summaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2012-02-19Fix some more XSS vulnerabilitiesLukas Fleischer3-3/+3
Escape strings properly using htmlspecialchars(). Seems like we missed these in former cleanups. Fixes FS#28515. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-12-17Set the title in the Trusted User pageAndrea Scarpino1-1/+4
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-11-03RPC: Do not return an error on 0 resultsLukas Fleischer1-1/+1
Return an empty array and set the result count to zero instead. Before: $ curl 'http://localhost/rpc.php?type=search&arg=raboof' {"type":"error","resultcount":0,"results":"No results found"} After: $ curl 'http://localhost/rpc.php?type=search&arg=raboof' {"type":"search","resultcount":0,"results":[]} Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-11-02aurjson: add result count to JSON resultDave Reisner1-5/+6
We already ask for the result count, but only use it as a basis for testing query success or failure. Add the value to the JSON reply. Signed-off-by: Dave Reisner <dreisner@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-11-02web/README: Update instructionsAlexander Rødseth1-12/+14
Signed-off-by: Alexander Rødseth <rodseth@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-11-02Add a new AUR_LOCATION settingDan McGee7-6/+14
This should be set to something like 'http://localhost' for development or 'https://aur.archlinux.org' in production. It ensures all links in the site stay in the development site and there is no sudden jump from development to production environments. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-10-25Merge branch 'maint'Lukas Fleischer0-0/+0
2011-10-25Escape wildcards in "LIKE" patternsLukas Fleischer4-13/+15
Percent signs ("%") and underscores ("_") are not escaped by mysql_real_escape_string() and are interpreted as wildcards if combined with "LIKE". Write a wrapper function db_escape_like() and use it where appropriate. Note that we already fixed this for the RPC interface in commit da2ebb667b7a332ddd8d905bf9b9a8694765fed6 but missed the other places. This patch should fix all remaining flaws reported in FS#26527. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> Signed-off-by: Dan McGee <dan@archlinux.org>
2011-10-25Wrap mysql_real_escape_string() in a functionLukas Fleischer12-61/+67
Wrap mysql_real_escape_string() in a wrapper function db_escape_string() to ease porting to other databases, and as another step to pulling more of the database code into a central location. This is a rebased version of a patch by elij submitted about half a year ago. Thanks-to: elij <elij.mx@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> Conflicts: web/lib/aur.inc.php
2011-10-24Escape wildcards in "LIKE" patternsLukas Fleischer4-13/+15
Percent signs ("%") and underscores ("_") are not escaped by mysql_real_escape_string() and are interpreted as wildcards if combined with "LIKE". Write a wrapper function db_escape_like() and use it where appropriate. Note that we already fixed this for the RPC interface in commit da2ebb667b7a332ddd8d905bf9b9a8694765fed6 but missed the other places. This patch should fix all remaining flaws reported in FS#26527. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> Signed-off-by: Dan McGee <dan@archlinux.org>
2011-10-24Wrap mysql_real_escape_string() in a functionLukas Fleischer12-61/+66
Wrap mysql_real_escape_string() in a wrapper function db_escape_string() to ease porting to other databases, and as another step to pulling more of the database code into a central location. This is a rebased version of a patch by elij submitted about half a year ago. Thanks-to: elij <elij.mx@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-10-24send emails when delteing packagesFlorian Pritz1-0/+38
Signed-off-by: Florian Pritz <bluewind@xinu.at> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-10-24Show last voted date on account details pageDan McGee2-3/+11
We already show it in the account listing page as well, so we should show it here too. Also use a standard date format; we weren't using this non-punctuated format anywhere else. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-10-24Add LastLogin column to Users tableDan McGee3-1/+12
Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-10-24Require DB handle for most user account functionsDan McGee2-26/+15
This affects login the most, where we save about 4 calls to db_connect() by passing a single handle into functions where necessary. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-10-24Remove a boatload of inline table stylesDan McGee8-40/+35
Replacing with CSS styles where appropriate. A previously unused CSS style is tweaked in the stylesheet to match most of what was done via non-CSS styling. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-10-24Remove explicit utf8 declarations in table creationDan McGee1-2/+2
The create database statement sets the default character set of the database to UTF-8, so no need to do it down below. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-10-24aurblup: update for pacman 4 revised libalpm APIDan McGee1-20/+23
Notable changes include the necessary handle object and the splitting of provides and replaces into alpm_depend_t objects. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-10-24aurblup: remove use of alpm_list_getdata()Dan McGee1-7/+7
This is not strictly necessry as listitem->data is public. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-10-24aurblup: style cleanupsDan McGee1-11/+16
Always use two lines for if statements, use a character constant rather than the 0 integer when NULL-terminating a string, and remove the unnecessary NULL check before free(value)- free(NULL) is a no-op and always safe. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-10-24aurblup: remove ';' from queriesDan McGee1-5/+5
The semicolons are not necessary when performing queries via the MySQL API, so remove them. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-10-24Move SUPPORTED_LANGS out of config.inc.phpDan McGee3-84/+84
This has no real business being here, and is a pain to update when new languages are shipped. Move it and the set_lang() function to translator.inc.php instead so it doesn't overwhelm the user-configurable settings file with static stuff. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-09-23RPC: Coerce numeric values into integersLukas Fleischer1-0/+12
