path: root/web/html
Age | Commit message | Author | Files | Lines

2012-11-29 | Fix account editing and hijacking vulnerability | canyonknight | 1 | -3/+8
  Checks are in place to avoid users getting account editing forms they shouldn't have access to. The appropriate checks before editing the account in the backend are not in place. This vulnerability allows a user to craft malicious POST data to edit other user accounts, thereby allowing account hijacking.
  Add a new flexible function can_edit_account() to determine if a user has appropriate permissions. Run the permission check before processing any account information in the backend.
  Signed-off-by: canyonknight <canyonknight@gmail.com>
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-11-24 | index.php: Move voter page token check to switch control structure | canyonknight | 1 | -6/+4
  The voter page token check takes place in the same way as other existing token checks. Move the check for consistency.
  Signed-off-by: canyonknight <canyonknight@gmail.com>
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-11-24 | login.php: Properly link to logout page when already logged in | canyonknight | 1 | -1/+1
  Signed-off-by: canyonknight <canyonknight@gmail.com>
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-11-04 | Avoid use of "$_SERVER['REQUEST_URI']" | Lukas Fleischer | 1 | -2/+2
  Use the routing library to build proper URIs instead of relying on the "REQUEST_URI" server variable, which can be manipulated and might return bogus URIs.
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-11-04 | pkgsubmit.php: Show a warning for split packages | Lukas Fleischer | 1 | -0/+4
  Display a special error message if the package is identified as a split package. Currently, the AUR displays a very vague error message when a split package is submitted ("Invalid name: only lowercase letters are allowed"). This often caused confusion among package submitters, see FS#22834 and FS#32450.
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-11-04 | Add missing internationalization to a few strings | Lukas Fleischer | 1 | -1/+1
  Fixes FS#32449.
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-10-30 | Return 404 for invalid account/package subpages | Lukas Fleischer | 1 | -8/+26
  Display an error page and return a 404 status code in the following cases:
  * An invalid package name is passed to the "packages" action.
  * An invalid user name is passed to the "account" action.
  * An invalid package action is passed.
  * An invalid account action is passed.
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-10-29 | pkgsubmit.php: Check that there is one directory in a tarball | canyonknight | 1 | -0/+4
  Users are able to upload tarballs without a directory. The directory count for a tarball is available, so use it to display an error when there is not a single directory. This patch has no effect on users who generate their uploaded tarballs using makepkg. All other users must include a directory in their tarball.
  Signed-off-by: canyonknight <canyonknight@gmail.com>
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-10-28 | home.php: Remove unneeded tables | Lukas Fleischer | 1 | -14/+2
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-10-28 | Implement word-wrap for package statistics | Lukas Fleischer | 1 | -0/+4
  Word-wrap labels in the package statistics box, just as we wrap package names in the "Recent Updates" box. Addresses FS#32160.
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-10-22 | Use HTTPS links everywhere for Arch sites | Dan McGee | 2 | -6/+6
  The main site, wiki, and BBS are using HTTPS exclusively, so link directly to the correct protocol rather than forcing a redirect.
  Signed-off-by: Dan McGee <dan@archlinux.org>
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-20 | home.php: Fix XHTML tag errors | canyonknight | 1 | -2/+3
  * Add missing <p> tag.
  * Move <h4> outside of a <p> tag.
  * Rename an id to avoid a conflict with an already existing id.
  Signed-off-by: canyonknight <canyonknight@gmail.com>
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-10-20 | Sync CSS with archweb | Lukas Fleischer | 1 | -11/+39
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-10-20 | Display an error page if a virtual path doesn't exist | Lukas Fleischer | 2 | -0/+18
  Give user feedback instead of bailing out with an empty HTTP response body.
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-10-11 | pkgsubmit.php: Fix package version not updating | canyonknight | 1 | -1/+1
  Parameters were not correct for a package update operation. Fix regression of 763cbf8373e3373254ad18f5b69fd16efdc6fd5c.
  Fixes FS#31868.
  Signed-off-by: canyonknight <canyonknight@gmail.com>
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-10-11 | Remove character limit on password length | canyonknight | 2 | -3/+3
  As all new passwords are hashed and therefore stored in the database at the same length, this limitation is no longer needed.
  Fixes FS#31855.
  Signed-off-by: canyonknight <canyonknight@gmail.com>
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-10-10 | tu.php: Fix page showing a user hasn't voted when they have | canyonknight | 1 | -2/+5
  An ended vote details page will report a user hasn't voted even when they have. This is a result of faulty logic that only checks if a user has voted if the vote is still running.
  Regression with commit c15441762c6f6ab4438eaf2854c0ee3146a98b30.
  Signed-off-by: canyonknight <canyonknight@gmail.com>
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-10-03 | pkgsubmit.php: Fix PHP notice for depends processing | canyonknight | 1 | -2/+2
  A foreach() is run without verifying an uploaded package has any depends. Fix the undefined index notice for packages uploaded with no depends.
