summaryrefslogtreecommitdiffstats
path: root/web/html/pkgsubmit.php
AgeCommit message (Collapse)AuthorFilesLines
2014-08-06Add PCRE_DOLLAR_ENDONLY to preg_match()Lukas Fleischer1-2/+2
When using preg_match() to check for a match that starts at the beginning of the string and ends at the last character of the string, we do not want to allow an additional newline character to sneak in. Amongst other potential loopholes, adding the PCRE_DOLLAR_ENDONLY modifier prevents users from registering with user names that end with a newline character. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-07-23Drop support for source packages without .AURINFOLukas Fleischer1-26/+4
Disallow uploading source tarballs that do not contain .AURINFO. Also, drop the PKGBUILD parser which is no longer needed. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-05-06Check permissions when uploading source packagesLukas Fleischer1-0/+6
All files contained in the source tarball must have permissions of 644 or 755. All directories must have permissions of 755. Implements FS#27754. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-05-06pkgsubmit.php: Style fixesLukas Fleischer1-8/+4
Move some elseif statements to the same line as the closing brace. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-05-03Fix parsing of array overridesLukas Fleischer1-1/+1
If a depends (makedepends, checkdepends, optdepends, conflicts, provides, replaces, license, groups, source) line appears in a package section, it replaces the corresponding array from the pkgbase section. If there is a single "depends = " line in the package section, the depends array of that package is considered empty. This partly reverts the behavior introduced in commit 137a9ae (Fix parsing of array overrides, 2014-05-03). Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-04-26pkgsubmit.php: Redirect to package base detailsLukas Fleischer1-1/+1
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-04-26Support multiple licenses per packageLukas Fleischer1-6/+14
Split out package licenses into two separate tables in order to support multiple licenses per package. The code on the package details page is adjusted accordingly. UPGRADING contains instructions on how to convert existing licenses in the database to the new layout. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-04-26Store package groups in the databaseLukas Fleischer1-1/+8
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-04-26Store conflicts, provides and replaces in the DBLukas Fleischer1-2/+16
Package conflicts, provides and replaces are now stored in the new PackageRelations table. The gendummydata script generates test entries for these relations. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-04-19Handle pkgbase array overrides gracefullyLukas Fleischer1-2/+2
Instead of overwriting arrays, such as depends, from the pkgbase section, new entries should be appended. Replace array_merge() with a mixture of array_merge_recursive() and array_replace_recursive() that merges array fields and replaces non-array fields. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-04-17Store {make,check,opt}depends in the databaseLukas Fleischer1-14/+22
In addition to parsing and storing dependencies of packages, store makedepends, checkdepends and optdepends. Every dependency (of any type) is displayed on the package details page. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-04-05Prefix package functions with pkg_/pkgbase_Lukas Fleischer1-10/+10
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-04-05Use snake case for all package functionsLukas Fleischer1-2/+2
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-04-05Only parse PKGBUILD when requiredLukas Fleischer1-2/+2
Instead of always parsing the PKGBUILD, only invoke the parser when there is no meta data (.AURINFO) available. This speeds up the general case (packages including meta data). Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-04-05Factor out PKGBUILD parsingLukas Fleischer1-141/+1
This is legacy code. Move it to a separate source file in order to clean up the submission code. The code will be removed altogether in an upcoming release. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-04-05Do not allow for overwriting arbitrary packagesLukas Fleischer1-21/+23
A package should only be overwritten if it already belongs to the package base that is trying to overwrite it. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-04-05Add full support for the new .AURINFO formatLukas Fleischer1-116/+153
This adds full support for the new .AURINFO format used by mkaurball, including support for split packages. The old PKGBUILD parser is still available for compatibility reasons. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-04-05Add provisional support for package basesLukas Fleischer1-13/+14
This adds a PackageBases table to the database schema and moves the following fields from the Packages table to PackageBases: * CategoryID * NumVotes * OutOfDateTS * SubmittedTS * ModifiedTS * SubmitterUID * MaintainerUID It also fixes all database accesses to comply with the new layout. Having a separate PackageBases table is the first step to split package support. By now, we create one PackageBases entry per package (where the package base has the same name as the corresponding package). When adding full support for split packages later, the package base name will be derived from the pkgbase variable and a single package base will be shared amongst all packages built from one source package. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-01-17pkgsubmit.php: Improve visibility of errorsLukas Fleischer1-4/+4
