path: root/web/html/account.php
Age  Commit message  (Author, files changed, lines removed/added)
2012-06-24  Implement token system to fix CSRF vulnerabilities  (canyonknight, 1 file, -5/+7)
Specially crafted pages can force authenticated users to unknowingly perform actions on the AUR website despite being on an attacker's website. This cross-site request forgery (CSRF) vulnerability applies to all POST data on the AUR.
Implement a token system using a double submit cookie. Have a hidden form value on every page containing POST forms. Use the newly added check_token() to verify the token sent via POST matches the "AURSID" cookie value. The random nature of the token limits potential for CSRF.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
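As an added example (not the AUR's own code, and not the check_token() that this commit introduces), here is the double-submit-cookie check the message describes, in PHP: the hidden field echoes the session cookie into every POST form, and the server accepts the request only when the POSTed token is non-empty and equal to the cookie. The function names, the form field name `token`, and the request arrays are assumptions made for the example; only the cookie name "AURSID" comes from the commit message.

```php
<?php
// Added example, not AUR code: a double-submit-cookie CSRF check of the kind
// described in the 2012-06-24 commit. Names below are hypothetical; only the
// "AURSID" cookie name is taken from the commit message.

/**
 * Render the hidden field carried by every POST form. In the double-submit
 * pattern the token is the session cookie itself: a same-origin page can read
 * it and echo it back, a cross-origin attacker page cannot.
 */
function example_token_field(array $cookies): string
{
    $token = isset($cookies['AURSID']) ? (string) $cookies['AURSID'] : '';
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '" />';
}

/**
 * Accept the POST only if a non-empty token was sent and it equals the
 * non-empty session cookie. hash_equals() compares in constant time so the
 * match position is not leaked through timing.
 */
function example_check_token(array $post, array $cookies): bool
{
    $sent   = isset($post['token'])     ? (string) $post['token']     : '';
    $cookie = isset($cookies['AURSID']) ? (string) $cookies['AURSID'] : '';
    if ($sent === '' || $cookie === '') {
        return false; // no session or no token: never accept a bare POST
    }
    return hash_equals($cookie, $sent);
}

// Constructed request data standing in for $_POST and $_COOKIE, so the
// example runs from the command line without a web server.
$cookies = ['AURSID' => bin2hex(random_bytes(16))];

echo example_token_field($cookies), "\n";

$cases = [
    // Same-origin form: the page read the cookie value into the hidden field.
    'legitimate submission' => ['token' => $cookies['AURSID']],
    // Cross-site forgery: the browser attaches the cookie, but the attacker's
    // page cannot read it, so the hidden field is either missing...
    'forged, no token'      => [],
    // ...or has to be guessed.
    'forged, guessed token' => ['token' => str_repeat('0', 32)],
];

foreach ($cases as $label => $post) {
    printf("%-23s %s\n", $label . ':',
        example_check_token($post, $cookies) ? 'accepted' : 'rejected');
}
```

Run it with `php` on the command line. Two caveats a reviewer would raise about this pattern: because the token is the session ID itself, the session ID is written into the HTML of every page that has a form, so any content leak (an XSS, a cached copy of the page) also leaks the session; and the check assumes that only the legitimate site can set a cookie for its domain, so an attacker who can set cookies on a parent domain from a subdomain could supply both halves of the pair.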
2011-10-25  Wrap mysql_real_escape_string() in a function  (Lukas Fleischer, 1 file, -1/+1)
Wrap mysql_real_escape_string() in a wrapper function db_escape_string() to ease porting to other databases, and as another step to pulling more of the database code into a central location.
This is a rebased version of a patch by elij submitted about half a year ago.
Thanks-to: elij <elij.mx@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Conflicts: web/lib/aur.inc.php
2011-06-22  rename *.inc files to *.inc.php and adjust imports and references  (elij, 1 file, -2/+2)
Lukas: Add note to "UPGRADING".
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-13  Remove "New Package Notify" option from user account settings.  (Lukas Fleischer, 1 file, -4/+4)
Do this in preparation for the upcoming notification script removal.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-04  Fix PHP notices in account pages  (Dan McGee, 1 file, -18/+20)
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2009-08-11  Use include_once where applicable  (Dan McGee, 1 file, -1/+1)
All of these are sourcing function libraries so we don't need to include them more than once. Things that insert actual HTML into the output were left calling include().
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Loui Chang <louipc.ist@gmail.com>
2009-01-19  Use new conglomerated translation files.  (Loui Chang, 1 file, -3/+1)
Signed-off-by: Loui Chang <louipc.ist@gmail.com>
2008-12-21  Introduce function include_lang for translations.  (Loui Chang, 1 file, -6/+7)
This includes only the requested language for each page and makes top level language include files obsolete.
Signed-off-by: Loui Chang <louipc.ist@gmail.com>
2008-06-17  Remove all vim mode lines. Add HACKING file.  (Loui Chang, 1 file, -1/+1)
Signed-off-by: Loui Chang <louipc.ist@gmail.com>
2008-03-23  Put login into its own function.  (Loui Chang, 1 file, -1/+1)
Utilise login form template. Also cleaned up a couple notices.
Signed-off-by: Loui Chang <louipc.ist@gmail.com>
Signed-off-by: Simo Leone <simo@archlinux.org>
2008-01-20  Support for verbose page titles  (Callan Barrett, 1 file, -1/+1)
Verbose page titles again
Adds support for more verbose page titles based on current page and action by user, and removes sort-by options from the search form as they're made obsolete by column links.
Signed-off-by: Callan Barrett <wizzomafizzo@gmail.com>
2007-10-02  Fixed version strings.  (tardo, 1 file, -1/+1)
Added AUR_VERSION to config file, so now we should only need to change one location. KISS ftw.
Signed-off-by: tardo <tardo@nagi-fanboi.net>
2007-09-24  More changes to page styles.  (eliott, 1 file, -0/+7)
2007-09-20  patch from eliott to convert all <? to <?php  (pjmattal, 1 file, -1/+1)
2007-09-20  - Applied a patch from Loui to fix session removal.  (swiergot, 1 file, -1/+1)
- Replaced all occurrences of mysql_escape_string() with mysql_real_escape_string().
2006-08-08  added dsa's header include patch  (pjmattal, 1 file, -0/+3)
2006-08-01  added dsa's "My Packages" patch  (pjmattal, 1 file, -0/+1)
2005-06-10  Added Simo's patch for #2579, adding user info page  (pjmattal, 1 file, -2/+21)
also modified it slightly so that we no longer look at AURMaintainerUID for maintainer
2005-04-23  Fix user existence checks; whacks bug#2585  (simo, 1 file, -2/+2)
2005-01-25  started working on package delete support  (eric, 1 file, -1/+1)
2004-09-10  continuing with pkgsubmit, added vim instructions to php files  (eric, 1 file, -1/+1)
2004-06-24  getting closer to printing package search results - also fixed some XHTML stuff  (eric, 1 file, -3/+3)
2004-06-23  account adding/editing is working  (eric, 1 file, -5/+57)
2004-06-22  pulled out account functions into separate include file  (eric, 1 file, -367/+29)
2004-06-21  working on the accounts stuff  (eric, 1 file, -3/+403)
2004-06-20  finished the login/logout/session stuff  (eric, 1 file, -4/+2)
2004-06-19  finished tweaking language selection  (eric, 1 file, -0/+18)