summaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2011-08-12Use secure and httponly session cookiesLukas Fleischer3-4/+4
As discussed on the mailing list, enable "secure" and "httponly" for session cookies to prevent them from being transferred over insecure connections. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-11Add a configuration setting to disallow HTTP loginLukas Fleischer3-3/+17
If this is enabled, do not show the login form and display a note suggesting to switch to a secure connection if a user accesses the site via HTTP. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-11UPGRADING: Add note on backward compatible package URLsLukas Fleischer1-0/+17
Thanks-to: Dave Reisner <d@falconindy.com> Thanks-to: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-11UPGRADING: Mention the upload directory transform scriptLukas Fleischer1-0/+3
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-11Remove unnecessary atype and uid lookup from package_details()Dan McGee2-3/+2
These were never used in the function. Where they are used is in the pkg_details.php template, so move them closer to their actual usage so as not to confuse poor programmers such as myself. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-11Use 'true' instead of 'True' everywhereDan McGee2-9/+9
Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-11Make package creation and update atomicDan McGee1-1/+5
Add BEGIN and COMMIT statements where it makes sense to do so. This allows the entire package creation or update process to be atomic and not be seen until it is complete. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-11pkgfuncs.inc.php: allow all DB funcs to take handle argDan McGee1-61/+102
Allows handle reuse if one is available. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-11aur.inc.php: allow all functions using DB to take handle as argDan McGee1-25/+49
This prevents needless calls to db_connect() if we already have a reference to a handle we can pass into a function. Although the current underlying implementation using mysql_connect() will return the same connection if all parameters are the same, this might not be true if we switch to a more modern (e.g. PDO) interface. In the face of safe transactions, it is extremely important all actions are being taken over the same connection to the database. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-11Allow for merging deleted packages into existing onesLukas Fleischer3-2/+18
Merge all comments and votes of deleted packages into another package if the "Merge with" field is used. Duplicate votes (votes from a user who already voted on the target package or voted on more than one of the deleted packages) are discarded. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-11Add "mergepkgid" argument to pkg_delete()Lukas Fleischer1-1/+30
This allows for merging comments and votes of deleted packages into another one which is useful if a package needs to be renamed. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> Signed-off-by: Dan McGee <dan@archlinux.org>
2011-08-11Rename package_exists() to pkgid_from_name()Lukas Fleischer3-4/+4
Describe what this function actually does: Return the ID of a package with a given name and return NULL if such a package doesn't exist. The function name is chosen in a fashion similar to other functions from "pkgfuncs.inc.php" (pkgname_from_id(), pkgnotify_from_sid(), ...). Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-10Add a upload directory transform scriptDan McGee1-0/+58
This goes with the previous patch that moves uploads into segmented subdirectories. To actually run, follow the DRYRUN instructions. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-10Segment the upload directory by package name prefixDan McGee4-13/+21
This implements the following scheme: * /packages/cower/ --> /packages/co/cower/ * /packages/j/ --> /packages/j/j/ * /packages/zqy/ --> /packages/zq/zqy/ We take up to the first two characters of each package name as a intermediate subdirectory, and then the full package name lives underneath that. Shorter named packages live in a single letter directory. Why, you ask? Well because earlier today the AUR hit 32,000 entries in the unsupported/ directory, making new package uploads impossible. While some might argue we shouldn't have so many damn packages in the repos, we should be able to handle this case. Why two characters instead of one? Our two biggest two-char groups, 'pe' and 'py', both start with 'p', and have nearly 2000 packages each. Go Python and Perl. Still needed is a "move the existing data" script, as well as a set of rewrite rules for those wishing to preserve backward compatible URLs for any helper programs doing the wrong thing and relying on them. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-10Allow SQL_DEBUG to be undefinedDan McGee1-1/+1
We shouldn't require this as it is a new config parameter and it causes PHP warnings to be spewed everywhere. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-10scripts/cleanup: use native PHP onlyDan McGee1-9/+11
