {
 					$gateway['defaultgw'] = true;
 					$found_defaultv6 = 1;
 				}
@@ -975,11 +970,11 @@ function get_interface_gateway($interface, &$dynamic = false) {
 	// for dynamic interfaces we handle them through the $interface_router file.
 	if (!is_ipaddrv4($gw) && !is_ipaddrv4($gwcfg['ipaddr'])) {
 		$realif = get_real_interface($interface);
-		if (file_exists("{$g['tmp_path']}/{$realif}_router")) {
-				$gw = trim(file_get_contents("{$g['tmp_path']}/{$realif}_router"), " \n");
+		if (file_exists("/tmp/{$realif}_router")) {
+				$gw = trim(file_get_contents("/tmp/{$realif}_router"), " \n");
 			$dynamic = true;
 		}
-		if (file_exists("{$g['tmp_path']}/{$realif}_defaultgw"))
+		if (file_exists("/tmp/{$realif}_defaultgw"))
 			$dynamic = "default";
 
 	}
@@ -1005,11 +1000,11 @@ function get_interface_gateway_v6($interface, &$dynamic = false) {
 	// for dynamic interfaces we handle them through the $interface_router file.
 	if (!is_ipaddrv6($gw) && !is_ipaddrv6($gwcfg['ipaddrv6'])) {
 			$realif = get_real_interface($interface);
-			if (file_exists("{$g['tmp_path']}/{$realif}_routerv6")) {
-				$gw = trim(file_get_contents("{$g['tmp_path']}/{$realif}_routerv6"), " \n");
+			if (file_exists("/tmp/{$realif}_routerv6")) {
+				$gw = trim(file_get_contents("/tmp/{$realif}_routerv6"), " \n");
 				$dynamic = true;
 			}
-			if (file_exists("{$g['tmp_path']}/{$realif}_defaultgwv6"))
+			if (file_exists("/tmp/{$realif}_defaultgwv6"))
 				$dynamic = "default";
 
 	}
diff --git a/src/etc/inc/ipsec.attributes.php b/src/etc/inc/ipsec.attributes.php
index 7729a428d..723a5ccf1 100644
--- a/src/etc/inc/ipsec.attributes.php
+++ b/src/etc/inc/ipsec.attributes.php
@@ -1,6 +1,7 @@
 <?php
+
 /*
-        Copyright (C) 2011-2012         Ermal Luçi
+        Copyright (C) 2011-2012 Ermal Luçi
         All rights reserved.
 
         Redistribution and use in source and binary forms, with or without
@@ -177,8 +178,6 @@ $rules = parse_cisco_acl($attributes);
 if (!empty($rules)) {
 	$pid = posix_getpid();
 	@file_put_contents("/tmp/ipsec_{$pid}{$common_name}.rules", $rules);
-	mwexec("/sbin/pfctl -a " . escapeshellarg("ipsec/{$common_name}") . " -f {$g['tmp_path']}/ipsec_{$pid}" . escapeshellarg($common_name) . ".rules");
-	@unlink("{$g['tmp_path']}/ipsec_{$pid}{$common_name}.rules");
+	mwexec("/sbin/pfctl -a " . escapeshellarg("ipsec/{$common_name}") . " -f /tmp/ipsec_{$pid}" . escapeshellarg($common_name) . ".rules");
+	@unlink("/tmp/ipsec_{$pid}{$common_name}.rules");
 }
-
-?>
diff --git a/src/etc/inc/notices.inc b/src/etc/inc/notices.inc
index c5ee52d32..d04144b5e 100644
--- a/src/etc/inc/notices.inc
+++ b/src/etc/inc/notices.inc
@@ -1,8 +1,8 @@
 <?php
 
 /*
- * Copyright (C) 2009 Scott Ullrich (sullrich@gmail.com)
- * Copyright (C) 2005 Colin Smith (ethethlay@gmail.com)
+ * Copyright (C) 2009 Scott Ullrich <sullrich@gmail.com>
+ * Copyright (C) 2005 Colin Smith <ethethlay@gmail.com>
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -31,8 +31,6 @@
 require_once("globals.inc");
 require_once("led.inc");
 
