path: root/web
Age | Commit message | Author | Files | Lines
2012-11-29 | Fix account privilege escalation vulnerability | canyonknight | 1 | -2/+2
    A check is only done to verify a Trusted User isn't promoting their account. An attacker can send tampered account type POST data to change their "User" level account to a "Developer" account. Add a check so that all users cannot increase their own account permissions.
    Signed-off-by: canyonknight <canyonknight@gmail.com>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-29 | Fix account editing and hijacking vulnerability | canyonknight | 2 | -3/+37
    Checks are in place to avoid users getting account editing forms they shouldn't have access to. The appropriate checks before editing the account in the backend are not in place. This vulnerability allows a user to craft malicious POST data to edit other user accounts, thereby allowing account hijacking. Add a new flexible function can_edit_account() to determine if a user has appropriate permissions. Run the permission check before processing any account information in the backend.
    Signed-off-by: canyonknight <canyonknight@gmail.com>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-24 | index.php: Move voter page token check to switch control structure | canyonknight | 1 | -6/+4
    The voter page token check takes place in the same way as other existing token checks. Move the check for consistency.
    Signed-off-by: canyonknight <canyonknight@gmail.com>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-24 | login.php: Properly link to logout page when already logged in | canyonknight | 1 | -1/+1
    Signed-off-by: canyonknight <canyonknight@gmail.com>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-15 | pkgfuncs.inc.php: Rework query to avoid "Required by" duplicates | canyonknight | 1 | -1/+1
    Packages with multiple DepConditions are returned multiple times in the "Required by" column. Limit SQL results to distinct packages.
    Fixes FS#32478
    Signed-off-by: canyonknight <canyonknight@gmail.com>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-07 | Release 2.0.1 | Lukas Fleischer | 1 | -1/+1
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-07 | pkg_details.php: Fix potential XSS for package names and dep conditions | canyonknight | 1 | -3/+3
    Package names and dep conditions can be specially crafted for an XSS attack. Properly sanitize these variables on the package details page. In addition, avoid including dep conditions as part of a package link.
    Signed-off-by: canyonknight <canyonknight@gmail.com>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-04 | Avoid use of "$_SERVER['REQUEST_URI']" | Lukas Fleischer | 2 | -3/+3
    Use the routing library to build proper URIs instead of relying on the "REQUEST_URI" server variable, which can be manipulated and might return bogus URIs.
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-04 | Avoid double slashes in notifications | Lukas Fleischer | 1 | -3/+3
    Both get_pkg_uri() and get_user_uri() should always return root-relative URLs -- do not prepend another "/".
    Fixes FS#32460.
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-04 | routing.inc.php: Return proper (non-virtual) URIs | Lukas Fleischer | 1 | -2/+2
    Make sure we always return root-relative URIs in get_pkg_uri() and in get_user_uri() and prepend a slash ("/") if the virtual URL feature is disabled.
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-04 | pkgsubmit.php: Show a warning for split packages | Lukas Fleischer | 1 | -0/+4
    Display a special error message if the package is identified as a split package. Currently, the AUR displays a very vague error message when a split package is submitted ("Invalid name: only lowercase letters are allowed"). This often caused confusion among package submitters, see FS#22834 and FS#32450.
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-04 | pkg_details.php: Remove plural from the adopt/disown button | Lukas Fleischer | 1 | -2/+2
    Fixes FS#32455.
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-04 | Add missing internationalization to a few strings | Lukas Fleischer | 2 | -3/+3
    Fixes FS#32449.
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-04 | header.php: Do not lowercase language selection entries | Lukas Fleischer | 1 | -2/+2
    Commit 091c2b5f5523773604699b914c19e6b02ce290bc introduced lower casing to the language drop-down list. Revert this and use htmlspecialchars() to escape language entries instead.
    Addresses FS#32453.
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-04 | Release 2.0.0 | Lukas Fleischer | 1 | -1/+1
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-30 | Return 404 for invalid account/package subpages | Lukas Fleischer | 1 | -8/+26
    Display an error page and return a 404 status code in the following cases:
    * An invalid package name is passed to the "packages" action.
    * An invalid user name is passed to the "account" action.
    * An invalid package action is passed.
