summaryrefslogtreecommitdiffstats
path: root/web
AgeCommit message (Collapse)AuthorFilesLines
2011-10-25Escape wildcards in "LIKE" patternsLukas Fleischer4-13/+15
Percent signs ("%") and underscores ("_") are not escaped by mysql_real_escape_string() and are interpreted as wildcards if combined with "LIKE". Write a wrapper function db_escape_like() and use it where appropriate. Note that we already fixed this for the RPC interface in commit da2ebb667b7a332ddd8d905bf9b9a8694765fed6 but missed the other places. This patch should fix all remaining flaws reported in FS#26527. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> Signed-off-by: Dan McGee <dan@archlinux.org>
2011-10-25Wrap mysql_real_escape_string() in a functionLukas Fleischer12-61/+67
Wrap mysql_real_escape_string() in a wrapper function db_escape_string() to ease porting to other databases, and as another step to pulling more of the database code into a central location. This is a rebased version of a patch by elij submitted about half a year ago. Thanks-to: elij <elij.mx@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> Conflicts: web/lib/aur.inc.php
2011-10-24Escape wildcards in "LIKE" patternsLukas Fleischer4-13/+15
Percent signs ("%") and underscores ("_") are not escaped by mysql_real_escape_string() and are interpreted as wildcards if combined with "LIKE". Write a wrapper function db_escape_like() and use it where appropriate. Note that we already fixed this for the RPC interface in commit da2ebb667b7a332ddd8d905bf9b9a8694765fed6 but missed the other places. This patch should fix all remaining flaws reported in FS#26527. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> Signed-off-by: Dan McGee <dan@archlinux.org>
2011-10-24Wrap mysql_real_escape_string() in a functionLukas Fleischer12-61/+66
Wrap mysql_real_escape_string() in a wrapper function db_escape_string() to ease porting to other databases, and as another step to pulling more of the database code into a central location. This is a rebased version of a patch by elij submitted about half a year ago. Thanks-to: elij <elij.mx@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-10-24send emails when delteing packagesFlorian Pritz1-0/+38
Signed-off-by: Florian Pritz <bluewind@xinu.at> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-10-24Show last voted date on account details pageDan McGee2-3/+11
We already show it in the account listing page as well, so we should show it here too. Also use a standard date format; we weren't using this non-punctuated format anywhere else. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-10-24Add LastLogin column to Users tableDan McGee1-1/+4
Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-10-24Require DB handle for most user account functionsDan McGee2-26/+15
This affects login the most, where we save about 4 calls to db_connect() by passing a single handle into functions where necessary. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-10-24Remove a boatload of inline table stylesDan McGee8-40/+35
Replacing with CSS styles where appropriate. A previously unused CSS style is tweaked in the stylesheet to match most of what was done via non-CSS styling. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-10-24Move SUPPORTED_LANGS out of config.inc.phpDan McGee3-84/+84
This has no real business being here, and is a pain to update when new languages are shipped. Move it and the set_lang() function to translator.inc.php instead so it doesn't overwhelm the user-configurable settings file with static stuff. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-09-23RPC: Coerce numeric values into integersLukas Fleischer1-0/+12
Coerce following fields into integers to ensure json_encode() serializes them as integers: * ID * CategoryID * NumVotes * OutOfDate * FirstSubmitted * LastModified This means that there will be a minor API break. There's no better way to do this properly, though. Fixes FS#25693. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-09-23RPC: Provide out-of-date timestampLukas Fleischer1-3/+2
Convert the "OutOfDate" field to provide a timestamp instead of a boolean flag in JSON results. We don't really care about backward compatibility here, as most AUR helpers would break anyway when trying to parse RPC responses after the data type overhaul that should come with one of the following patches. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-09-05Merge branch 'maint'Lukas Fleischer2-6/+18
2011-09-05web/template/login_form.php: Escape the request URILukas Fleischer1-1/+1
Reported-by: Thomas Bächler <thomas@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-09-05web/html/pkgsubmit.php: Deal with unset category IDLukas Fleischer1-3/+15
Do not move the package to the incoming package directory and fail to create proper database entries if some AUR upload helper doesn't provide a category. We got several failing constraints here, such as: Cannot add or update a child row: a foreign key constraint fails (`AUR`.`Packages`, CONSTRAINT `Packages_ibfk_1` FOREIGN KEY (`CategoryID`) REFERENCES `PackageCategories` (`ID`) ON DELETE NO ACTION) Instead, default to "1" (which is "none", or "keep category" for existing packages) if no category is supplied. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-09-05Link to current page in the login bar HTTPs linkLukas Fleischer1-2/+2