No need to shell out to the system here. Also fix the script so it actually works. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-07-29Fix empty depends database insertLukas Fleischer1-11/+16
Do not try to insert a falsey value into the database in case of "depends=()". Signed-off-by: Manuel <manutortosa@chakra-project.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-28Replace split() invocations with explode()Lukas Fleischer1-1/+1
Do not use split(), which has been deprecated as of PHP 5.3.0. As we don't even require regular expressions here, just use explode() instead. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-28aurblup: use implicit make rules and adjust CFLAGSDan McGee2-5/+1
We don't need to add rules for implicit .c -> .o conversions. Also add -O2 to the CFLAGS as gcc doesn't print many warnings unless at least some level of optimization is used. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-28aurblup: mark all functions and global variables staticDan McGee1-23/+23
These don't need visibility outside of this compilation unit. This also allows a C compiler to inline and optimize as it sees fit. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-28aurblup: blacklist processing query changesDan McGee2-21/+5
* Do all list building and freeing outside of the transaction to keep it as short as possible. * Remove ability to blacklist without transactions as we now only support InnoDB/transactional engines with proper relations. * No need to turn autocommit off; BEGIN TRANSACTION operates regardless of this setting. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-25Simplify session ID generationLukas Fleischer1-10/+1
There was too much voodoo going on in new_sid(). Just use uniqid() with a random seed and the optional entropy parameter to generate MD5 input. Use the remote IP address as a salt to reduce the chance of two clients getting the same ID if they login at exactly the same time. Thanks-to: Florian Pritz <bluewind@xinu.at> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-25Stricter email address validationLukas Fleischer1-1/+1
Use PHP's filter extension to validate mail addresses. The filter extension is enabled by default as of PHP 5.2.0. Thanks-to: Florian Pritz <bluewind@xinu.at> Thanks-to: Cédric Girard <girard.cedric@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-25Honor epoch field in PKGBUILD files.Slavi Pantaleev1-6/+10
The epoch field in PKGBUILD files was completely ignored until now, and the final Version field for a package consisted only of pkgver and pkgrel (example: 5.0-1) This means that rpc.php reported the version incorrectly for packages having epoch > 0. One case where this was a problem is that it confused AUR helpers wanting to examine all locally installed packages (with epoch > 0) and search the AUR for an updated version. The epoch field is taken into consideration now, and if not 0, will be prepended to the final Version field (example: 1:5.0-1) Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-25fix incompatibility with php short open tagsFlorian Pritz2-5/+1
Signed-off-by: Florian Pritz <bluewind@xinu.at> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-25README: fix pacman callFlorian Pritz1-1/+1
Signed-off-by: Florian Pritz <bluewind@xinu.at> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-25Use sane ORDER BY clauses in package list queriesDan McGee1-4/+4
We were doing some silly things here with an "ORDER BY Name, CategoryID" clause, due to the fact that Name is unique, and thus any additional ordering after Name will have no effect. Of course, the dumb as a box of rocks MySQL query optimizer doesn't realize this, leading to full table scans every time of ~30000 packages instead of using index scans for the ordering and only retrieving the first 50 rows. The biggest change is noted in the default sort order as it cuts down the columns to one, but we can remove the redundant sort from other orderings as well, even though those will still not be able to use an index-driven query plan. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-25Fix performance issues with new PackageDepends lookupsDan McGee2-4/+7
We do a lookup by DepName in the package details view, but I made the silly mistake of forgetting this index addition in the upgrade steps. Lukas: Fix numbering in "UPGRADING". Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-22Do not redirect on single search resultsLukas Fleischer1-29/+22
The use of header() to redirect after previous output was a design flaw. Our only luck here was PHP's "output_buffering" config variable defaulting to 4096, which kind of hid the bug for a long time. Fixes FS#24580. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-22Make cache type selectable based on config valueelij3-46/+92
Provie a mechanism to specify cache type from NONE, APC, or MEMCACHE based on a config variable. If MEMCACHE type is selected, a list of servers can be specified to provide multiserver support. Note that php-memcaced is required for MEMCACHE support. Lukas: Minor commenting style fixes. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-22rename *.inc files to *.inc.php and adjust imports and referenceselij24-34/+37
