Age | Commit message (Collapse) | Author | Files | Lines |
|
Fixes broken account suspension system.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Specially crafted pages can force authenticated users to unknowingly perform
actions on the AUR website despite being on an attacker's website. This
cross-site request forgery (CSRF) vulnerability applies to all POST data on
the AUR.
Implement a token system using a double submit cookie. Have a hidden form
value on every page containing POST forms. Use the newly added check_token() to
verify the token sent via POST matches the "AURSID" cookie value. Random
nature of the token limits potential for CSRF.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
This one is not a specific dialect, so "nb" (Norwegian Bokmål) is the
better name to use here.
Thanks-to: Alexander Rødseth <rodseth@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
This makes the difference between Portuguese (Brazil) and Portuguese
(Portugal) a bit clearer. Also, "pt_PT" is way more up to date than
"pt".
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Escape each output string using htmlspecialchars(). These aren't
exploitable; it's still better to escape them properly.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Escape strings properly using htmlspecialchars(). Seems like we missed
these in former cleanups. Fixes FS#28515.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Percent signs ("%") and underscores ("_") are not escaped by
mysql_real_escape_string() and are interpreted as wildcards if combined
with "LIKE". Write a wrapper function db_escape_like() and use it where
appropriate.
Note that we already fixed this for the RPC interface in commit
da2ebb667b7a332ddd8d905bf9b9a8694765fed6 but missed the other places.
This patch should fix all remaining flaws reported in FS#26527.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Signed-off-by: Dan McGee <dan@archlinux.org>
|
|
Wrap mysql_real_escape_string() in a wrapper function db_escape_string()
to ease porting to other databases, and as another step to pulling more
of the database code into a central location.
This is a rebased version of a patch by elij submitted about half a year
ago.
Thanks-to: elij <elij.mx@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Conflicts:
web/lib/aur.inc.php
|
|
Reported-by: Thomas Bächler <thomas@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Do not move the package to the incoming package directory and fail to
create proper database entries if some AUR upload helper doesn't provide
a category. We got several failing constraints here, such as:
Cannot add or update a child row: a foreign key constraint fails
(`AUR`.`Packages`, CONSTRAINT `Packages_ibfk_1` FOREIGN KEY
(`CategoryID`) REFERENCES `PackageCategories` (`ID`) ON DELETE NO
ACTION)
Instead, default to "1" (which is "none", or "keep category" for
existing packages) if no category is supplied.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
This is way more convenient if you follow a HTTP link. Implements
FS#25757.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Info queries using package IDs were no longer working due to commit
c6d84b3a8df10c522d79c754d4f73cb2a352586f, which introduced a table join
in process_query(), thus making the "ID" column ambiguous. Fix this by
explicitly specifying the table to use. Fixes FS#25696.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
This makes the "Category" label as well as "Change category" button on
the package details page translatable. Fixes FS#25692.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
We discussed this on aur-dev. We shouldn't specify a territory unless
translations are specific to a variant of the Greek language.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Thanks-to: Jesse Jaara <jesse.jaara@gmail.com>
Thanks-to: Jelle van der Waa <jelle@vdwaa.nl>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
As discussed on the mailing list, enable "secure" and "httponly" for
session cookies to prevent them from being transferred over insecure
connections.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
If this is enabled, do not show the login form and display a note
suggesting to switch to a secure connection if a user accesses the site
via HTTP.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
These were never used in the function. Where they are used is in the
pkg_details.php template, so move them closer to their actual usage so
as not to confuse poor programmers such as myself.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Add BEGIN and COMMIT statements where it makes sense to do so. This
allows the entire package creation or update process to be atomic and
not be seen until it is complete.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Allows handle reuse if one is available.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
This prevents needless calls to db_connect() if we already have a
reference to a handle we can pass into a function. Although the current
underlying implementation using mysql_connect() will return the same
connection if all parameters are the same, this might not be true if we
switch to a more modern (e.g. PDO) interface.
In the face of safe transactions, it is extremely important all actions
are being taken over the same connection to the database.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Merge all comments and votes of deleted packages into another package if
the "Merge with" field is used. Duplicate votes (votes from a user who
already voted on the target package or voted on more than one of the
deleted packages) are discarded.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
This allows for merging comments and votes of deleted packages into
another one which is useful if a package needs to be renamed.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Signed-off-by: Dan McGee <dan@archlinux.org>
|
|
Describe what this function actually does: Return the ID of a package
with a given name and return NULL if such a package doesn't exist.
The function name is chosen in a fashion similar to other functions from
"pkgfuncs.inc.php" (pkgname_from_id(), pkgnotify_from_sid(), ...).