    * An invalid account action is passed.
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-29 | pkgsubmit.php: Check that there is one directory in a tarball | canyonknight | 1 | -0/+4
    Users are able to upload tarballs without a directory. The directory count for a tarball is available, so use it to display an error when there is not a single directory. This patch has no effect on users who generate their uploaded tarballs using makepkg. All other users must include a directory in their tarball.
    Signed-off-by: canyonknight <canyonknight@gmail.com>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-28 | home.php: Remove unneeded tables | Lukas Fleischer | 1 | -14/+2
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-28 | Implement word-wrap for package statistics | Lukas Fleischer | 2 | -8/+12
    Word-wrap labels in the package statistics box, just as we wrap package names in the "Recent Updates" box.
    Addresses FS#32160.
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-27 | Add Archive_Tar class to lib/ | canyonknight | 3 | -0/+3066
    Some AUR setups do not have PEAR available, while other setups only have access to outdated Archive_Tar versions. Avoid these problems completely by including the necessary files for Archive_Tar in lib/. Remove the Archive_Tar requirement from the INSTALL doc.
    Signed-off-by: canyonknight <canyonknight@gmail.com>
2012-10-22 | Release 2.0.0-rc2 | Lukas Fleischer | 1 | -1/+1
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-22 | aurjson.class.php: Limit number of RPC results | canyonknight | 2 | -5/+21
    With no limit to the number of results, a memory_limit set to 32M can easily be exceeded for searches that have a large number of results. This results in an HTTP error 500 for those queries. Limit results to an amount set within config.inc.php to avoid exceeding memory_limit. Introduce a new JSON error code for when the result limit is hit.
    Fixes FS#31849
    Signed-off-by: canyonknight <canyonknight@gmail.com>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-22 | Use HTTPS links everywhere for Arch sites | Dan McGee | 4 | -11/+11
    The main site, wiki, and BBS are using HTTPS exclusively, so link directly to the correct protocol rather than forcing a redirect.
    Signed-off-by: Dan McGee <dan@archlinux.org>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-21 | Link to the HTTPS login page in the header | Lukas Fleischer | 2 | -0/+6
    Change the login link so that it points directly to the HTTPS version of the login page if "$DISABLE_HTTP_LOGIN" is set and if HTTP is used.
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-20 | home.php: Fix XHTML tag errors | canyonknight | 1 | -2/+3
    * Add missing <p> tag
    * Move <h4> outside of a <p> tag
    * Rename an id to avoid a conflict with an already existing id
    Signed-off-by: canyonknight <canyonknight@gmail.com>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-20 | account_details.php: Fix XHTML tags being closed incorrectly | canyonknight | 1 | -7/+7
    Replace incorrect </td> tags with </th> tags.
    Signed-off-by: canyonknight <canyonknight@gmail.com>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-20 | account_edit_form.php: Fix some XHTML errors | canyonknight | 1 | -7/+9
    * Add </option> close tags
    * Add VI delimiter to selected option
    * Add quotes to language codes
    Signed-off-by: canyonknight <canyonknight@gmail.com>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-20 | tu_list.php: Remove stray "</span>" tags | canyonknight | 1 | -1/+1
    Signed-off-by: canyonknight <canyonknight@gmail.com>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-20 | pkg_comment_form.php: Remove reference to "call" attribute | canyonknight | 1 | -1/+1
    Signed-off-by: canyonknight <canyonknight@gmail.com>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-20 | pkg_details.php: Add missing XHTML close tags | canyonknight | 1 | -2/+4
    Signed-off-by: canyonknight <canyonknight@gmail.com>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-20 | Sync CSS with archweb | Lukas Fleischer | 1 | -11/+39
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-20 | Display an error page if a virtual path doesn't exist | Lukas Fleischer | 2 | -0/+18
    Give user feedback instead of bailing out with an empty HTTP response body.
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-14 | pkg_search_results.php: Mark out-of-date packages | Lukas Fleischer | 1 | -1/+1
    Highlight the version number of out-of-date packages on the package search results page using the "flagged" class from archweb.
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-14 | pkg_search_results.php: Move version to a separate column | Lukas Fleischer | 1 | -1/+3
    Synchronize the column layout with archweb. This also allows for easily highlighting the version number of out-of-date packages.
