From 54786ab35ea25208aa864e01ac9edada73cb560a Mon Sep 17 00:00:00 2001
From: Ed Maste
Date: Wed, 28 Sep 2016 21:22:51 +0000
Subject: [PATCH] portsnap: only move expected snapshot contents from snap/ to files/
Previously it was possible to smuggle in addional files that would be used by later portsnap runs. Now we only move those files expected to be in the snapshot into files/ and require that there are no unexpected files. This was used by portsnap attacks 2, 3, and 4 in the "non-cryptanalytic attacks against FreeBSD update components" anonymous gist.
Reported by: anonymous gist
Reviewed by: allanjude, delphij
MFC after: ASAP
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D8052
---
 usr.sbin/portsnap/portsnap/portsnap.sh | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/usr.sbin/portsnap/portsnap/portsnap.sh b/usr.sbin/portsnap/portsnap/portsnap.sh
index 3dcf618ab53a..501c530acd60 100644
--- a/usr.sbin/portsnap/portsnap/portsnap.sh
+++ b/usr.sbin/portsnap/portsnap/portsnap.sh
@@ -691,6 +691,13 @@ fetch_snapshot() {
 fetch_index_sanity || return 1
 # Verify the snapshot contents
 cut -f 2 -d '|' INDEX.new | fetch_snapshot_verify || return 1
+ cut -f 2 -d '|' tINDEX.new INDEX.new | sort -u > files.expected
+ find snap -mindepth 1 | sed -E 's^snap/(.*)\.gz^\1^' | sort > files.snap
+ if ! cmp -s files.expected files.snap; then
+ echo "unexpected files in snapshot."
+ return 1
+ fi
+ rm files.expected files.snap
 echo "done."
 # Move files into their proper locations
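Review bot: The sed expression that normalises the `find snap` listing is not anchored at the end, so an entry with extra characters after `.gz` is rewritten too instead of being left as an obvious mismatch. The allow-list comparison is stricter if only names of the exact form `snap/<name>.gz` are rewritten, e.g. `find snap -mindepth 1 | sed -E 's,^snap/(.*)\.gz$,\1,' | sort > files.snap`. Whether `fetch_snapshot_verify` already rejects such names cannot be seen from this hunk. Separately, the failure branch returns without removing `files.expected` and `files.snap`, which the success path does remove; adding `rm -f files.expected files.snap` before `return 1` keeps the work directory clean. `fetch_snapshot` starts before and continues after this hunk.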