Age | Commit message (Collapse) | Author | Files | Lines |
|
A check is only done to verify a Trusted User isn't promoting their
account. An attacker can send tampered account type POST data to
change their "User" level account to a "Developer" account.
Add check so that all users cannot increase their own account
permissions.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Checks are in place to avoid users getting account editing forms
they shouldn't have access to. The appropriate checks before
editing the account in the backend are not in place.
This vulnerability allows a user to craft malicious POST data to
edit other user accounts, thereby allowing account hijacking.
Add a new flexible function can_edit_account() to determine if
a user has appropriate permissions. Run the permission check before
processing any account information in the backend.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Voter page token check takes place in the same way as other
existing token checks. Move the check for consistency.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Packages with multiple DepConditions are returned multiple
times in the "Required by" column.
Limit SQL results to distinct packages.
Fixes FS#32478
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Package names and dep conditions can be specially crafted for an XSS
attack. Properly sanitize these variables on the package details page.
In addition, avoid including dep conditions as part of a package link.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Use the routing library to build proper URIs instead of relying on the
"REQUEST_URI" server variable which can be manipulated and might return
bogus URIs.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Both get_pkg_uri() and get_user_uri() should always return root-relative
URLs -- do not prepend another "/".
Fixes FS#32460.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Make sure we always return root-relative URIs in get_pkg_uri() and in
get_user_uri() and prepend a slash ("/") if the virtual URL feature is
disabled.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Display a special error message if the package is identified as split
package.
Currently, the AUR displays a very vague error message when a split
package is submitted ("Invalid name: only lowercase letters are
allowed"). This often caused confusion among package submitters, see
FS#22834 and FS#32450.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Fixes FS#32455.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Fixes FS#32449.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Commit 091c2b5f5523773604699b914c19e6b02ce290bc introduced lower casing
to the language drop-down list. Revert this and use htmlspecialchars()
to escape language entries instead.
Addresses FS#32453.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Display an error page and return a 404 status code in the following
cases:
* An invalid package name is passed to the "packages" action.
* An invalid user name is passed to the "account" action.
* An invalid package action is passed.
* An invalid account action is passed.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Users are able to upload tarballs without a directory.
The directory count for a tarball is available, so use it to
display an error when there is not a single directory.
This patch has no effect on users who generate their uploaded
tarballs using makepkg. All other users must include a directory
in their tarball.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Word-wrap labels in the package statistics box, just as we wrap package
names in the "Recent Updates" box.
Addresses FS#32160.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Some AUR setups do not have PEAR available. While other setups
have access to outdated Archive_Tar versions. Avoid these
problems completely by including the necessary files for
Archive_Tar in lib/.
Remove Archive_Tar requirement from INSTALL doc.
Signed-off-by: canyonknight <canyonknight@gmail.com>
|
|
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
With no limit to the number of results, memory_limit set to 32M
can easily be exceeded for searches that have a large number of
results. This results in an HTTP error 500 for those queries.
Limit results to an amount set within config.inc.php to avoid
exceeding memory_limit. Introduce new JSON error code for when
the result limit is hit.
Fixes FS#31849
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
The main site, wiki, and BBS are using HTTPS exclusively, so link
directly to the correct protocol rather than forcing a redirect.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Change the login link so that it points directly to the HTTPs version of
the login page if "$DISABLE_HTTP_LOGIN" is set and if HTTP is used.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
* Add missing <p> tag
* Move <h4> outside of a <p> tag
* Rename an id to avoid a conflict with an already existing id
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Replace incorrect </td> tags with </th> tags
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
* Add </option> close tags
* Add VI delimiter to selected option
* Add quotes to language codes
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Give user feedback instead of bailing out with an empty HTTP response
body.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Highlight the version number of out-of-date packages on the package
search results page using the "flagged" class from archweb.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Synchronize the column layout with archweb. This also allows for
easily highlighting the version number of out-of-date packages.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
The delete button is currently on a separate line. Change some logic
to allow for the button to be on the same line as poster info.
Reported-by: Dave Reisner <d@falconindy.com>
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Comment box already uses <h2> tag. Additional label is not needed.
Also remove label for form submit button.
Reported-by: Dave Reisner <d@falconindy.com>
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Parameters were not correct for a package update operation.
Fix regression of 763cbf8373e3373254ad18f5b69fd16efdc6fd5c
Fixes FS#31868
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
An array that contains whether the package is blacklisted is
being improperly used for a comparison. Use fetchColumn() to
avoid the array completely and compare a value directly.
Regression with e171f6f34eeacf35cf7142b4788d43e7d0978546
Fixes FS#31867
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
As all new passwords are hashed and therefore stored in the database
at the same length, this limitation is no longer needed.
Fixes FS#31855
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Fixes FS#27669
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
An ended vote details page will report a user hasn't voted even when
they have. This is a result of faulty logic that only checks if a user
has voted if the vote is still running.
Regression with commit c15441762c6f6ab4438eaf2854c0ee3146a98b30
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
* Change voters_list() to return an array of voters instead of
generating HTML code in the library call.
* Change the template to generate HTML code for the list of voters
instead of displaying the library's return value.
* Use HTML lists.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Implements FS#31803.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Synchronize the layout of the account details page with the developer
profiles page from archweb.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Synchronize the layout of the account editing page with the profiles
page from archweb.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
A foreach() is run without verifying an uploaded package has any depends.
Fix the undefined index notice for packages uploaded with no depends.
Similar to commit 857de725d1c87da005b4ab8e9a88222fd19aab4b.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Check if a package actually changed its status before sending an email
to prevent from spamming. Addresses FS#31745.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Fixes a undefined variable notice in getvotes() that popped up when a
package without any votes was requested.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|