summaryrefslogtreecommitdiffstats
path: root/web/html/pkgsubmit.php
AgeCommit message (Collapse)AuthorFilesLines
2013-03-05pkgsubmit.php: Simplify package name validationLukas Fleischer1-12/+6
Remove redundant filters -- single quotes are already removed in $pkgbuild_new and we do not pass the package name to a shell (additionally, the regular expression already checks for potentially evil characters). Also, move the $pkg_name extraction up to fix the split package check. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-02-10Remove unneeded database connection callscanyonknight1-1/+0
Since all database related functions will establish a connection when needed, there is no need to pre-emptively try and establish a database connection. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-02-10Remove unnecessary database connection parameter from all functionscanyonknight1-11/+11
All functions now have a database connection method that will use the same database connection. This imitates the functionality of passing a database connection as an argument and makes it redundant. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-02-10Add database wrapper class and new connection methodcanyonknight1-1/+1
Uses the Singleton pattern to ensure all queries use the same database connection that is released upon script completion. All database connections should now be called with DB::connect() and not db_connect(). Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-04pkgsubmit.php: Show a warning for split packagesLukas Fleischer1-0/+4
Display a special error message if the package is identified as split package. Currently, the AUR displays a very vague error message when a split package is submitted ("Invalid name: only lowercase letters are allowed"). This often caused confusion among package submitters, see FS#22834 and FS#32450. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-29pkgsubmit.php: Check that there is one directory in a tarballcanyonknight1-0/+4
Users are able to upload tarballs without a directory. The directory count for a tarball is available, so use it to display an error when there is not a single directory. This patch has no effect on users who generate their uploaded tarballs using makepkg. All other users must include a directory in their tarball. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-11pkgsubmit.php: Fix package version not updatingcanyonknight1-1/+1
Parameters were not correct for a package update operation. Fix regression of 763cbf8373e3373254ad18f5b69fd16efdc6fd5c Fixes FS#31868 Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-03pkgsubmit.php: Fix PHP notice for depends processingcanyonknight1-2/+2
A foreach() is run without verifying an uploaded package has any depends. Fix the undefined index notice for packages uploaded with no depends. Similar to commit 857de725d1c87da005b4ab8e9a88222fd19aab4b. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-09-24Avoid use of "<b>"/"</b>"Lukas Fleischer1-1/+1
* Use "<label>"/"</label>" for form labels. * Use "<strong>"/"</strong>" for important text. * Use "<h4>"/"</h4>" for headings. * Drop "<b>"/"</b>" everywhere else. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-09-24Use echo shortcut syntaxLukas Fleischer1-9/+9
Replace all occurrences of "<?php echo" and "<?php print" by "<?=" to reduce noise in templates. Note that as of PHP 5.4.0, "<?=" is always available and no longer requires "short_open_tag" to be set. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-08-23Print error message when maximum DB character length is exceededcanyonknight1-6/+29
Packages can currently be submitted with variables longer than the maximum allowed by the DB for that specific field. The string will be shortened without informing the user. This can result in unexpected oddities on submitted packages. Print error messages informing the user when the package name, URL, description, license, or version is too long. Also move the resolution of full package version (including epoch) to an earlier point in pkgsubmit.php Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-08-23pkgsubmit.php: Make page friendlier for logged out userscanyonknight1-4/+4
Logged out users who navigate to /submit currently reach a page with only an error message. This adds the full navigation bar for users who errantly reach /submit before logging in. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-15web/html/pkgsubmit.php: Remove stray "</div>"Lukas Fleischer1-1/+1
Regression introduced in f3ce74c714e3460bb3e3e786f626e397d3139062 when resolving conflicts. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-15Use virtual paths for package detailsLukas Fleischer1-1/+1
Extend the routing front/back ends to allow for using "/package/$pkgname/" for individual packages. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-15Use virtual path feature for linksLukas Fleischer1-2/+2
Use virtual paths in links (e.g. link to "/packages/" instead of "/packages.php" etc.) if the virtual path feature is enabled. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-14Merge branch 'maint'Lukas Fleischer1-0/+6
Conflicts: web/html/account.php web/html/addvote.php web/html/pkgsubmit.php web/lib/acctfuncs.inc.php web/template/actions_form.php web/template/pkg_comment_form.php web/template/pkg_comments.php web/template/pkg_details.php web/template/pkg_search_results.php web/template/tu_details.php
2012-07-14pkgsubmit.php: Refactor source processing to fix PHP noticecanyonknight1-3/+3
A foreach() being run without checking to see if the uploaded PKGBUILD had any sources now no longer causes an undefined index notice when there are no sources. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-11pkgsubmit.php: Remove stray "</div>" tagcanyonknight1-1/+0
Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-06pkgsubmit.php: Improve file upload error messagescanyonknight1-2/+17