Lukas: Add note to "UPGRADING". Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-22make rss.php use the apc cache instead of a cache fileelij1-5/+13
utilize the apc cache functionality in aur.inc to cache the rss feed output. the cache will cache on a per-protocol basis (http/https) so that urls are appropriate regardless of which url people hit. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-22refactor apc code and move to aur.incelij2-55/+66
- move apc cache code to aur.inc (centralize) - refactor the apc usage in stats.inc to utilize new code in aur.inc Lukas: Small commenting style and spelling changes. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-05-29Cleanup RPC usage output a bitLukas Fleischer1-15/+11
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-05-29Properly encode ampersands in the RPC usage outputLukas Fleischer1-2/+2
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-05-29fix two issues (php notice level) with html/rss.phpelij1-1/+3
- Undefined index: HTTPS in rss.php on line 8 - Undefined property: RSSCreator20::$cssStyleSheet in feedcreator.class.php on line 591 Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-05-29restructure the html/rpc.php endpointelij1-28/+33
- move request_method test to the top, and catch other request types (HEAD, PUT, etc) - change how html output is handled. instead of building a string, just output the html - set appropriate response header for incorrect request_method. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-05-17add first submitted and last modified to rpc outputkachelaqa1-1/+2
after reading the discussion about the submitter field, i looked again at my previous patch and realized that it was not very good at all. hopefully this simplified version will be more acceptable. the justification for this patch is that many third-party tools will want to know how new a package is, or when it last changed. adding the submitted and modified timestamps will allow users to get all the relevant package data in a single query. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-05-17add support for etag and conditional get (if-none-match)elij1-1/+29
Add etag and if-none-match conditional get support. This will allow 'smart client' to save network bandwidth, as they can save the etag hash value for queries and test it later. Still an http request because this patch specifically sets a cache lifetime of zero, and must-revalidate. The benefit here is bandwidth savings. Caching based on expires headers would likely be counter productive, as the api data can change rather quickly...but etag is a nice compromise, and could be quite beneficial for bandwidth recution in some scenarios. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-05-17fix case where user does not existelij1-0/+3
the query was being performed when $id was not set, resulting in an invalid sql query being performed. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-05-17test return value from db_query before assuming it is validelij7-68/+135
make the sql query form consistent in usage by cleaning up instances where db_query's result was not inspected before attempting to fetch row data from the handle Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-05-09Added label tags for login form fields.Karlis Lauva1-5/+6
Lukas: Use tabs for indentation instead of spaces. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-27UPGRADING: Add note on merging config file changes.Lukas Fleischer1-0/+2
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-27add SQL_DEBUG variable and database loggingelij2-0/+16
add a hook to db_query to log all sql queries when SQL_DEBUG is set Additionally, provide better logging for sql error situations (provide backtrace as well as error message). Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-27create variable before referencing it with .=elij1-0/+1
fixes php notice level error: Undefined variable: whovoted in ../tu.php Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-27stats: capitalize FROM in all SQL queriesDan McGee1-6/+6
Matches our normal code conventions. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-27SQL: treat all UID/ID values as numbers, not stringsDan McGee4-15/+15
Ensure we are not quoting these values in any of our SQL queries. Thanks-to: elij <elij.mx@gmail.com> Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-27SQL: use standard LIMIT/OFFSET syntaxDan McGee4-4/+4
Increases compatibility with standard SQL dialect. Thanks-to: elij <elij.mx@gmail.com> Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-24pkgsubmit.php: Ensure the session is linked to a valid user.Lukas Fleischer1-3/+8
Prevent race conditions that may occur when either the session or the user is deleted before we extract the actual user identifier. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-24pkgsubmit.php: Remove redundant uid_from_sid() invocations.Lukas Fleischer1-3/+1
uid_from_sid() is called once at the very beginning of the script, storing the actual user identifier in "$uid". No need to fire up another query. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>