path: root/web/lib/aurjson.class.php

Age | Commit message | Author | Files | Lines

2016-03-01 | aurjson: Remove stray GROUP BY clause | Lukas Fleischer | 1 | -1/+0
The IDs of packages are unique, so there is no need to group search results by package ID. Note that the GROUP BY statement in question was introduced in commit 3447dfc (Support versioned RPC queries, 2014-04-28) for no apparent reason and could even lead to errors in various DBMS.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2016-02-09 | aurjson: Add package base keywords | Lukas Fleischer | 1 | -2/+16
Expose package base keywords through the RPC interface (version 5).
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-12-13 | aurjson: Do not search by ID when argument is numeric | Lukas Fleischer | 1 | -2/+2
When performing info or multiinfo queries, one can currently either pass package names or package IDs as parameters. As a consequence, it is impossible to search for packages with a numeric package name because numeric arguments are always treated as IDs. Since package IDs are not public anymore these days, simply remove the possibility to search by ID in revision 5 of the RPC interface.
Fixes FS#47324.
Suggested-by: Dave Reisner <dreisner@archlinux.org>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-10-24 | aurjson: Allow underscores in JSONP callback names | Lukas Fleischer | 1 | -1/+1
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-10-09 | aurjson: Rename the search_by parameter to "by" | Lukas Fleischer | 1 | -5/+9
This parameter is only supported by the search command. We do not need to repeat ourselves.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-10-04 | aurjson: Merge info and multiinfo commands | Lukas Fleischer | 1 | -2/+5
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-10-04 | aurjson: Add "maintainer" search type | Lukas Fleischer | 1 | -21/+22
Deprecate the msearch command and add a new search type to the search command.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-10-03 | Fix parameter processing in parse_multiinfo_args() | Lukas Fleischer | 1 | -3/+2
Fixes a regression introduced in 94aeead (aurjson: Pass http_data array to all functions, 2015-06-28).
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-09-26 | aurjson.class.php: Sync error message with front-end | Lukas Fleischer | 1 | -1/+1
Instead of introducing a new message "You do not have the right to edit this comment." for the RPC interface, use "You are not allowed to edit this comment." which we already show in the front-end.
Reported-by: Christoph Seitz <seitz.christoph@gmail.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-09-25 | aurjson.class.php: Fix "Undefined index" notices | Lukas Fleischer | 1 | -4/+8
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-09-12 | Mitigate JSONP callback vulnerabilities | Lukas Fleischer | 1 | -2/+6
The callback parameter of the RPC interface currently allows for specifying a prefix of arbitrary length of the returned result. This can be exploited by certain attacks. As a countermeasure, this patch restricts the allowed character set for the callback name to letters, digits, underscores, parentheses and dots. It also limits the length of the name to 128 characters. Furthermore, the reflected callback name is now always prepended with "/**/", which is a common workaround to protect against attacks such as Rosetta Flash.
Fixes FS#46259.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
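The callback restrictions described in the commit message above, as an added Python example (not the project's PHP code): a whitelist for the permitted character set, the 128-character cap, and the "/**/" prefix on the reflected name. The error-object shape returned for a rejected callback is this example's own assumption.

```python
import json
import re

# Rules taken from the commit message: letters, digits, underscores,
# parentheses and dots only, and at most 128 characters. The regex is
# this example's reading of those rules, not the project's own code.
CALLBACK_RE = re.compile(r"^[A-Za-z0-9_.()]{1,128}$")


def valid_callback(name):
    """Return True if the callback name passes the whitelist and length cap."""
    return bool(CALLBACK_RE.fullmatch(name))


def render_rpc_response(payload, callback=None):
    """Serialise an RPC reply, wrapping it in a JSONP call when a callback is given.

    Returns (content_type, body). A rejected callback name is never reflected;
    instead a plain-JSON error object (shape assumed here) is returned.
    """
    body = json.dumps(payload, separators=(",", ":"))
    if callback is None:
        return "application/json", body
    if not valid_callback(callback):
        err = {"version": 5, "type": "error", "resultcount": 0,
               "results": [], "error": "Invalid callback name."}
        return "application/json", json.dumps(err, separators=(",", ":"))
    # The leading comment block means the first bytes of the response are
    # fixed by the server, which is what defeats Rosetta-Flash style abuse
    # of a reflected callback name.
    return "text/javascript", "/**/" + callback + "(" + body + ")"
```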
2015-08-11 | rpc: msearch: Give orphans on empty maintainer argument | Johannes Löthberg | 1 | -2/+6
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-08-08 | aurjson.class.php: Add missing PHPDoc | Lukas Fleischer | 1 | -0/+17
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-08-08 | aurjson.class.php: Add method get_comment_form() | Marcel Korpel | 1 | -1/+48
This method will be used by the JavaScript comment editing and produces a form containing the comment.
Signed-off-by: Marcel Korpel <marcel.korpel@gmail.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-08-08 | Expose name-only search through the RPC interface | Johannes Löthberg | 1 | -2/+17
Fixes FS#37317.
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-08-08 | aurjson: Pass http_data array to all functions | Johannes Löthberg | 1 | -15/+23
This is a preparatory patch that simplifies adding more arguments to the parse functions.
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
Signed-off-by: Marcel Korpel <marcel.korpel@gmail.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-08-08 | Delete unused variable | Johannes Löthberg | 1 | -1/+0
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-07-04 | RPC: Add decimal_fields array for floating-point fields | Johannes Löthberg | 1 | -0/+7
Fixes FS#45537.
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-06-27 | Add the popularity field to the RPC interface | Lukas Fleischer | 1 | -1/+13
Implements FS#45422.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-06-14 | Replace categories with keywords | Lukas Fleischer | 1 | -4/+7
Remove package base categories. Instead, users can now specify up to twenty custom keywords that are taken into consideration when searching.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-06-11 | Reintroduce the URLPath field | Lukas Fleischer | 1 | -1/+1
In commit 74edb6f (Use Git repositories to store packages, 2014-06-06), the URLPath field was dropped from RPC package results. Reintroduce the field for backwards compatibility, even though it is no longer recommended to use snapshot tarballs.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2015-06-09 | aurjson.class.php: Exclude hidden package bases | Lukas Fleischer | 1 | -6/+13
Do not return packages belonging to hidden package bases in RPC results.
Fixes FS#45271.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>

2014-12-27 | Use Git repositories to store packages | Lukas Fleischer | 1 | -1/+0
* Remove package submission page from the web interface.
* Replace PKGBUILD and tarball links with links to cgit.
* Remove the "URLPath" field from RPC replies.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2014-10-24 | Use an INI-style configuration file | Lukas Fleischer | 1 | -7/+6
Replace web/lib/config.inc.php with an INI-style configuration file. This allows us to get rid of several globals and makes it easier to use the same configuration file in external scripts.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2014-07-23 | Add typeahead suggest to the merge request form | Lukas Fleischer | 1 | -2/+26
Add the typeahead implementation we already use for the package search to the merge target text field. Instead of suggesting packages, suggest package base names.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2014-06-25 | Make results consistent in RPC replies | Lukas Fleischer | 1 | -13/+28
Add RPC v3 which always returns a list of objects in RPC responses, regardless of the request type. An empty list is returned when an error occurs. The error message is moved to a separate "error" field.
Fixes FS#40963.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2014-05-31 | aurjson: Add a PackageBaseID field | Lukas Fleischer | 1 | -2/+4
This is useful to tools that automatically generate requests to orphan, delete or merge packages.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2014-05-18 | aurjson: Fix multiinfo when using package IDs | Lukas Fleischer | 1 | -1/+1
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2014-04-28 | Use RPC API version 1 by default | Lukas Fleischer | 1 | -1/+1
Most AUR helpers don't support the new format yet. Use version 1 of the API by default. In order to use the new format, "v=2" can be appended to the list of GET parameters.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2014-04-28 | Support versioned RPC queries | Lukas Fleischer | 1 | -17/+45
This adds a backwards compatibility mode for the old RPC API. The old format can be requested by explicitly adding "v=1" to the list of GET parameters. Note that due to internal changes, the old format only returns the first license that belongs to a package.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2014-04-28 | aurjson.class.php: Style fixes | Lukas Fleischer | 1 | -347/+349
* Fix braces, indentation and comment style.
* Remove some superfluous comments.
* Reword some comments.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2014-04-28 | Add a version tag to RPC replies | Lukas Fleischer | 1 | -1/+6
This is needed for clients to quickly differentiate between different versions of the RPC API. The version number should be bumped whenever there is a change that breaks backwards compatibility.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2014-04-28 | Add more fields to RPC info replies | Lukas Fleischer | 1 | -0/+53
This patch adds the following fields to info and multiinfo replies:
* Depends
* MakeDepends
* CheckDepends
* OptDepends
* Conflicts
* Provides
* Replaces
* Groups
* License
Each of these fields is an array. Note that since collecting all these fields is CPU-intensive, they are not included in replies to search queries.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2014-04-27 | Fix the RPC interface | Lukas Fleischer | 1 | -10/+12
* Fix the SQL query to conform to the new database layout.
* Remove the license field from replies. The license field is now stored in a separate table and no longer returned on search queries.
* Add a "PackageBase" field that contains the name of the package base of every package in the result.
* Fix the source tarball URL. The URL is now built based on the package base name instead of the package name.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2013-09-02 | Specify charset in Content-Type header when returning JSON data from API. | Chris Down | 1 | -0/+1
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2013-02-10 | Add database wrapper class and new connection method | canyonknight | 1 | -1/+1
Uses the Singleton pattern to ensure all queries use the same database connection that is released upon script completion. All database connections should now be called with DB::connect() and not db_connect().
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2013-01-19 | Implemented typeahead suggest | Marcel Korpel | 1 | -1/+21
Use Twitter Bootstrap JavaScript framework for typeahead support. Add a new "suggest" JSON method, which returns the first 20 packages that match the beginning characters of a query.
canyonknight: Link format change, commit message
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-10-22 | aurjson.class.php: Limit number of RPC results | canyonknight | 1 | -5/+17
With no limit to the number of results, memory_limit set to 32M can easily be exceeded for searches that have a large number of results. This results in an HTTP error 500 for those queries. Limit results to an amount set within config.inc.php to avoid exceeding memory_limit. Introduce new JSON error code for when the result limit is hit.
Fixes FS#31849.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2012-09-18 | Migrate all DB code to use PDO | canyonknight | 1 | -14/+12
All DB code currently uses the quickly aging mysql_* functions. These functions are strongly discouraged and may eventually be deprecated. Transition all code to utilize the PDO data access abstraction layer. PDO allows for consistent query code across multiple databases. This could potentially allow for someone to use a database other than MySQL with minimal code changes. All functions and behaviors are reproduced as faithfully as possible with PDO equivalents and some changes in code.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-11-03 | RPC: Do not return an error on 0 results | Lukas Fleischer | 1 | -1/+1
Return an empty array and set the result count to zero instead.
Before:
    $ curl 'http://localhost/rpc.php?type=search&arg=raboof'
    {"type":"error","resultcount":0,"results":"No results found"}
After:
    $ curl 'http://localhost/rpc.php?type=search&arg=raboof'
    {"type":"search","resultcount":0,"results":[]}
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-11-02 | aurjson: add result count to JSON result | Dave Reisner | 1 | -5/+6
We already ask for the result count, but only use it as a basis for testing query success or failure. Add the value to the JSON reply.
Signed-off-by: Dave Reisner <dreisner@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-10-24 | Escape wildcards in "LIKE" patterns | Lukas Fleischer | 1 | -2/+1
Percent signs ("%") and underscores ("_") are not escaped by mysql_real_escape_string() and are interpreted as wildcards if combined with "LIKE". Write a wrapper function db_escape_like() and use it where appropriate. Note that we already fixed this for the RPC interface in commit da2ebb667b7a332ddd8d905bf9b9a8694765fed6 but missed the other places. This patch should fix all remaining flaws reported in FS#26527.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Signed-off-by: Dan McGee <dan@archlinux.org>
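The wildcard escaping this commit describes, as an added example in Python against an in-memory SQLite table (not the project's db_escape_like() or its MySQL schema): unescaped, a user-supplied "%" or "_" widens the LIKE match; escaped with a declared ESCAPE character, it matches literally. The table and rows are constructed for the example.

```python
import sqlite3

# Constructed sample rows, not the AUR database.
SAMPLE_PACKAGES = ["foo", "foo_bar", "foo-bar", "100%", "100percent"]


def escape_like(term, esc="\\"):
    """Escape LIKE metacharacters so the term is matched literally.

    The escape character itself is doubled first, then "%" and "_" are
    prefixed with it. The query must declare the same ESCAPE character.
    This mirrors the intent of db_escape_like() from the commit message;
    it is an added example, not the project's function.
    """
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_names(term, escape=True):
    """Return package names containing the search term, sorted by name."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Packages (Name TEXT)")
    conn.executemany("INSERT INTO Packages VALUES (?)",
                     [(n,) for n in SAMPLE_PACKAGES])
    if escape:
        # Fixed form: the term is escaped and the ESCAPE character declared.
        pattern = "%" + escape_like(term) + "%"
        rows = conn.execute(
            "SELECT Name FROM Packages WHERE Name LIKE ? ESCAPE '\\' "
            "ORDER BY Name", (pattern,)).fetchall()
    else:
        # Flawed form from before the fix: "%" and "_" in the user input
        # are interpreted as wildcards even though the value is bound.
        rows = conn.execute(
            "SELECT Name FROM Packages WHERE Name LIKE ? ORDER BY Name",
            ("%" + term + "%",)).fetchall()
    conn.close()
    return [r[0] for r in rows]
```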
2011-10-24 | Wrap mysql_real_escape_string() in a function | Lukas Fleischer | 1 | -4/+4
Wrap mysql_real_escape_string() in a wrapper function db_escape_string() to ease porting to other databases, and as another step to pulling more of the database code into a central location. This is a rebased version of a patch by elij submitted about half a year ago.
Thanks-to: elij <elij.mx@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-09-23 | RPC: Coerce numeric values into integers | Lukas Fleischer | 1 | -0/+12
Coerce following fields into integers to ensure json_encode() serializes them as integers:
* ID
* CategoryID
* NumVotes
* OutOfDate
* FirstSubmitted
* LastModified
This means that there will be a minor API break. There's no better way to do this properly, though.
Fixes FS#25693.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-09-23 | RPC: Provide out-of-date timestamp | Lukas Fleischer | 1 | -3/+2
Convert the "OutOfDate" field to provide a timestamp instead of a boolean flag in JSON results. We don't really care about backward compatibility here, as most AUR helpers would break anyway when trying to parse RPC responses after the data type overhaul that should come with one of the following patches.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-08-22 | RPC: Fix info queries when using package IDs | Lukas Fleischer | 1 | -1/+1
Info queries using package IDs were no longer working due to commit c6d84b3a8df10c522d79c754d4f73cb2a352586f, which introduced a table join in process_query(), thus making the "ID" column ambiguous. Fix this by explicitly specifying the table to use.
Fixes FS#25696.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-08-10 | Segment the upload directory by package name prefix | Dan McGee | 1 | -1/+1
This implements the following scheme:
* /packages/cower/ --> /packages/co/cower/
* /packages/j/ --> /packages/j/j/
* /packages/zqy/ --> /packages/zq/zqy/
We take up to the first two characters of each package name as an intermediate subdirectory, and then the full package name lives underneath that. Shorter named packages live in a single letter directory.
Why, you ask? Well because earlier today the AUR hit 32,000 entries in the unsupported/ directory, making new package uploads impossible. While some might argue we shouldn't have so many damn packages in the repos, we should be able to handle this case.
Why two characters instead of one? Our two biggest two-char groups, 'pe' and 'py', both start with 'p', and have nearly 2000 packages each. Go Python and Perl.
Still needed is a "move the existing data" script, as well as a set of rewrite rules for those wishing to preserve backward compatible URLs for any helper programs doing the wrong thing and relying on them.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-06-22 | rename *.inc files to *.inc.php and adjust imports and references | elij | 1 | -1/+1
Lukas: Add note to "UPGRADING".
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-05-17 | add first submitted and last modified to rpc output | kachelaqa | 1 | -1/+2
After reading the discussion about the submitter field, I looked again at my previous patch and realized that it was not very good at all. Hopefully this simplified version will be more acceptable. The justification for this patch is that many third-party tools will want to know how new a package is, or when it last changed. Adding the submitted and modified timestamps will allow users to get all the relevant package data in a single query.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-05-17 | add support for etag and conditional get (if-none-match) | elij | 1 | -1/+29
Add etag and if-none-match conditional get support. This will allow 'smart clients' to save network bandwidth, as they can save the etag hash value for queries and test it later. Still an http request because this patch specifically sets a cache lifetime of zero, and must-revalidate. The benefit here is bandwidth savings. Caching based on expires headers would likely be counterproductive, as the api data can change rather quickly... but etag is a nice compromise, and could be quite beneficial for bandwidth reduction in some scenarios.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>