* Currently, $_FILES showing a filesize of zero is interpreted as no file was uploaded, despite other errors potentially being the cause. * The $_FILES superglobal stores what the actual error was, so use it. This includes file write problems, empty uploads, partial uploads, and upload_max_filesize being exceeded. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-06pkgsubmit.php: Pull out DB codecanyonknight1-48/+11
* Move DB code in pkgsubmit.php to new functions in aur.inc.php and pkgfuncs.inc.php * Centralization of DB code important in a future transition to PDO interface Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-06Refactor package submission formLukas Fleischer1-28/+24
* Adjust style to match the overall layout. * Use proper HTML tags and double quotes. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> Signed-off-by: canyonknight <canyonknight@gmail.com>
2012-07-06Remove all traces of "pgboxtitle"Lukas Fleischer1-3/+1
Using a div container to format heading is ridiculous. Use "<h2></h2>" instead. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> Signed-off-by: canyonknight <canyonknight@gmail.com>
2012-06-24Implement token system to fix CSRF vulnerabilitiescanyonknight1-3/+11
Specially crafted pages can force authenticated users to unknowingly perform actions on the AUR website despite being on an attacker's website. This cross-site request forgery (CSRF) vulnerability applies to all POST data on the AUR. Implement a token system using a double submit cookie. Have a hidden form value on every page containing POST forms. Use the newly added check_token() to verify the token sent via POST matches the "AURSID" cookie value. Random nature of the token limits potential for CSRF. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-03-19web/html/pkgsubmit.php: Revamp tarball validationLukas Fleischer1-12/+14
* Reorder checks. * Use simple string functions instead of regular expressions. * Check for type flags before validating paths. The latter ensures we don't treat tarball keywords/flags as directories. This avoids problems with bsdtar inserting PaxHeader attributes into the archive which look something like the following to Archive_Tar: PaxHeader/xcursor-protozoa xcursor-protozoa/ xcursor-protozoa/PaxHeader/PKGBUILD xcursor-protozoa/PKGBUILD This only occurs on certain filesystems (e.g. jfs), but the tarball is by no means invalid. When extracted, it will only contain the PKGBUILD within a single subdirectory. Addresses FS#28802. Thanks-to: Dave Reisner <dreisner@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-10-25Wrap mysql_real_escape_string() in a functionLukas Fleischer1-14/+14
Wrap mysql_real_escape_string() in a wrapper function db_escape_string() to ease porting to other databases, and as another step to pulling more of the database code into a central location. This is a rebased version of a patch by elij submitted about half a year ago. Thanks-to: elij <elij.mx@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> Conflicts: web/lib/aur.inc.php
2011-10-24Wrap mysql_real_escape_string() in a functionLukas Fleischer1-14/+14
Wrap mysql_real_escape_string() in a wrapper function db_escape_string() to ease porting to other databases, and as another step to pulling more of the database code into a central location. This is a rebased version of a patch by elij submitted about half a year ago. Thanks-to: elij <elij.mx@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-10-24Remove a boatload of inline table stylesDan McGee1-1/+1
Replacing with CSS styles where appropriate. A previously unused CSS style is tweaked in the stylesheet to match most of what was done via non-CSS styling. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-09-05Merge branch 'maint'Lukas Fleischer1-3/+15
2011-09-05web/html/pkgsubmit.php: Deal with unset category IDLukas Fleischer1-3/+15
Do not move the package to the incoming package directory and fail to create proper database entries if some AUR upload helper doesn't provide a category. We got several failing constraints here, such as: Cannot add or update a child row: a foreign key constraint fails (`AUR`.`Packages`, CONSTRAINT `Packages_ibfk_1` FOREIGN KEY (`CategoryID`) REFERENCES `PackageCategories` (`ID`) ON DELETE NO ACTION) Instead, default to "1" (which is "none", or "keep category" for existing packages) if no category is supplied. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-20Use "%s" instead of "%h" in format stringsLukas Fleischer1-1/+1
Use the standard string type specifier instead of "%h" in format strings. Both specifiers are treated equally in __() so we shouldn't break anything here. This also allows us to replace the hacky substitution algorithm in __() by vsprintf(). Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-11Make package creation and update atomicDan McGee1-1/+5
Add BEGIN and COMMIT statements where it makes sense to do so. This allows the entire package creation or update process to be atomic and not be seen until it is complete. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-11Rename package_exists() to pkgid_from_name()Lukas Fleischer1-2/+2
Describe what this function actually does: Return the ID of a package with a given name and return NULL if such a package doesn't exist. The function name is chosen in a fashion similar to other functions from "pkgfuncs.inc.php" (pkgname_from_id(), pkgnotify_from_sid(), ...). Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-10Segment the upload directory by package name prefixDan McGee1-3/+4