This is way more convenient if you follow a HTTP link. Implements FS#25757. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-22Merge branch 'maint'Lukas Fleischer2-4/+4
2011-08-22Provide more examples on the RPC info pageLukas Fleischer1-2/+9
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-22RPC: Fix info queries when using package IDsLukas Fleischer1-1/+1
Info queries using package IDs were no longer working due to commit c6d84b3a8df10c522d79c754d4f73cb2a352586f, which introduced a table join in process_query(), thus making the "ID" column ambiguous. Fix this by explicitly specifying the table to use. Fixes FS#25696. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-22Add missing __() to category info in package detailsLukas Fleischer1-3/+3
This makes the "Category" label as well as "Change category" button on the package details page translatable. Fixes FS#25692. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-20web/lib/translator.inc.php: Use vsprintf() in __()Lukas Fleischer1-14/+5
Remove hacky substitution code from __() and use vsprintf() instead which will deal with all sorts of format strings properly. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-20Use "%s" instead of "%h" in format stringsLukas Fleischer4-10/+10
Use the standard string type specifier instead of "%h" in format strings. Both specifiers are treated equally in __() so we shouldn't break anything here. This also allows us to replace the hacky substitution algorithm in __() by vsprintf(). Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-20Release 1.9.0Lukas Fleischer1-1/+1
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-20Replace "el_GR" translation by "el"Lukas Fleischer1-1/+1
We discussed this on aur-dev. We shouldn't specify a territory unless translations are specific to a variant of the Greek language. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-20Add Portuguese (Brazilian) translationLukas Fleischer1-0/+1
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-13Add Finnish and Dutch translationsLukas Fleischer1-0/+2
Thanks-to: Jesse Jaara <jesse.jaara@gmail.com> Thanks-to: Jelle van der Waa <jelle@vdwaa.nl> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-12Use secure and httponly session cookiesLukas Fleischer3-4/+4
As discussed on the mailing list, enable "secure" and "httponly" for session cookies to prevent them from being transferred over insecure connections. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-11Add a configuration setting to disallow HTTP loginLukas Fleischer3-3/+17
If this is enabled, do not show the login form and display a note suggesting to switch to a secure connection if a user accesses the site via HTTP. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-11Remove unnecessary atype and uid lookup from package_details()Dan McGee2-3/+2
These were never used in the function. Where they are used is in the pkg_details.php template, so move them closer to their actual usage so as not to confuse poor programmers such as myself. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-11Use 'true' instead of 'True' everywhereDan McGee2-9/+9
Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-11Make package creation and update atomicDan McGee1-1/+5
Add BEGIN and COMMIT statements where it makes sense to do so. This allows the entire package creation or update process to be atomic and not be seen until it is complete. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-11pkgfuncs.inc.php: allow all DB funcs to take handle argDan McGee1-61/+102
Allows handle reuse if one is available. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-11aur.inc.php: allow all functions using DB to take handle as argDan McGee1-25/+49
This prevents needless calls to db_connect() if we already have a reference to a handle we can pass into a function. Although the current underlying implementation using mysql_connect() will return the same connection if all parameters are the same, this might not be true if we switch to a more modern (e.g. PDO) interface. In the face of safe transactions, it is extremely important all actions are being taken over the same connection to the database. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-11Allow for merging deleted packages into existing onesLukas Fleischer3-2/+18
Merge all comments and votes of deleted packages into another package if the "Merge with" field is used. Duplicate votes (votes from a user who already voted on the target package or voted on more than one of the deleted packages) are discarded. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-11Add "mergepkgid" argument to pkg_delete()Lukas Fleischer1-1/+30
This allows for merging comments and votes of deleted packages into another one which is useful if a package needs to be renamed. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> Signed-off-by: Dan McGee <dan@archlinux.org>
2011-08-11Rename package_exists() to pkgid_from_name()Lukas Fleischer2-3/+3
Describe what this function actually does: Return the ID of a package with a given name and return NULL if such a package doesn't exist. The function name is chosen in a fashion similar to other functions from "pkgfuncs.inc.php" (pkgname_from_id(), pkgnotify_from_sid(), ...). Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-10Segment the upload directory by package name prefixDan McGee3-5/+6
