fix remote admin reset password vuln. full disclosure posted @ seclists

tweak, ok merdely@, sthen@

www/wordpress/Makefile

@@ -1,9 +1,8 @@
-# $OpenBSD: Makefile,v 1.19 2009/07/24 17:29:52 merdely Exp $
+# $OpenBSD: Makefile,v 1.20 2009/08/11 23:43:17 martynas Exp $
 
 COMMENT =	standard compliant weblog
 
-DISTNAME =	wordpress-2.8.2
-PKGNAME =	${DISTNAME}p0
+DISTNAME =	wordpress-2.8.3
 CATEGORIES =	www
 
 HOMEPAGE =	http://wordpress.org/
@@ -19,18 +18,21 @@ MASTER_SITES =	${HOMEPAGE}
 
 RUN_DEPENDS =	:php5-mysql-*:www/php5/extensions,-mysql
 
-EXTRACT_ONLY =
 NO_BUILD =	Yes
 NO_REGRESS =	Yes
 PKG_ARCH =	*
 
-PREFIX =		/var/www
+PREFIX =	/var/www
 INSTDIR =	${PREFIX}/wordpress
+WRKDIST =	${WRKDIR}/wordpress
 
 SUBST_VARS =	INSTDIR
 
+pre-configure:
+	find ${WRKDIST} -name "*.orig" -execdir rm {} \;
+
 do-install:
-	@cd ${PREFIX} && tar zxf ${FULLDISTDIR}/${DISTNAME}${EXTRACT_SUFX}
-	@chown -R ${SHAREOWN}:${SHAREGRP} ${PREFIX}/*
+	${INSTALL_DATA_DIR} ${PREFIX}/wordpress
+	cd ${WRKSRC} && pax -rw * ${PREFIX}/wordpress
 
 .include <bsd.port.mk>

www/wordpress/distinfo

@@ -1,5 +1,5 @@
-MD5 (wordpress-2.8.2.tar.gz) = j96MSqPk2Gzp3cp83Adpog==
-RMD160 (wordpress-2.8.2.tar.gz) = 7pdIwDVMPRsonI2fLRDyHVIcUYk=
-SHA1 (wordpress-2.8.2.tar.gz) = yJasQ1iqfonOrs58+gBxwksJyAs=
-SHA256 (wordpress-2.8.2.tar.gz) = smJA8GJQj7/IePLLq1TKTLrIl5wXccCJwplwsNJ26Ks=
-SIZE (wordpress-2.8.2.tar.gz) = 2078041
+MD5 (wordpress-2.8.3.tar.gz) = Dt+1FF9LJG7tcmRjVcReoA==
+RMD160 (wordpress-2.8.3.tar.gz) = WBPhyKqsNVc0uR4D6PvfbxEPuH8=
+SHA1 (wordpress-2.8.3.tar.gz) = ZpzfEaFygyEoPHJKAgfrN2U8r3M=
+SHA256 (wordpress-2.8.3.tar.gz) = jbcwzy6FIQOWeh/OSSlLZRaHRjQUdLf4tJln0qNGHFk=
+SIZE (wordpress-2.8.3.tar.gz) = 2078634

www/wordpress/patches/patch-wp-login_php

@@ -0,0 +1,12 @@
+$OpenBSD: patch-wp-login_php,v 1.1 2009/08/11 23:43:17 martynas Exp $
+--- wp-login.php.orig	Thu Jun  4 01:15:22 2009
++++ wp-login.php	Tue Aug 11 14:20:43 2009
+@@ -187,7 +187,7 @@ function reset_password($key) {
+ 
+ 	$key = preg_replace('/[^a-z0-9]/i', '', $key);
+ 
+-	if ( empty( $key ) )
++	if ( empty( $key ) || is_array( $key ) )
+ 		return new WP_Error('invalid_key', __('Invalid key'));
+ 
+ 	$user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key));