This implements the following scheme: * /packages/cower/ --> /packages/co/cower/ * /packages/j/ --> /packages/j/j/ * /packages/zqy/ --> /packages/zq/zqy/ We take up to the first two characters of each package name as a intermediate subdirectory, and then the full package name lives underneath that. Shorter named packages live in a single letter directory. Why, you ask? Well because earlier today the AUR hit 32,000 entries in the unsupported/ directory, making new package uploads impossible. While some might argue we shouldn't have so many damn packages in the repos, we should be able to handle this case. Why two characters instead of one? Our two biggest two-char groups, 'pe' and 'py', both start with 'p', and have nearly 2000 packages each. Go Python and Perl. Still needed is a "move the existing data" script, as well as a set of rewrite rules for those wishing to preserve backward compatible URLs for any helper programs doing the wrong thing and relying on them. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-07-29Fix empty depends database insertLukas Fleischer1-11/+16
Do not try to insert a falsey value into the database in case of "depends=()". Signed-off-by: Manuel <manutortosa@chakra-project.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-28Replace split() invocations with explode()Lukas Fleischer1-1/+1
Do not use split(), which has been deprecated as of PHP 5.3.0. As we don't even require regular expressions here, just use explode() instead. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-25Honor epoch field in PKGBUILD files.Slavi Pantaleev1-6/+10
The epoch field in PKGBUILD files was completely ignored until now, and the final Version field for a package consisted only of pkgver and pkgrel (example: 5.0-1) This means that rpc.php reported the version incorrectly for packages having epoch > 0. One case where this was a problem is that it confused AUR helpers wanting to examine all locally installed packages (with epoch > 0) and search the AUR for an updated version. The epoch field is taken into consideration now, and if not 0, will be prepended to the final Version field (example: 1:5.0-1) Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-22rename *.inc files to *.inc.php and adjust imports and referenceselij1-3/+3
Lukas: Add note to "UPGRADING". Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-27SQL: treat all UID/ID values as numbers, not stringsDan McGee1-1/+1
Ensure we are not quoting these values in any of our SQL queries. Thanks-to: elij <elij.mx@gmail.com> Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-24pkgsubmit.php: Ensure the session is linked to a valid user.Lukas Fleischer1-3/+8
Prevent race conditions that may occur when either the session or the user is deleted before we extract the actual user identifier. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-24pkgsubmit.php: Remove redundant uid_from_sid() invocations.Lukas Fleischer1-3/+1
uid_from_sid() is called once at the very beginning of the script, storing the actual user identifier in "$uid". No need to fire up another query. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-05Remove File_Find PEAR module from code base.Lukas Fleischer1-1/+0
We removed the code depending on this a long time ago - drop it and add some note to "UPGRADING". Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-03Remove Dummy Package conceptDan McGee1-13/+4
Instead, we just store dependencies directly in the PackageDepends table. Since we don't use this info anywhere besides the package details page, there is little value in precalculating what is in the AUR vs. what is not. An upgrade path is provided via several SQL statements in the UPGRADING document. There should be no user-visible change from this, but the DB schema gets a bit more sane and we no longer have loads of junk packages in our tables that are never shown to the end user. This should also help the MySQL query planner in several cases as we no longer have to be careful to exclude dummy packages on every query. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-03Always set ModifiedTS including new packagesDan McGee1-1/+1
Set it equal to the SubmittedTS field, which will be our indication the package is new when we show the logo on the front page of the AUR. This results in the ability to remove the use of the unindexable GREATEST() function from the AUR code everywhere we had to use it before to handle the 0 timestamp case. Note that there is no race condition here in calling UNIX_TIMESTAMP() twice- it always returns the time at the beginning of statment execution: mysql> select unix_timestamp(), sleep(2), unix_timestamp(); +------------------+----------+------------------+ | unix_timestamp() | sleep(2) | unix_timestamp() | +------------------+----------+------------------+ | 1300851746 | 0 | 1300851746 | +------------------+----------+------------------+ 1 row in set (2.00 sec) Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-03Submission process code refactorDan McGee1-61/+35
We had a ton of duplicate code shared between the insert and update cases. Do a refactor so we can pull this stuff out below the if/else block and only need it there once, saving some headaches. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-30Be more restrictive with source tarball contents.Lukas Fleischer1-2/+13
Reject tarballs containing more than one directory or files outside a directory. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-30Fix PHP notice when submitting an empty file.Lukas Fleischer1-1/+1
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-30Fix strict standards warnings in "web/html/pkgsubmit.php".Lukas Fleischer1-2/+2
end() expects a reference but we pass a function return value here. Using list() is a bit hacky as well as it expects a 0-based array whereas unpack() returns a 1-based array - thus we use "list(, $foo)". Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-30Check if submitted files are in GZIP format.Lukas Fleischer1-2/+16
This is quite hacky but this way we can ensure users get comprehensible error messages when trying to upload ".tar.xz" or ".tar.bz2" files. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-02-27Define "Packages.SubmitterUID" and "Packages.MaintainerUID" as "NULL".Lukas Fleischer1-1/+1
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-02-25Reject blacklisted packages on initial submission only.Lukas Fleischer1-9/+9
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>