This implements the following scheme: * /packages/cower/ --> /packages/co/cower/ * /packages/j/ --> /packages/j/j/ * /packages/zqy/ --> /packages/zq/zqy/ We take up to the first two characters of each package name as a intermediate subdirectory, and then the full package name lives underneath that. Shorter named packages live in a single letter directory. Why, you ask? Well because earlier today the AUR hit 32,000 entries in the unsupported/ directory, making new package uploads impossible. While some might argue we shouldn't have so many damn packages in the repos, we should be able to handle this case. Why two characters instead of one? Our two biggest two-char groups, 'pe' and 'py', both start with 'p', and have nearly 2000 packages each. Go Python and Perl. Still needed is a "move the existing data" script, as well as a set of rewrite rules for those wishing to preserve backward compatible URLs for any helper programs doing the wrong thing and relying on them. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-10Allow SQL_DEBUG to be undefinedDan McGee1-1/+1
We shouldn't require this as it is a new config parameter and it causes PHP warnings to be spewed everywhere. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-07-29Fix empty depends database insertLukas Fleischer1-11/+16
Do not try to insert a falsey value into the database in case of "depends=()". Signed-off-by: Manuel <manutortosa@chakra-project.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-28Replace split() invocations with explode()Lukas Fleischer1-1/+1
Do not use split(), which has been deprecated as of PHP 5.3.0. As we don't even require regular expressions here, just use explode() instead. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-25Simplify session ID generationLukas Fleischer1-10/+1
There was too much voodoo going on in new_sid(). Just use uniqid() with a random seed and the optional entropy parameter to generate MD5 input. Use the remote IP address as a salt to reduce the chance of two clients getting the same ID if they login at exactly the same time. Thanks-to: Florian Pritz <bluewind@xinu.at> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-25Stricter email address validationLukas Fleischer1-1/+1
Use PHP's filter extension to validate mail addresses. The filter extension is enabled by default as of PHP 5.2.0. Thanks-to: Florian Pritz <bluewind@xinu.at> Thanks-to: Cédric Girard <girard.cedric@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-25Honor epoch field in PKGBUILD files.Slavi Pantaleev1-6/+10
The epoch field in PKGBUILD files was completely ignored until now, and the final Version field for a package consisted only of pkgver and pkgrel (example: 5.0-1) This means that rpc.php reported the version incorrectly for packages having epoch > 0. One case where this was a problem is that it confused AUR helpers wanting to examine all locally installed packages (with epoch > 0) and search the AUR for an updated version. The epoch field is taken into consideration now, and if not 0, will be prepended to the final Version field (example: 1:5.0-1) Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-25fix incompatibility with php short open tagsFlorian Pritz2-5/+1
Signed-off-by: Florian Pritz <bluewind@xinu.at> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-25README: fix pacman callFlorian Pritz1-1/+1
Signed-off-by: Florian Pritz <bluewind@xinu.at> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-25Use sane ORDER BY clauses in package list queriesDan McGee1-4/+4
We were doing some silly things here with an "ORDER BY Name, CategoryID" clause, due to the fact that Name is unique, and thus any additional ordering after Name will have no effect. Of course, the dumb as a box of rocks MySQL query optimizer doesn't realize this, leading to full table scans every time of ~30000 packages instead of using index scans for the ordering and only retrieving the first 50 rows. The biggest change is noted in the default sort order as it cuts down the columns to one, but we can remove the redundant sort from other orderings as well, even though those will still not be able to use an index-driven query plan. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-22Do not redirect on single search resultsLukas Fleischer1-29/+22
The use of header() to redirect after previous output was a design flaw. Our only luck here was PHP's "output_buffering" config variable defaulting to 4096, which kind of hid the bug for a long time. Fixes FS#24580. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-22Make cache type selectable based on config valueelij3-46/+92
Provie a mechanism to specify cache type from NONE, APC, or MEMCACHE based on a config variable. If MEMCACHE type is selected, a list of servers can be specified to provide multiserver support. Note that php-memcaced is required for MEMCACHE support. Lukas: Minor commenting style fixes. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-22rename *.inc files to *.inc.php and adjust imports and referenceselij21-32/+32
Lukas: Add note to "UPGRADING". Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-22make rss.php use the apc cache instead of a cache fileelij1-5/+13
utilize the apc cache functionality in aur.inc to cache the rss feed output. the cache will cache on a per-protocol basis (http/https) so that urls are appropriate regardless of which url people hit. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>