Coerce following fields into integers to ensure json_encode() serializes them as integers: * ID * CategoryID * NumVotes * OutOfDate * FirstSubmitted * LastModified This means that there will be a minor API break. There's no better way to do this properly, though. Fixes FS#25693. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-09-23RPC: Provide out-of-date timestampLukas Fleischer1-3/+2
Convert the "OutOfDate" field to provide a timestamp instead of a boolean flag in JSON results. We don't really care about backward compatibility here, as most AUR helpers would break anyway when trying to parse RPC responses after the data type overhaul that should come with one of the following patches. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-09-05Merge branch 'maint'Lukas Fleischer3-11/+28
2011-09-05Update message catalogLukas Fleischer1-5/+10
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-09-05web/template/login_form.php: Escape the request URILukas Fleischer1-1/+1
Reported-by: Thomas Bächler <thomas@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-09-05web/html/pkgsubmit.php: Deal with unset category IDLukas Fleischer1-3/+15
Do not move the package to the incoming package directory and fail to create proper database entries if some AUR upload helper doesn't provide a category. We got several failing constraints here, such as: Cannot add or update a child row: a foreign key constraint fails (`AUR`.`Packages`, CONSTRAINT `Packages_ibfk_1` FOREIGN KEY (`CategoryID`) REFERENCES `PackageCategories` (`ID`) ON DELETE NO ACTION) Instead, default to "1" (which is "none", or "keep category" for existing packages) if no category is supplied. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-09-05Link to current page in the login bar HTTPs linkLukas Fleischer1-2/+2
This is way more convenient if you follow a HTTP link. Implements FS#25757. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-22Merge branch 'maint'Lukas Fleischer3-6/+6
2011-08-22Provide more examples on the RPC info pageLukas Fleischer1-2/+9
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-22RPC: Fix info queries when using package IDsLukas Fleischer1-1/+1
Info queries using package IDs were no longer working due to commit c6d84b3a8df10c522d79c754d4f73cb2a352586f, which introduced a table join in process_query(), thus making the "ID" column ambiguous. Fix this by explicitly specifying the table to use. Fixes FS#25696. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-22Add missing __() to category info in package detailsLukas Fleischer1-3/+3
This makes the "Category" label as well as "Change category" button on the package details page translatable. Fixes FS#25692. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-22UPGRADING: Fix rewrite rulesLukas Fleischer1-2/+2
Do not attempt to rewrite "/packages/fo/foo/foo.tar.gz". Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-20web/lib/translator.inc.php: Use vsprintf() in __()Lukas Fleischer1-14/+5
Remove hacky substitution code from __() and use vsprintf() instead which will deal with all sorts of format strings properly. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-20Use "%s" instead of "%h" in format stringsLukas Fleischer4-10/+10
Use the standard string type specifier instead of "%h" in format strings. Both specifiers are treated equally in __() so we shouldn't break anything here. This also allows us to replace the hacky substitution algorithm in __() by vsprintf(). Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-20Release 1.9.0Lukas Fleischer1-1/+1
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-20Replace "el_GR" translation by "el"Lukas Fleischer4-838/+874
We discussed this on aur-dev. We shouldn't specify a territory unless translations are specific to a variant of the Greek language. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-20Add Portuguese (Brazilian) translationLukas Fleischer3-0/+861
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-20Translation updates from TransifexLukas Fleischer8-578/+610
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-19UPGRADING: Add note on aurblup config changesLukas Fleischer1-0/+2
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-19aurblup: Update config.h.protoDan McGee1-3/+10
* Switch to x86_64 architecture by default * Add more repositories (including multilib) * Update default configuration path to include .php file extension Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-13Rebuild message catalog and translationsLukas Fleischer23-483/+614
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-13Add Finnish and Dutch translationsLukas Fleischer4-0/+1701
Thanks-to: Jesse Jaara <jesse.jaara@gmail.com> Thanks-to: Jelle van der Waa <jelle@vdwaa.nl> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-13Translation updates from TransifexLukas Fleischer20-4957/+1371
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-13po/POTFILES: Fix library file pathsLukas Fleischer1-3/+3
Regression introduced in 888db089c515270fd5cd9a9bedd217110f43bc4c. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-13po/Makefile: Fix version file pathLukas Fleischer1-1/+1
We broke this in 888db089c515270fd5cd9a9bedd217110f43bc4c when adding the ".php" extension to all inclusion files. Seems like we forgot to do this in the Makefile. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-12Use secure and httponly session cookiesLukas Fleischer3-4/+4
As discussed on the mailing list, enable "secure" and "httponly" for session cookies to prevent them from being transferred over insecure connections. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-11Add a configuration setting to disallow HTTP loginLukas Fleischer3-3/+17
If this is enabled, do not show the login form and display a note suggesting to switch to a secure connection if a user accesses the site via HTTP. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-11UPGRADING: Add note on backward compatible package URLsLukas Fleischer1-0/+17
Thanks-to: Dave Reisner <d@falconindy.com> Thanks-to: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>