Age | Commit message (Collapse) | Author | Files | Lines |
|
Specially crafted pages can force authenticated users to unknowingly perform
actions on the AUR website despite being on an attacker's website. This
cross-site request forgery (CSRF) vulnerability applies to all POST data on
the AUR.
Implement a token system using a double submit cookie. Have a hidden form
value on every page containing POST forms. Use the newly added check_token() to
verify the token sent via POST matches the "AURSID" cookie value. Random
nature of the token limits potential for CSRF.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Wrap mysql_real_escape_string() in a wrapper function db_escape_string()
to ease porting to other databases, and as another step to pulling more
of the database code into a central location.
This is a rebased version of a patch by elij submitted about half a year
ago.
Thanks-to: elij <elij.mx@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Conflicts:
web/lib/aur.inc.php
|
|
Lukas: Add note to "UPGRADING".
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Do this in preparation for the upcoming notification script removal.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
All of these are sourcing function libraries so we don't need to include
them more than once. Things that insert actual HTML into the output were
left calling include().
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Loui Chang <louipc.ist@gmail.com>
|
|
Signed-off-by: Loui Chang <louipc.ist@gmail.com>
|
|
This includes only the requested language for each page and
makes top level language include files obsolete.
Signed-off-by: Loui Chang <louipc.ist@gmail.com>
|
|
Signed-off-by: Loui Chang <louipc.ist@gmail.com>
|
|
Utilise login form template.
Also cleaned up a couple notices.
Signed-off-by: Loui Chang <louipc.ist@gmail.com>
Signed-off-by: Simo Leone <simo@archlinux.org>
|
|
Verbose page titles again
Adds support for more verbose page titles based on current
page and action by user and removes sort by options from
search form as they're obsolete by column links.
Signed-off-by: Callan Barrett <wizzomafizzo@gmail.com>
|
|
Added AUR_VERSION to config file, so now we should only need to
change one location. KISS ftw.
Signed-off-by: tardo <tardo@nagi-fanboi.net>
|
|
|
|
|
|
- Replaced all occurences of mysql_escape_string()
with mysql_real_escape_string().
|
|
|
|
|
|
also modified it slightly so that we no longer look at AURMaintainerUID for maintainer
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|