From ebd5696f1cded00cb94303d4326e9ba575238390 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 19 Dec 2023 10:51:25 +0100
Subject: [PATCH] firmware: lock down FreeBSD repo and fix minor annoyance

---
 plist                                         |  1 +
 src/etc/inc/system.inc                        |  5 +--
 .../scripts/firmware/repos/FreeBSD.php        | 33 +++++++++++++++++++
 3 files changed, 37 insertions(+), 2 deletions(-)
 create mode 100755 src/opnsense/scripts/firmware/repos/FreeBSD.php

diff --git a/plist b/plist
index 3f37a962d..e39c0db29 100644
--- a/plist
+++ b/plist
@@ -1009,6 +1009,7 @@
 /usr/local/opnsense/scripts/firmware/register.php
 /usr/local/opnsense/scripts/firmware/reinstall.sh
 /usr/local/opnsense/scripts/firmware/remove.sh
+/usr/local/opnsense/scripts/firmware/repos/FreeBSD.php
 /usr/local/opnsense/scripts/firmware/repos/OPNsense.php
 /usr/local/opnsense/scripts/firmware/repos/README
 /usr/local/opnsense/scripts/firmware/resync.sh
diff --git a/src/etc/inc/system.inc b/src/etc/inc/system.inc
index 4527a7d4a..84a4b228a 100644
--- a/src/etc/inc/system.inc
+++ b/src/etc/inc/system.inc
@@ -834,11 +834,12 @@ function system_firmware_configure($verbose = false)
     natsort($scripts);
 
     foreach ($scripts as $script) {
-        if (is_executable($script)) {
+        $basename = basename($script);
+        if (is_executable($script) && $basename != 'README') {
             /* run the script in passthru() but avoid standard output from this side */
             passthru($script . '> /dev/null');
             /* make a note about repo being handled */
-            service_log(' ' . preg_replace('/\..*?$/', ' ', basename($script)));
+            service_log(' ' . preg_replace('/\..*?$/', '', $basename));
         }
     }
 
diff --git a/src/opnsense/scripts/firmware/repos/FreeBSD.php b/src/opnsense/scripts/firmware/repos/FreeBSD.php
new file mode 100755
index 000000000..299f10397
--- /dev/null
+++ b/src/opnsense/scripts/firmware/repos/FreeBSD.php
@@ -0,0 +1,33 @@
+#!/usr/local/bin/php
+<?php
+
+/*
+ * Copyright (C) 2023 Franco Fichtner <franco@opnsense.org>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+$conf = '/usr/local/etc/pkg/repos/FreeBSD.conf';
+
+/* ensure that FreeBSD repo is off to avoid obvious breakage */
+@copy($conf . '.sample', $conf);