summaryrefslogtreecommitdiffstats
path: root/web/lib/aur.inc.php
AgeCommit message (Collapse)AuthorFilesLines
2012-09-20Remove unused chmod_group() functioncanyonknight1-28/+0
Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-09-18Migrate all DB code to use PDOcanyonknight1-101/+53
All DB code currently uses the quickly aging mysql_* functions. These functions are strongly discouraged and may eventually be deprecated. Transition all code to utilize the PDO data access abstraction layer. PDO allows for consistent query code across multiple databases. This could potentially allow for someone to use a database other than MySQL with minimal code changes. All functions and behaviors are reproduced as faithfully as possible with PDO equivalents and some changes in code. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-17aur.inc.php: Include routing backendLukas Fleischer1-0/+1
This needs to be available on every page since it is needed for get_uri() and get_pkg_uri() and "web/html/index.php" isn't executed if the virtual path feature is disabled. Reported-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-14Merge branch 'maint'Lukas Fleischer1-0/+10
Conflicts: web/html/account.php web/html/addvote.php web/html/pkgsubmit.php web/lib/acctfuncs.inc.php web/template/actions_form.php web/template/pkg_comment_form.php web/template/pkg_comments.php web/template/pkg_details.php web/template/pkg_search_results.php web/template/tu_details.php
2012-07-14aur.inc.php: Use delete_session_id() where appropriatecanyonknight1-3/+1
Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-06aur.inc.php: Remove old and unused make_seed functioncanyonknight1-7/+0
Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-06rss.php: Pull out DB codecanyonknight1-0/+19
* Move DB code in rss.php to new function in aur.inc.php * Centralization of DB code important in a future transition to PDO interface Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-06pkgsubmit.php: Pull out DB codecanyonknight1-0/+21
* Move DB code in pkgsubmit.php to new functions in aur.inc.php and pkgfuncs.inc.php * Centralization of DB code important in a future transition to PDO interface Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-06Move login form to a separate pageLukas Fleischer1-10/+0
Do not show the login form on every page. Move it to a separate login page and add a link to the navigation bar. Also, add a logout link for logged-in users. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> Signed-off-by: canyonknight <canyonknight@gmail.com>
2012-06-24Implement token system to fix CSRF vulnerabilitiescanyonknight1-0/+10
Specially crafted pages can force authenticated users to unknowingly perform actions on the AUR website despite being on an attacker's website. This cross-site request forgery (CSRF) vulnerability applies to all POST data on the AUR. Implement a token system using a double submit cookie. Have a hidden form value on every page containing POST forms. Use the newly added check_token() to verify the token sent via POST matches the "AURSID" cookie value. Random nature of the token limits potential for CSRF. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-03-24Unify function declaration styleLukas Fleischer1-16/+8
Always put the opening brace on the same line as the beginning of the function declaration. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-03-21valid_email :: check if domain part is realBlackEagle1-1/+12
this can be used as an intermediate 'patch' util there is a validation system in place. the extra check is to verify that the domain part of a correctly formatted email address is existing and in use. this will not at all stop spammers since they can use bogus emails with valid domain parts Lukas: Minor formatting changes. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-11-02Add a new AUR_LOCATION settingDan McGee1-0/+1
This should be set to something like 'http://localhost' for development or 'https://aur.archlinux.org' in production. It ensures all links in the site stay in the development site and there is no sudden jump from development to production environments. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-10-25Escape wildcards in "LIKE" patternsLukas Fleischer1-0/+5
Percent signs ("%") and underscores ("_") are not escaped by mysql_real_escape_string() and are interpreted as wildcards if combined with "LIKE". Write a wrapper function db_escape_like() and use it where appropriate. Note that we already fixed this for the RPC interface in commit da2ebb667b7a332ddd8d905bf9b9a8694765fed6 but missed the other places. This patch should fix all remaining flaws reported in FS#26527. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> Signed-off-by: Dan McGee <dan@archlinux.org>
2011-10-25Wrap mysql_real_escape_string() in a functionLukas Fleischer1-12/+18
Wrap mysql_real_escape_string() in a wrapper function db_escape_string() to ease porting to other databases, and as another step to pulling more of the database code into a central location. This is a rebased version of a patch by elij submitted about half a year ago. Thanks-to: elij <elij.mx@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> Conflicts: web/lib/aur.inc.php
2011-10-24Escape wildcards in "LIKE" patternsLukas Fleischer1-0/+5
Percent signs ("%") and underscores ("_") are not escaped by mysql_real_escape_string() and are interpreted as wildcards if combined with "LIKE". Write a wrapper function db_escape_like() and use it where appropriate. Note that we already fixed this for the RPC interface in commit da2ebb667b7a332ddd8d905bf9b9a8694765fed6 but missed the other places. This patch should fix all remaining flaws reported in FS#26527. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> Signed-off-by: Dan McGee <dan@archlinux.org>
2011-10-24Wrap mysql_real_escape_string() in a functionLukas Fleischer1-12/+17
Wrap mysql_real_escape_string() in a wrapper function db_escape_string() to ease porting to other databases, and as another step to pulling more of the database code into a central location. This is a rebased version of a patch by elij submitted about half a year ago. Thanks-to: elij <elij.mx@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-10-24Move SUPPORTED_LANGS out of config.inc.phpDan McGee1-56/+0
This has no real business being here, and is a pain to update when new languages are shipped. Move it and the set_lang() function to translator.inc.php instead so it doesn't overwhelm the user-configurable settings file with static stuff. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-12Use secure and httponly session cookiesLukas Fleischer1-2/+2
As discussed on the mailing list, enable "secure" and "httponly" for session cookies to prevent them from being transferred over insecure connections. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-11Add a configuration setting to disallow HTTP loginLukas Fleischer1-2/+5
If this is enabled, do not show the login form and display a note suggesting to switch to a secure connection if a user accesses the site via HTTP. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-11aur.inc.php: allow all functions using DB to take handle as argDan McGee1-25/+49
This prevents needless calls to db_connect() if we already have a reference to a handle we can pass into a function. Although the current underlying implementation using mysql_connect() will return the same connection if all parameters are the same, this might not be true if we switch to a more modern (e.g. PDO) interface. In the face of safe transactions, it is extremely important all actions are being taken over the same connection to the database. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-10Allow SQL_DEBUG to be undefinedDan McGee1-1/+1
We shouldn't require this as it is a new config parameter and it causes PHP warnings to be spewed everywhere. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-25Simplify session ID generationLukas Fleischer1-10/+1
There was too much voodoo going on in new_sid(). Just use uniqid() with a random seed and the optional entropy parameter to generate MD5 input. Use the remote IP address as a salt to reduce the chance of two clients getting the same ID if they login at exactly the same time. Thanks-to: Florian Pritz <bluewind@xinu.at> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-25Stricter email address validationLukas Fleischer1-1/+1
Use PHP's filter extension to validate mail addresses. The filter extension is enabled by default as of PHP 5.2.0. Thanks-to: Florian Pritz <bluewind@xinu.at> Thanks-to: Cédric Girard <girard.cedric@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-22Make cache type selectable based on config valueelij1-46/+1
Provie a mechanism to specify cache type from NONE, APC, or MEMCACHE based on a config variable. If MEMCACHE type is selected, a list of servers can be specified to provide multiserver support. Note that php-memcaced is required for MEMCACHE support. Lukas: Minor commenting style fixes. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-22rename *.inc files to *.inc.php and adjust imports and referenceselij1-0/+593
Lukas: Add note to "UPGRADING". Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>