diff options
Diffstat (limited to 'web')
-rw-r--r-- | web/html/account.php | 6 | ||||
-rw-r--r-- | web/html/css/containers.css | 6 | ||||
-rw-r--r-- | web/html/css/fonts.css | 6 | ||||
-rw-r--r-- | web/html/hacker.php | 13 | ||||
-rw-r--r-- | web/html/index.php | 21 | ||||
-rw-r--r-- | web/html/logout.php | 20 | ||||
-rw-r--r-- | web/html/pkgmgmnt.php | 6 | ||||
-rw-r--r-- | web/html/pkgsearch.php | 6 | ||||
-rw-r--r-- | web/html/pkgsubmit.php | 7 | ||||
-rw-r--r-- | web/html/pkgvote.php | 6 | ||||
-rw-r--r-- | web/html/template.php | 1 | ||||
-rw-r--r-- | web/lang/hacker_po.inc | 24 | ||||
-rw-r--r-- | web/lang/logout_po.inc | 5 | ||||
-rw-r--r-- | web/lib/aur.inc | 95 |
14 files changed, 165 insertions, 57 deletions
diff --git a/web/html/account.php b/web/html/account.php index 6d402ca..4d2cd9f 100644 --- a/web/html/account.php +++ b/web/html/account.php @@ -2,6 +2,7 @@ include("aur.inc"); # access AUR common functions include("account_po.inc"); # use some form of this for i18n support set_lang(); # this sets up the visitor's language +check_sid(); # see if they're still logged in html_header(); # print out the HTML header @@ -11,8 +12,5 @@ html_header(); # print out the HTML header print __("Under construction...")."<br/>\n"; -html_footer("\$Id$"); # Use the $Id$ keyword - # NOTE: when checking in a new file, use - # 'svn propset svn:keywords "Id" filename.php' - # to tell svn to expand the "Id" keyword. +html_footer("\$Id$"); ?> diff --git a/web/html/css/containers.css b/web/html/css/containers.css index 7322b3f..69ed1d9 100644 --- a/web/html/css/containers.css +++ b/web/html/css/containers.css @@ -174,6 +174,12 @@ vertical-align: top;
padding-left: 5;
}
+ td.text
+ {
+ color: #000;
+ font-family: verdana;
+ font-size: 12px;
+ }
th
{
text-align: left;
diff --git a/web/html/css/fonts.css b/web/html/css/fonts.css index 55cb226..fcf4644 100644 --- a/web/html/css/fonts.css +++ b/web/html/css/fonts.css @@ -40,6 +40,12 @@ font-family: monospace, fixed, terminal;
font-size: 12px;
}
+ span.error /* Content Text */
+ {
+ color: #900;
+ font-family: verdana;
+ font-size: 12px;
+ }
/* Font Attribute Change (#6c83b0)*/
span.blue
diff --git a/web/html/hacker.php b/web/html/hacker.php new file mode 100644 index 0000000..5d51834 --- /dev/null +++ b/web/html/hacker.php @@ -0,0 +1,13 @@ +<? +include("hacker_po.inc"); +include("aur.inc"); +set_lang(); +html_header(); + +print __("Your session id is invalid."); +print "<p>\n"; +print __("If this problem persists, please contact the site administrator."); +print "</p>\n"; + +html_footer("\$Id$"); +?> diff --git a/web/html/index.php b/web/html/index.php index 3bda551..ad7b73f 100644 --- a/web/html/index.php +++ b/web/html/index.php @@ -4,7 +4,7 @@ include("aur.inc"); set_lang(); check_sid(); -# Need to do the authentication prior to sending HTML +# Need to do the authentication prior to sending any HTML (including header) # $login_error = ""; if (isset($_REQUEST["user"]) || isset($_REQUEST["pass"])) { @@ -23,14 +23,15 @@ if (isset($_REQUEST["user"]) || isset($_REQUEST["pass"])) { $q = "SELECT ID, Suspended FROM Users "; $q.= "WHERE Email = '" . mysql_escape_string($_REQUEST["user"]) . "' "; $q.= "AND Passwd = '" . mysql_escape_string($_REQUEST["pass"]) . "'"; - $result = mysql_query($q, $dbh); + $result = db_query($q, $dbh); if (!$result) { $login_error = __("Incorrect password for username %s.", array($_REQUEST["user"])); - } - $row = mysql_fetch_row($result); - if ($row[1]) { - $login_error = __("Your account has been suspended."); + } else { + $row = mysql_fetch_row($result); + if ($row[1]) { + $login_error = __("Your account has been suspended."); + } } if (!$login_error) { @@ -42,7 +43,7 @@ if (isset($_REQUEST["user"]) || isset($_REQUEST["pass"])) { $new_sid = new_sid(); $q = "INSERT INTO Sessions (UsersID, SessionID, LastUpdateTS) "; $q.