  Similar to commit 857de725d1c87da005b4ab8e9a88222fd19aab4b.
  Signed-off-by: canyonknight <canyonknight@gmail.com>
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-09-28 | Move package merging to a separate page | canyonknight | 2 | -0/+50
  Package actions now have a separate box on the package details page. Add a package merge link in that box. The link leads to a new page (pkgmerge.php) that can be used to confirm package merging. A separate page with confirmation is used to avoid CSRFs.
  Signed-off-by: canyonknight <canyonknight@gmail.com>
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-09-28 | Move package deletion to a separate page | canyonknight | 2 | -0/+47
  Package actions now have a separate box on the package details page. Make a package deletion link in that box. The link leads to a new page (pkgdel.php) that can be used to confirm package deletion. A separate page with confirmation is used to avoid CSRFs.
  Signed-off-by: canyonknight <canyonknight@gmail.com>
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-09-24 | Avoid use of "<b>"/"</b>" | Lukas Fleischer | 3 | -10/+9
  * Use "<label>"/"</label>" for form labels.
  * Use "<strong>"/"</strong>" for important text.
  * Use "<h4>"/"</h4>" for headings.
  * Drop "<b>"/"</b>" everywhere else.
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-09-24 | Use echo shortcut syntax | Lukas Fleischer | 8 | -54/+54
  Replace all occurrences of "<?php echo" and "<?php print" by "<?=" to reduce noise in templates. Note that as of PHP 5.4.0, "<?=" is always available and no longer requires "short_open_tag" to be set.
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-09-21 | rss.php: Update links to reflect URL changes | canyonknight | 1 | -2/+2
  Signed-off-by: canyonknight <canyonknight@gmail.com>
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-09-19 | Sync search result statistics with archweb | Lukas Fleischer | 1 | -0/+4
  * Use archweb classes for search result statistics.
  * Add some space between page numbers.
  * Display current page number instead of current item range.
  * Hide page numbers if the result fits into a single page.
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-09-19 | Wrap long lines in the "Recent Updates" sidebar | Lukas Fleischer | 1 | -0/+4
  * Sync the sidebar layout with archweb; use the "pkg-name" class to wrap long package names.
  * Move the "New!" logo to a separate column to make sure it isn't wrapped to a new line on its own.
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-09-18 | Fix category selection | Lukas Fleischer | 1 | -1/+1
  Add a package ID parameter to pkg_change_category() instead of relying on the "ID" or "N" GET parameters.
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-09-18 | Do not set GET parameters in the routing framework | Lukas Fleischer | 2 | -13/+19
  Setting GET parameters manually is bad style and causes some strange side effects when using virtual URLs and mkurl().
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-09-18 | index.php: Fix undefined variable notice | Lukas Fleischer | 1 | -1/+4
  Spotted when browsing the package details page while being logged out.
  Reported-by: canyonknight <canyonknight@gmail.com>
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-09-18 | Overhaul ability to edit own account | canyonknight | 2 | -26/+11
  * Restructure account.php to remove redundant code.
  * Remove own_account_details().
  * Rework logic check to default to no access to account edit form.
  * Make default account action viewing account info.
  Signed-off-by: canyonknight <canyonknight@gmail.com>
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-09-18 | Use URL rewriting for user account update page | canyonknight | 1 | -0/+2
  The "UpdateAccount" page displays information as to whether an account update was successful. All POST account info goes to this page, so use it with sane URLs.
  Before: AUR_URL/account/?Action=UpdateAccount&U=userfoo
  After: AUR_URL/account/userfoo/update
  Signed-off-by: canyonknight <canyonknight@gmail.com>
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-09-18 | Use URL rewriting for user editing page | canyonknight | 1 | -1/+9
  Allows for easier account editing and saner URLs. Update account editing links to use the new URL.
  Before: AUR_URL/account/?Action=DisplayAccount&U=userfoo
  After: AUR_URL/account/userfoo/edit
  Signed-off-by: canyonknight <canyonknight@gmail.com>
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-09-18 | Use URL rewriting for user info page | canyonknight | 2 | -1/+7
  Navigation to the "AccountInfo" page should only require a user to know the username of the account they are looking for. Update all AUR links that use the user info page to reflect the new URL.