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-11 | pkg_comments.php: Move delete button to same line as poster info | canyonknight | 1 | -1/+3
    The delete button is currently on a separate line. Change some logic to allow for the button to be on the same line as poster info.
    Reported-by: Dave Reisner <d@falconindy.com>
    Signed-off-by: canyonknight <canyonknight@gmail.com>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-11 | pkg_comment_form.php: Remove redundant label for the comment box | canyonknight | 1 | -2/+0
    The comment box already uses an <h2> tag. An additional label is not needed. Also remove the label for the form submit button.
    Reported-by: Dave Reisner <d@falconindy.com>
    Signed-off-by: canyonknight <canyonknight@gmail.com>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-11 | pkgsubmit.php: Fix package version not updating | canyonknight | 1 | -1/+1
    Parameters were not correct for a package update operation.
    Fix regression of 763cbf8373e3373254ad18f5b69fd16efdc6fd5c
    Fixes FS#31868
    Signed-off-by: canyonknight <canyonknight@gmail.com>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-11 | pkgfuncs.inc.php: Fix blacklisting functionality | canyonknight | 1 | -1/+1
    An array that contains whether the package is blacklisted is being improperly used for a comparison. Use fetchColumn() to avoid the array completely and compare a value directly.
    Regression with e171f6f34eeacf35cf7142b4788d43e7d0978546
    Fixes FS#31867
    Signed-off-by: canyonknight <canyonknight@gmail.com>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-11 | Remove character limit on password length | canyonknight | 4 | -6/+5
    As all new passwords are hashed and therefore stored in the database at the same length, this limitation is no longer needed.
    Fixes FS#31855
    Signed-off-by: canyonknight <canyonknight@gmail.com>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-10 | Change logo link for consistency with Archweb | canyonknight | 1 | -1/+1
    Fixes FS#27669
    Signed-off-by: canyonknight <canyonknight@gmail.com>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-10 | tu.php: Fix page showing a user hasn't voted when they have | canyonknight | 1 | -2/+5
    An ended vote details page will report a user hasn't voted even when they have. This is a result of faulty logic that only checks if a user has voted if the vote is still running.
    Regression with commit c15441762c6f6ab4438eaf2854c0ee3146a98b30
    Signed-off-by: canyonknight <canyonknight@gmail.com>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-08 | Refactor TU voters list | Lukas Fleischer | 2 | -4/+8
    * Change voters_list() to return an array of voters instead of generating HTML code in the library call.
    * Change the template to generate HTML code for the list of voters instead of displaying the library's return value.
    * Use HTML lists.
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-04 | pkg_search_results.php: Word-wrap package description | Lukas Fleischer | 1 | -1/+1
    Implements FS#31803.
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-04 | Release 2.0.0-rc1 | Lukas Fleischer | 1 | -1/+1
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-04 | Sync account details page with archweb | Lukas Fleischer | 1 | -54/+52
    Synchronize the layout of the account details page with the developer profiles page from archweb.
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-04 | Sync account editing page with archweb | Lukas Fleischer | 1 | -105/+76
    Synchronize the layout of the account editing page with the profiles page from archweb.
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-04 | pkgfuncs.inc.php: Document all functions using PHPDoc format | canyonknight | 1 | -40/+263
    Signed-off-by: canyonknight <canyonknight@gmail.com>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-03 | pkgsubmit.php: Fix PHP notice for depends processing | canyonknight | 1 | -2/+2
    A foreach() is run without verifying an uploaded package has any depends. Fix the undefined index notice for packages uploaded with no depends.
    Similar to commit 857de725d1c87da005b4ab8e9a88222fd19aab4b.
    Signed-off-by: canyonknight <canyonknight@gmail.com>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-03 | Do not notify if status is unchanged in pkg_flag() | Lukas Fleischer | 1 | -2/+6
    Check if a package actually changed its status before sending an email, to prevent spamming.
    Addresses FS#31745.
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-03 | pkgfuncs.inc.php: Fix undefined variable notice | Lukas Fleischer | 1 | -0/+1
    Fixes an undefined variable notice in getvotes() that popped up when a package without any votes was requested.
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>