="VALUES (". $row[0]. ", '" . $new_sid . "', UNIX_TIMESTAMP())"; - $result = mysql_query($q, $dbh); + $result = db_query($q, $dbh); # Query will fail if $new_sid is not unique # if ($result) { @@ -69,19 +70,19 @@ html_header(); print "<table border='0' cellpadding='0' cellspacing='3' width='90%'>\n"; print "<tr>\n"; -print " <td align='left'>"; +print " <td align='left' valign='top'> <br/>"; print __("This is where the intro text will go."); print __("For now, it's just a place holder."); print __("It's more important to get the login functionality finished."); print __("After that, this can be filled in with more meaningful text."); print " </td>"; -print " <td align='right'>"; +print " <td align='right'> <br/>\n"; if (!isset($_COOKIE["AURSID"])) { # the user is not logged in, give them login widgets # print "<form action='/index.php' method='post'>\n"; if ($login_error) { - print $login_error . "<br/>\n"; + print "<span class='error'>" . $login_error . "</span><br/>\n"; } print "<table border='0' cellpadding='0' cellspacing='0' width='100%'>\n"; print "<tr>\n"; diff --git a/web/html/logout.php b/web/html/logout.php index 6757784..07a787a 100644 --- a/web/html/logout.php +++ b/web/html/logout.php @@ -2,17 +2,19 @@ include("aur.inc"); # access AUR common functions include("logout_po.inc"); # use some form of this for i18n support set_lang(); # this sets up the visitor's language -html_header(); # print out the HTML header - -# Any text you print out to the visitor, use the __() function -# for i18n support. See 'testpo.php' for more details. +# if they've got a cookie, log them out - need to do this before +# sending any HTML output. # -print __("Under construction...")."<br/>\n"; +if (isset($_COOKIE["AURSID"])) { + $q = "DELETE FROM Sessions WHERE SessionID = '"; + $q.= mysql_escape_string($_COOKIE["AURSID"]) . "'"; + setcookie("AURSID", "", time() - (60*60*24*30), "/"); +} + +html_header(); # print out the HTML header +print __("You have been successfully logged out.")."<br/>\n"; -html_footer("\$Id$"); # Use the $Id$ keyword - # NOTE: when checking in a new file, use - # 'svn propset svn:keywords "Id" filename.php' - # to tell svn to expand the "Id" keyword. +html_footer("\$Id$"); ?> diff --git a/web/html/pkgmgmnt.php b/web/html/pkgmgmnt.php index 0988e51..b1768db 100644 --- a/web/html/pkgmgmnt.php +++ b/web/html/pkgmgmnt.php @@ -2,6 +2,7 @@ include("aur.inc"); # access AUR common functions include("mgmnt_po.inc"); # use some form of this for i18n support set_lang(); # this sets up the visitor's language +check_sid(); # see if they're still logged in html_header(); # print out the HTML header @@ -11,8 +12,5 @@ html_header(); # print out the HTML header print __("Under construction...")."<br/>\n"; -html_footer("\$Id$"); # Use the $Id$ keyword - # NOTE: when checking in a new file, use - # 'svn propset svn:keywords "Id" filename.php' - # to tell svn to expand the "Id" keyword. +html_footer("\$Id$"); ?> diff --git a/web/html/pkgsearch.php b/web/html/pkgsearch.php index d23a602..f5ef888 100644 --- a/web/html/pkgsearch.php +++ b/web/html/pkgsearch.php @@ -2,6 +2,7 @@ include("aur.inc"); # access AUR common functions include("search_po.inc"); # use some form of this for i18n support set_lang(); # this sets up the visitor's language +check_sid(); # see if they're still logged in html_header(); # print out the HTML header @@ -11,8 +12,5 @@ html_header(); # print out the HTML header print __("Under construction...")."<br/>\n"; -html_footer("\$Id$"); # Use the $Id$ keyword - # NOTE: when checking in a new file, use - # 'svn propset svn:keywords "Id" filename.php' - # to tell svn to expand the "Id" keyword. +html_footer("\$Id$"); ?> diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php index fc36da5..c9465a1 100644 --- a/web/html/pkgsubmit.php +++ b/web/html/pkgsubmit.php @@ -1,6 +1,8 @@ <? include("aur.inc"); # access AUR common functions include("submit_po.inc"); # use some form of this for i18n support +set_lang(); # this sets up the visitor's language +check_sid(); # see if they're still logged in html_header(); # print out the HTML header @@ -10,8 +12,5 @@ html_header(); # print out the HTML header print __("Under construction...")."<br/>\n"; -html_footer("\$Id$"); # Use the $Id$ keyword - # NOTE: when checking in a new file, use - # 'svn propset svn:keywords "Id" filename.php' - # to tell svn to expand the "Id" keyword. +html_footer("\$Id$"); ?