-$notice_path = $g['tmp_path'] . '/notices';
-
 /****f* notices/file_notice
  * NAME
  *   file_notice
@@ -49,7 +47,6 @@ function file_notice($id, $notice, $category = "General", $url = "", $priority =
 	 * $priority - A notice's priority. Higher numbers indicate greater severity.
 	 *	       0 = informational, 1 = warning, 2 = error, etc. This may also be arbitrary,
 	 */
-	global $notice_path;
 	if(!$queue = get_notices()) $queue = array();
 	$queuekey = time();
 	$toqueue = array(
@@ -60,9 +57,9 @@ function file_notice($id, $notice, $category = "General", $url = "", $priority =
 				'priority'	=> $priority,
 			);
 	$queue[$queuekey] = $toqueue;
-	$queueout = fopen($notice_path, "w");
+	$queueout = fopen('/tmp/notices', 'w');
 	if(!$queueout) {
-		log_error(printf(gettext("Could not open %s for writing"), $notice_path));
+		log_error(printf(gettext("Could not open %s for writing"), '/tmp/notices'));
 		return;
 	}
 	fwrite($queueout, serialize($queue));
@@ -87,11 +84,12 @@ function file_notice($id, $notice, $category = "General", $url = "", $priority =
  * RESULT
  *   Returns a specific notices text
  ******/
-function get_notices($category = "all") {
+function get_notices($category = 'all')
+{
 	global $g;
 
-	if(file_exists("{$g['tmp_path']}/notices")) {
-		$queue = unserialize(file_get_contents("{$g['tmp_path']}/notices"));
+	if (file_exists('/tmp/notices')) {
+		$queue = unserialize(file_get_contents('/tmp/notices'));
 		if(!$queue) return false;
 		if($category != 'all') {
 			foreach($queue as $time => $notice) {
@@ -115,9 +113,10 @@ function get_notices($category = "all") {
  * RESULT
  *   Removes a notice from the list
  ******/
-function close_notice($id) {
-	global $notice_path;
+function close_notice($id)
+{
 	require_once("util.inc");
+
 	/* soekris */
 	if(file_exists("/dev/led/error"))
 		exec("/bin/echo 0 > /dev/led/error");
@@ -126,7 +125,7 @@ function close_notice($id) {
 	$ids = array();
 	if(!$notices = get_notices()) return;
 	if($id == "all") {
-		unlink_if_exists($notice_path);
+		unlink_if_exists('/tmp/notices');
 		return;
 	}
 	foreach(array_keys($notices) as $time) {
@@ -145,11 +144,11 @@ function close_notice($id) {
 		}
 	}
 	if(count($notices) != 0) {
-		$queueout = fopen($notice_path, "w");
+		$queueout = fopen('/tmp/notices', 'w');
 		fwrite($queueout, serialize($notices));
 		fclose($queueout);
 	} else {
-		unlink_if_exists($notice_path);
+		unlink_if_exists('/tmp/notices');
 	}
 
 	return;
@@ -165,7 +164,7 @@ function close_notice($id) {
  ******/
 function dump_xml_notices() {
 	require_once("xmlparse.inc");
-	global $notice_path, $listtags;
+	global $listtags;
 	$listtags[] = 'notice';
 	if(!$notices = get_notices()) return;
 	foreach($notices as $time => $notice) {
@@ -235,11 +234,12 @@ function print_notice_box($category = "all") {
  * RESULT
  *   returns true if notices are pending, false if they are not
  ******/
-function are_notices_pending($category = "all") {
-	global $notice_path;
-	if(file_exists($notice_path)) {
+function are_notices_pending($category = 'all')
+{
+	if (file_exists('/tmp/notices')) {
 		return true;
 	}
+
 	return false;
 }
 
diff --git a/src/etc/inc/openvpn.attributes.php b/src/etc/inc/openvpn.attributes.php
index 59cc58e60..3ad9803a1 100644
--- a/src/etc/inc/openvpn.attributes.php
+++ b/src/etc/inc/openvpn.attributes.php
@@ -1,6 +1,7 @@
 <?php
+
 /*
-        Copyright (C) 2011-2012         Ermal Luçi
+        Copyright (C) 2011-2012 Ermal Luçi
         All rights reserved.
 
         Redistribution and use in source and binary forms, with or without
@@ -179,8 +180,8 @@ $rules = parse_cisco_acl($attributes);
 if (!empty($rules)) {
 	$pid = posix_getpid();
 	@file_put_contents("/tmp/ovpn_{$pid}{$common_name}.rules", $rules);
-	mwexec("/sbin/pfctl -a " . escapeshellarg("openvpn/{$common_name}") . " -f {$g['tmp_path']}/ovpn_{$pid}" . escapeshellarg($common_name) . ".rules");
-	@unlink("{$g['tmp_path']}/ovpn_{$pid}{$common_name}.rules");
+	mwexec("/sbin/pfctl -a " . escapeshellarg("openvpn/{$common_name}") . " -f /tmp/ovpn_{$pid}" . escapeshellarg($common_name) . ".rules");
+	@unlink("/tmp/ovpn_{$pid}{$common_name}.rules");
 }
 