Make use of the "errorlist" class instead of "pkgoutput" which is no longer defined in the CSS. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-01-17Add a warning for packages without .AURINFOLukas Fleischer1-0/+7
Display a deprecation warning when a package without meta data is submitted. The user can still decide to ignore that warning by resubmitting the package but doing so is not recommended. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-01-17Promote the use of mkaurballLukas Fleischer1-1/+1
mkaurball automatically adds .AURINFO meta data when building, so tell people to use that instead of `makepkg --source`. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-01-17Detect split packages from .AURINFOLukas Fleischer1-0/+6
There is an extension to the .AURINFO format that supports split packages. Since there is no support for split packages in the AUR so far, add a check to identify these cases. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-01-17Strip whitespace from .AURINFO linesLukas Fleischer1-0/+1
Indentation can be useful if one wants to structure an .AURINFO file. Remove leading and trailing whitespace from each line before parsing. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-01-17Rename "depend" field to "depends" in .AURINFOLukas Fleischer1-1/+1
This field has been renamed in a revision of the .AURINFO format. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-01-11Fix split package error handlingLukas Fleischer1-6/+7
Do not remove parentheses from the pkgname to make sure the split package detection works properly. Also, fix a regression introduced in 4bb6e88 (pkgsubmit.php: Simplify package name validation, 2013-03-05) that resulted in the split package error message never showing up. Fixes FS#37496. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-03-09pkgsubmit.php: Parse .AURINFO metadataLukas Fleischer1-4/+33
This allows for adding a metadata file called ".AURINFO" to source tarballs to overwrite specific PKGBUILD fields. .AURINFO files are parsed line by line. The syntax for each line is "key = value", where key is any of the following field names: * pkgname * pkgver * pkgdesc * url * license * depend Multiple "depend" lines can be specified to add multiple dependencies. This format closely matches the .PKGINFO format that is used for binary packages in pacman/libalpm. It can be extended by field name prefixes or sections to support split packages later. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-03-05pkgsubmit.php: Move URL protocol check downLukas Fleischer1-14/+12
Move all PKGBUILD field validations to a central location. Also, change $pkgbuild[] to $new_pkgbuild[] in order to parse evaluated PKGBUILD fields instead of raw ones. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-03-05pkgsubmit.php: Simplify package name validationLukas Fleischer1-12/+6
Remove redundant filters -- single quotes are already removed in $pkgbuild_new and we do not pass the package name to a shell (additionally, the regular expression already checks for potentially evil characters). Also, move the $pkg_name extraction up to fix the split package check. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-02-10Remove unneeded database connection callscanyonknight1-1/+0
Since all database related functions will establish a connection when needed, there is no need to pre-emptively try and establish a database connection. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-02-10Remove unnecessary database connection parameter from all functionscanyonknight1-11/+11
All functions now have a database connection method that will use the same database connection. This imitates the functionality of passing a database connection as an argument and makes it redundant. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-02-10Add database wrapper class and new connection methodcanyonknight1-1/+1
Uses the Singleton pattern to ensure all queries use the same database connection that is released upon script completion. All database connections should now be called with DB::connect() and not db_connect(). Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-04pkgsubmit.php: Show a warning for split packagesLukas Fleischer1-0/+4
Display a special error message if the package is identified as split package. Currently, the AUR displays a very vague error message when a split package is submitted ("Invalid name: only lowercase letters are allowed"). This often caused confusion among package submitters, see FS#22834 and FS#32450. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-29pkgsubmit.php: Check that there is one directory in a tarballcanyonknight1-0/+4
Users are able to upload tarballs without a directory. The directory count for a tarball is available, so use it to display an error when there is not a single directory. This patch has no effect on users who generate their uploaded tarballs using makepkg. All other users must include a directory in their tarball. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-11pkgsubmit.php: Fix package version not updatingcanyonknight1-1/+1