> diff --git a/web/html/pkgvote.php b/web/html/pkgvote.php index e111937..594ec16 100644 --- a/web/html/pkgvote.php +++ b/web/html/pkgvote.php @@ -2,6 +2,7 @@ include("aur.inc"); # access AUR common functions include("vote_po.inc"); # use some form of this for i18n support set_lang(); # this sets up the visitor's language +check_sid(); # see if they're still logged in html_header(); # print out the HTML header @@ -11,8 +12,5 @@ html_header(); # print out the HTML header print __("Under construction...")."<br/>\n"; -html_footer("\$Id$"); # Use the $Id$ keyword - # NOTE: when checking in a new file, use - # 'svn propset svn:keywords "Id" filename.php' - # to tell svn to expand the "Id" keyword. +html_footer("\$Id$"); ?> diff --git a/web/html/template.php b/web/html/template.php index a61ba6f..9ae001e 100644 --- a/web/html/template.php +++ b/web/html/template.php @@ -2,6 +2,7 @@ include("aur.inc"); # access AUR common functions include("template_po.inc"); # use some form of this for i18n support set_lang(); # this sets up the visitor's language +check_sid(); # see if they're still logged in html_header(); # print out the HTML header diff --git a/web/lang/hacker_po.inc b/web/lang/hacker_po.inc new file mode 100644 index 0000000..183cee6 --- /dev/null +++ b/web/lang/hacker_po.inc @@ -0,0 +1,24 @@ +<? +# INSTRUCTIONS TO TRANSLATORS +# +# This file contains the i18n translations for a subset of the +# Arch Linux User-community Repository (AUR). This is a PHP +# script, and as such, you MUST pay great attention to the syntax. +# If your text contains any double-quotes ("), you MUST escape +# them with the backslash character (\). +# + +include_once("translator.inc"); +global $_t; + +$_t["en"]["Your session id is invalid."] = "Your session id is invalid."; +# $_t["es"]["Your session id is invalid."] = "--> Traducción española aquí. <--"; +# $_t["fr"]["Your session id is invalid."] = "--> Traduction française ici. <--"; +# $_t["de"]["Your session id is invalid."] = "--> Deutsche Übersetzung hier. <--"; + +$_t["en"]["If this problem persists, please contact the site administrator."] = "If this problem persists, please contact the site administrator."; +# $_t["es"]["If this problem persists, please contact the site administrator."] = "--> Traducción española aquí. <--"; +# $_t["fr"]["If this problem persists, please contact the site administrator."] = "--> Traduction française ici. <--"; +# $_t["de"]["If this problem persists, please contact the site administrator."] = "--> Deutsche Übersetzung hier. <--"; + +?>
\ No newline at end of file diff --git a/web/lang/logout_po.inc b/web/lang/logout_po.inc index 438f50d..dab1dda 100644 --- a/web/lang/logout_po.inc +++ b/web/lang/logout_po.inc @@ -16,4 +16,9 @@ $_t["en"]["Under construction..."] = "Under construction..."; # $_t["fr"]["Under construction..."] = "--> Traduction française ici. <--"; # $_t["de"]["Under construction..."] = "--> Deutsche Übersetzung hier. <--"; +$_t["en"]["You have been successfully logged out."] = "You have been successfully logged out."; +# $_t["es"]["You have been successfully logged out."] = "--> Traducción española aquí. <--"; +# $_t["fr"]["You have been successfully logged out."] = "--> Traduction française ici. <--"; +# $_t["de"]["You have been successfully logged out."] = "--> Deutsche Übersetzung hier. <--"; + ?>
\ No newline at end of file diff --git a/web/lib/aur.inc b/web/lib/aur.inc index a333576..54ec5ef 100644 --- a/web/lib/aur.inc +++ b/web/lib/aur.inc @@ -3,18 +3,24 @@ include_once("aur_po.inc"); # Define global variables # -$PASS_PHRASE = "Dustyissocool"; -$SUPPORTED_LANGS = array( +$LOGIN_TIMEOUT = 10; # number of idle seconds before timeout +$SUPPORTED_LANGS = array( # what languages we have translations for "en" => 1, # English "es" => 1, # Español "de" => 1, # Deutsch "fr" => 1, # Français ); +# debugging variables +# +$QBUG = 1; # toggle query logging to /tmp/aurq.log +$DBUG = 1; # use dbug($msg) to log to /tmp/aurd.log + # see if the visitor is already logged in # function check_sid() { global $_COOKIE; + global $LOGIN_TIMEOUT; if (isset($_COOKIE["AURSID"])) { $failed = 0; @@ -23,28 +29,45 @@ function check_sid() { $dbh = db_connect(); $q = "SELECT LastUpdateTS, UNIX_TIMESTAMP() FROM Sessions "; $q.