 ?>
diff --git a/src/etc/inc/openvpn.auth-user.php b/src/etc/inc/openvpn.auth-user.php
index 36b0588bb..d4ffa8aec 100644
--- a/src/etc/inc/openvpn.auth-user.php
+++ b/src/etc/inc/openvpn.auth-user.php
@@ -160,8 +160,9 @@ if (isset($attributes['framed_ip'])) {
 //      }
 }
 
-if (!empty($content))
-        @file_put_contents("{$g['tmp_path']}/{$username}", $content);
+if (!empty($content)) {
+        @file_put_contents("/tmp/{$username}", $content);
+}
 
 syslog(LOG_NOTICE, "user '{$username}' authenticated\n");
 closelog();
diff --git a/src/etc/inc/pkg-utils.inc b/src/etc/inc/pkg-utils.inc
index 554d23d83..8ae0dbd8d 100644
--- a/src/etc/inc/pkg-utils.inc
+++ b/src/etc/inc/pkg-utils.inc
@@ -2,7 +2,7 @@
 
 /*
  * Copyright (C) 2010 Ermal Luci
- * Copyright (C) 2005-2006 Colin Smith (ethethlay@gmail.com)
+ * Copyright (C) 2005-2006 Colin Smith <ethethlay@gmail.com>
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -55,7 +55,7 @@ if (!function_exists("pkg_debug")) {
 			return;
 
 		if (!$fd_log) {
-			if (!$fd_log = fopen("{$g['tmp_path']}/pkg_mgr_{$package}.log", "w"))
+			if (!$fd_log = fopen("/tmp/pkg_mgr_{$package}.log", "w"))
 				update_output_window("Warning, could not open log for writing.");
 		}
 		@fwrite($fd_log, $msg);
@@ -473,7 +473,7 @@ function pkg_fetch_recursive($pkgname, $filename, $dependlevel = 0, $base_url =
 			$pkgstaging = "-o {$pkgstagingdir}/instmp.XXXXXX";
 			$fetchdir = $pkgstagingdir;
 		} else {
-			$fetchdir = $g['tmp_path'];
+			$fetchdir = '/tmp';
 		}
 
 		/* FreeBSD has no PBI's hosted, so fall back to our own URL for now. (Maybe fail to PC-BSD?) */
diff --git a/src/etc/inc/services.inc b/src/etc/inc/services.inc
index 5281d1dba..dbdacd0bf 100644
--- a/src/etc/inc/services.inc
+++ b/src/etc/inc/services.inc
@@ -287,7 +287,7 @@ function services_dhcpd_configure($family = "all", $blacklist = array()) {
 	global $config, $g;
 
 	/* configure DHCPD chroot once */
-	$fd = fopen("{$g['tmp_path']}/dhcpd.sh","w");
+	$fd = fopen('/tmp/dhcpd.sh', 'w');
 	fwrite($fd, "/bin/mkdir -p {$g['dhcpd_chroot_path']}\n");
 	fwrite($fd, "/bin/mkdir -p {$g['dhcpd_chroot_path']}/dev\n");
 	fwrite($fd, "/bin/mkdir -p {$g['dhcpd_chroot_path']}/etc\n");
@@ -306,7 +306,7 @@ function services_dhcpd_configure($family = "all", $blacklist = array()) {
 	if (!trim($status))
 		fwrite($fd, "/sbin/mount -t devfs devfs {$g['dhcpd_chroot_path']}/dev\n");
 	fclose($fd);
-	mwexec("/bin/sh {$g['tmp_path']}/dhcpd.sh");
+	mwexec('/bin/sh /tmp/dhcpd.sh');
 
 	if ($family == "all" || $family == "inet")
 		services_dhcpdv4_configure();
@@ -1345,7 +1345,7 @@ EOD;
         }
 	$igmpconf .= "\n";
 
-        $igmpfl = fopen($g['tmp_path'] . "/igmpproxy.conf", "w");
+        $igmpfl = fopen('/tmp/igmpproxy.conf', 'w');
         if (!$igmpfl) {
                 log_error(gettext("Could not write Igmpproxy configuration file!"));
                 return;
@@ -1355,7 +1355,7 @@ EOD;
 	unset($igmpconf);
 
 	/* NOTE: -d4 means everything LOG_WARNING and smaller */
-        mwexec("/usr/local/sbin/igmpproxy -d4 -c {$g['tmp_path']}/igmpproxy.conf");
+        mwexec('/usr/local/sbin/igmpproxy -d4 -c /tmp/igmpproxy.conf');
         log_error(gettext("Started IGMP proxy service."));
 
         return 0;