  Before: AUR_URL/account/?Action=AccountInfo&U=userfoo
  After: AUR_URL/account/userfoo
  Signed-off-by: canyonknight <canyonknight@gmail.com>
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-09-18 | Remove unused image "titlelogo.png" | canyonknight | 1 | -0/+0
  Signed-off-by: canyonknight <canyonknight@gmail.com>
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-09-18 | Use the "new" icon from archweb for the recent updates table | canyonknight | 3 | -2/+2
  Signed-off-by: canyonknight <canyonknight@gmail.com>
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-09-18 | logout.php: Fix PHP undefined variable notice | canyonknight | 1 | -1/+1
  Signed-off-by: canyonknight <canyonknight@gmail.com>
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-08-23 | Fix broken package search on front page | canyonknight | 1 | -1/+1
  Signed-off-by: canyonknight <canyonknight@gmail.com>
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-08-23 | Print error message when maximum DB character length is exceeded | canyonknight | 1 | -6/+29
  Packages can currently be submitted with variables longer than the maximum allowed by the DB for that specific field. The string will be shortened without informing the user. This can result in unexpected oddities on submitted packages. Print error messages informing the user when the package name, URL, description, license, or version is too long.
  Also move the resolution of the full package version (including epoch) to an earlier point in pkgsubmit.php.
  Signed-off-by: canyonknight <canyonknight@gmail.com>
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-08-23 | pkgsubmit.php: Make page friendlier for logged out users | canyonknight | 1 | -4/+4
  Logged out users who navigate to /submit currently reach a page with only an error message. This adds the full navigation bar for users who errantly reach /submit before logging in.
  Signed-off-by: canyonknight <canyonknight@gmail.com>
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-18 | Use virtual paths for voters page | Lukas Fleischer | 1 | -0/+6
  Link to "/packages/$pkgname/voters/" instead of using "/voters/" and a GET parameter to request a specific package by ID.
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-07-18 | voters.php: Use "<ul></ul>" for the list of voters | Lukas Fleischer | 1 | -5/+5
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-07-18 | voters.php: Do not re-include libraries | Lukas Fleischer | 1 | -2/+2
  Use include_once() instead of include(). Otherwise, a fatal error is shown if the virtual path feature is used, since "web/lib/aur.inc.php" is already included in the routing front end.
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-07-17 | routing.inc.php: rtrim() path in get_route() | Lukas Fleischer | 1 | -1/+1
  Return the correct route, even if a "/" is appended to the URI.
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-07-17 | aur.inc.php: Include routing backend | Lukas Fleischer | 1 | -2/+0
  This needs to be available on every page since it is needed for get_uri() and get_pkg_uri(), and "web/html/index.php" isn't executed if the virtual path feature is disabled.
  Reported-by: canyonknight <canyonknight@gmail.com>
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-07-17 | Add virtual path support for package actions | Lukas Fleischer | 1 | -1/+31
  This allows for using the following URLs:
  * /package/$pkg_name/flag: Flag a package out-of-date
  * /package/$pkg_name/unflag: Unflag a package
  * /package/$pkg_name/notify: Enable comment notifications
  * /package/$pkg_name/unnotify: Disable comment notifications
  * /package/$pkg_name/vote: Vote for the package
  * /package/$pkg_name/unvote: Remove vote
  Note that this code is very hackish and should be refactored once we drop support for legacy URLs.
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-07-15 | web/html/pkgsubmit.php: Remove stray "</div>" | Lukas Fleischer | 1 | -1/+1
  Regression introduced in f3ce74c714e3460bb3e3e786f626e397d3139062 when resolving conflicts.
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-07-15 | Use virtual paths for package details | Lukas Fleischer | 3 | -3/+11
  Extend the routing front/back ends to allow for using "/package/$pkgname/" for individual packages.
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-07-15 | Use virtual path feature for links | Lukas Fleischer | 8 | -16/+16
  Use virtual paths in links (e.g. link to "/packages/" instead of "/packages.php" etc.) if the virtual path feature is enabled.
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-07-15 | Add routing front/back ends | Lukas Fleischer | 2 | -120/+155
  This adds a URL mapping library that can be used to implement virtual paths. Also, "web/html/index.php" is moved to "web/html/home.php" and "web/html/index.php" becomes a routing front end that maps virtual paths to corresponding files.
  To enable the virtual path feature, all requests need to be redirected to the "index.php" routing script. If you use lighttpd, the following rewrite rule can be used:
    url.rewrite = ( "^(.*)$" => "/index.php/$1" )
  A similar rule can be used for Apache (using mod_rewrite). Note that the current routing front end only works if PATH_INFO is provided.
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-07-14 | Merge branch 'maint' | Lukas Fleischer | 5 | -43/+56
  Conflicts:
    web/html/account.php
    web/html/addvote.php
    web/html/pkgsubmit.php
    web/lib/acctfuncs.inc.php
    web/template/actions_form.php
    web/template/pkg_comment_form.php
    web/template/pkg_comments.php
    web/template/pkg_details.php
    web/template/pkg_search_results.php
    web/template/tu_details.php

2012-07-14 | pkgsubmit.php: Refactor source processing to fix PHP notice | canyonknight | 1 | -3/+3
  A foreach() being run without checking to see if the uploaded PKGBUILD had any sources now no longer causes an undefined index notice when there are no sources.
  Signed-off-by: canyonknight <canyonknight@gmail.com>
  Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>