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
This implements the following scheme:
* /packages/cower/ --> /packages/co/cower/
* /packages/j/ --> /packages/j/j/
* /packages/zqy/ --> /packages/zq/zqy/
We take up to the first two characters of each package name as a
intermediate subdirectory, and then the full package name lives
underneath that. Shorter named packages live in a single letter
directory.
Why, you ask? Well because earlier today the AUR hit 32,000 entries in
the unsupported/ directory, making new package uploads impossible. While
some might argue we shouldn't have so many damn packages in the repos,
we should be able to handle this case.
Why two characters instead of one? Our two biggest two-char groups, 'pe'
and 'py', both start with 'p', and have nearly 2000 packages each. Go
Python and Perl.
Still needed is a "move the existing data" script, as well as a set of
rewrite rules for those wishing to preserve backward compatible URLs for
any helper programs doing the wrong thing and relying on them.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
We shouldn't require this as it is a new config parameter and it causes
PHP warnings to be spewed everywhere.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Do not try to insert a falsey value into the database in case of
"depends=()".
Signed-off-by: Manuel <manutortosa@chakra-project.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Do not use split(), which has been deprecated as of PHP 5.3.0. As we
don't even require regular expressions here, just use explode() instead.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
There was too much voodoo going on in new_sid(). Just use uniqid() with
a random seed and the optional entropy parameter to generate MD5 input.
Use the remote IP address as a salt to reduce the chance of two clients
getting the same ID if they login at exactly the same time.
Thanks-to: Florian Pritz <bluewind@xinu.at>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Use PHP's filter extension to validate mail addresses. The filter
extension is enabled by default as of PHP 5.2.0.
Thanks-to: Florian Pritz <bluewind@xinu.at>
Thanks-to: Cédric Girard <girard.cedric@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
The epoch field in PKGBUILD files was completely ignored until now,
and the final Version field for a package consisted only of
pkgver and pkgrel (example: 5.0-1)
This means that rpc.php reported the version incorrectly for packages
having epoch > 0.
One case where this was a problem is that it confused AUR helpers
wanting to examine all locally installed packages (with epoch > 0)
and search the AUR for an updated version.
The epoch field is taken into consideration now, and if not 0,
will be prepended to the final Version field (example: 1:5.0-1)
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: Florian Pritz <bluewind@xinu.at>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
We were doing some silly things here with an "ORDER BY Name, CategoryID"
clause, due to the fact that Name is unique, and thus any additional
ordering after Name will have no effect. Of course, the dumb as a box of
rocks MySQL query optimizer doesn't realize this, leading to full table
scans every time of ~30000 packages instead of using index scans for the
ordering and only retrieving the first 50 rows.
The biggest change is noted in the default sort order as it cuts down
the columns to one, but we can remove the redundant sort from other
orderings as well, even though those will still not be able to use an
index-driven query plan.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
The use of header() to redirect after previous output was a design flaw.
Our only luck here was PHP's "output_buffering" config variable
defaulting to 4096, which kind of hid the bug for a long time.
Fixes FS#24580.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Provie a mechanism to specify cache type from NONE, APC, or MEMCACHE
based on a config variable.
If MEMCACHE type is selected, a list of servers can be specified to
provide multiserver support. Note that php-memcaced is required for
MEMCACHE support.
Lukas: Minor commenting style fixes.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Lukas: Add note to "UPGRADING".
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
utilize the apc cache functionality in aur.inc to cache the rss feed
output. the cache will cache on a per-protocol basis (http/https) so
that urls are appropriate regardless of which url people hit.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
- move apc cache code to aur.inc (centralize)
- refactor the apc usage in stats.inc to utilize new code in aur.inc
Lukas: Small commenting style and spelling changes.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
- Undefined index: HTTPS in rss.php on line 8
- Undefined property: RSSCreator20::$cssStyleSheet in
feedcreator.class.php on line 591
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
- move request_method test to the top, and catch other request types
(HEAD, PUT, etc)
- change how html output is handled. instead of building a string, just
output the html
- set appropriate response header for incorrect request_method.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
after reading the discussion about the submitter field, i looked again
at my previous patch and realized that it was not very good at all.
hopefully this simplified version will be more acceptable.
the justification for this patch is that many third-party tools will
want to know how new a package is, or when it last changed. adding the
submitted and modified timestamps will allow users to get all the
relevant package data in a single query.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Add etag and if-none-match conditional get support. This will allow
'smart client' to save network bandwidth, as they can save the etag hash
value for queries and test it later. Still an http request because this
patch specifically sets a cache lifetime of zero, and must-revalidate.
The benefit here is bandwidth savings. Caching based on expires headers
would likely be counter productive, as the api data can change rather
quickly...but etag is a nice compromise, and could be quite beneficial
for bandwidth recution in some scenarios.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
the query was being performed when $id was not set, resulting in an
invalid sql query being performed.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|