= "WHERE SessionID = '" . mysql_escape_string($_COOKIE["AURSID"]) . "'"; - $result = mysql_query($q, $dbh); + $result = db_query($q, $dbh); if (!$result) { + # Invalid SessionID - hacker alert! + # $failed = 1; } else { - if ($row[0] + 10 >= $row[1]) { - $failed = 1; + $row = mysql_fetch_row($result); + if ($row[0] + $LOGIN_TIMEOUT <= $row[1]) { + dbug("login timeout reached"); + $failed = 2; } } - if ($failed) { + if ($failed == 1) { + # clear out the hacker's cookie, and send them to a naughty page + # + setcookie("AURSID", "", time() - (60*60*24*30), "/"); + header("Location: /hacker.php"); + + } elseif ($failed == 2) { # visitor's session id either doesn't exist, or the timeout # was reached and they must login again, send them back to # the main page where they can log in again. # $q = "DELETE FROM Sessions WHERE SessionID = '"; $q.= mysql_escape_string($_COOKIE["AURSID"]) . "'"; - mysql_query($q, $dbh); + db_query($q, $dbh); setcookie("AURSID", "", time() - (60*60*24*30), "/"); header("Location: /timeout.php"); + + } else { + # still logged in and haven't reached the timeout, go ahead + # and update the idle timestamp + # + $q = "UPDATE Sessions SET LastUpdateTS = UNIX_TIMESTAMP() "; + $q.= "WHERE SessionID = '".mysql_escape_string($_COOKIE["AURSID"])."'"; + db_query($q, $dbh); } } - return; } @@ -81,7 +104,7 @@ function username_from_sid($sid="") { $q.= "FROM Users, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; $q.= "AND SessionID = '" . mysql_escape_string($sid) . "'"; - $result = mysql_query($q, $dbh); + $result = db_query($q, $dbh); if (!$result) { return ""; } @@ -111,6 +134,26 @@ function db_connect() { return $handle; } +# wrapper function around db_query in case we want to put +# query logging/debuggin in. +# +function db_query($query="", $db_handle="") { + global $QBUG; + if (!$query) { + return FALSE; + } + if (!$db_handle) { + $db_handle = db_connect(); + } + if ($QBUG) { + $fp = fopen("/tmp/aurq.log", "a"); + fwrite($fp, $query . "\n"); + fclose($fp); + } + $result = mysql_query($query, $db_handle); + return $result; +} + # set up the visitor's language # function set_lang() { @@ -152,6 +195,7 @@ function set_lang() { # common header # function html_header() { + global $_COOKIE; print "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"; print "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\n"; print "<html xmlns=\"http://www.w3.org/1999/xhtml\" xml:lang=\"en\" lang=\"en\">"; @@ -205,14 +249,20 @@ function html_header() { print " <a href='/account.php'>".__("Accounts")."</a> "; print " <span class='black'> - </span> "; print " <a href='/pkgsearch.php'>".__("Packages")."</a> "; - print " <span class='black'> - </span> "; - print " <a href='/pkgvote.php'>".__("Vote")."</a> "; - print " <span class='black'> - </span> "; - print " <a href='/pkgmgmnt.php'>".__("Manage")."</a> "; - print " <span class='black'> - </span> "; - print " <a href='/pkgsubmit.php'>".__("Submit")."</a> "; - print " <span class='black'> - </span> "; - print " <a href='/logout.php'>".__("Logout")."</a> "; + if (isset($_COOKIE["AURSID"])) { + # Only display these items if the visitor is logged in. This should + # be a safe check because check_sid() has been called prior to + # html_header(). + # + print " <span class='black'> - </span> "; + print " <a href='/pkgvote.php'>".__("Vote")."</a> "; + print " <span class='black'> - </span> "; + print " <a href='/pkgmgmnt.php'>".__("Manage")."</a> "; + print " <span class='black'> - </span> "; + print " <a href='/pkgsubmit.php'>".__("Submit")."</a> "; + print " <span class='black'> - </span> "; + print " <a href='/logout.php'>".__("Logout")."</a> "; + } print " <span class='black'>:.</span></span>"; print " </td>"; print " </tr>"; @@ -237,10 +287,19 @@ function html_footer($ver="") { print "<tr><td align='right'><span class='fix'>".$ver."</span></td></tr>\n"; print "</table>\n"; } - print "<\p>\n"; + print "</p>\n"; print "</body>\n</html>"; return; } +# debug logging +# +function dbug($msg) { + $fp = fopen("/tmp/aurd.log", "a"); + fwrite($fp, $msg . "\n"); + fclose($fp); + return; +} + # vim: ts=2 sw=2 noet ft=php ?> |