Parameters were not correct for a package update operation. Fix regression of 763cbf8373e3373254ad18f5b69fd16efdc6fd5c Fixes FS#31868 Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-03pkgsubmit.php: Fix PHP notice for depends processingcanyonknight1-2/+2
A foreach() is run without verifying an uploaded package has any depends. Fix the undefined index notice for packages uploaded with no depends. Similar to commit 857de725d1c87da005b4ab8e9a88222fd19aab4b. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-09-24Avoid use of "<b>"/"</b>"Lukas Fleischer1-1/+1
* Use "<label>"/"</label>" for form labels. * Use "<strong>"/"</strong>" for important text. * Use "<h4>"/"</h4>" for headings. * Drop "<b>"/"</b>" everywhere else. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-09-24Use echo shortcut syntaxLukas Fleischer1-9/+9
Replace all occurrences of "<?php echo" and "<?php print" by "<?=" to reduce noise in templates. Note that as of PHP 5.4.0, "<?=" is always available and no longer requires "short_open_tag" to be set. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-08-23Print error message when maximum DB character length is exceededcanyonknight1-6/+29
Packages can currently be submitted with variables longer than the maximum allowed by the DB for that specific field. The string will be shortened without informing the user. This can result in unexpected oddities on submitted packages. Print error messages informing the user when the package name, URL, description, license, or version is too long. Also move the resolution of full package version (including epoch) to an earlier point in pkgsubmit.php Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-08-23pkgsubmit.php: Make page friendlier for logged out userscanyonknight1-4/+4
Logged out users who navigate to /submit currently reach a page with only an error message. This adds the full navigation bar for users who errantly reach /submit before logging in. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-15web/html/pkgsubmit.php: Remove stray "</div>"Lukas Fleischer1-1/+1
Regression introduced in f3ce74c714e3460bb3e3e786f626e397d3139062 when resolving conflicts. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-15Use virtual paths for package detailsLukas Fleischer1-1/+1
Extend the routing front/back ends to allow for using "/package/$pkgname/" for individual packages. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-15Use virtual path feature for linksLukas Fleischer1-2/+2
Use virtual paths in links (e.g. link to "/packages/" instead of "/packages.php" etc.) if the virtual path feature is enabled. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-14Merge branch 'maint'Lukas Fleischer1-0/+6
Conflicts: web/html/account.php web/html/addvote.php web/html/pkgsubmit.php web/lib/acctfuncs.inc.php web/template/actions_form.php web/template/pkg_comment_form.php web/template/pkg_comments.php web/template/pkg_details.php web/template/pkg_search_results.php web/template/tu_details.php
2012-07-14pkgsubmit.php: Refactor source processing to fix PHP noticecanyonknight1-3/+3
A foreach() being run without checking to see if the uploaded PKGBUILD had any sources now no longer causes an undefined index notice when there are no sources. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-11pkgsubmit.php: Remove stray "</div>" tagcanyonknight1-1/+0
Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-06pkgsubmit.php: Improve file upload error messagescanyonknight1-2/+17
* Currently, $_FILES showing a filesize of zero is interpreted as no file was uploaded, despite other errors potentially being the cause. * The $_FILES superglobal stores what the actual error was, so use it. This includes file write problems, empty uploads, partial uploads, and upload_max_filesize being exceeded. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-06pkgsubmit.php: Pull out DB codecanyonknight1-48/+11
* Move DB code in pkgsubmit.php to new functions in aur.inc.php and pkgfuncs.inc.php * Centralization of DB code important in a future transition to PDO interface Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-06Refactor package submission formLukas Fleischer1-28/+24
* Adjust style to match the overall layout. * Use proper HTML tags and double quotes. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> Signed-off-by: canyonknight <canyonknight@gmail.com>
2012-07-06Remove all traces of "pgboxtitle"Lukas Fleischer1-3/+1
Using a div container to format heading is ridiculous. Use "<h2></h2>" instead. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> Signed-off-by: canyonknight <canyonknight@gmail.com>
2012-06-24Implement token system to fix CSRF vulnerabilitiescanyonknight1-3/+11
Specially crafted pages can force authenticated users to unknowingly perform actions on the AUR website despite being on an attacker's website. This cross-site request forgery (CSRF) vulnerability applies to all POST data on the AUR. Implement a token system using a double submit cookie. Have a hidden form value on every page containing POST forms. Use the newly added check_token() to verify the token sent via POST matches the "AURSID" cookie value. Random nature of the token limits potential for CSRF. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>