From 237a4570e2a2bbfd39520886f56c5240e6ed4bec Mon Sep 17 00:00:00 2001
From: Lukas Fleischer
Date: Tue, 5 Aug 2014 23:52:03 +0200
Subject: Add PCRE_DOLLAR_ENDONLY to preg_match()
When using preg_match() to check for a match that starts at the beginning of the string and ends at the last character of the string, we do not want to allow an additional newline character to sneak in. Amongst other potential loopholes, adding the PCRE_DOLLAR_ENDONLY modifier prevents users from registering with user names that end with a newline character.
Signed-off-by: Lukas Fleischer
---
 web/html/pkgsubmit.php | 4 ++--
 web/lib/acctfuncs.inc.php | 2 +-
 web/lib/pkgreqfuncs.inc.php | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
(limited to 'web')
diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php
index 7d89425..8a48df2 100644
--- a/web/html/pkgsubmit.php
+++ b/web/html/pkgsubmit.php
@@ -193,7 +193,7 @@ if ($uid):
 /* Validate package base name. */
 if (!$error) {
 $pkgbase_name = $pkgbase_info['pkgbase'];
- if (!preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/", $pkgbase_name)) {
+ if (!preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/D", $pkgbase_name)) {
 $error = __("Invalid name: only lowercase letters are allowed.");
@@ -209,7 +209,7 @@ if ($uid):
 /* Validate package names. */
 $pkg_name = $pi['pkgname'];
- if (!preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/", $pkg_name)) {
+ if (!preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/D", $pkg_name)) {
 $error = __("Invalid name: only lowercase letters are allowed.");
 break;
 }
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index 254f0e2..e3ff494 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
@@ -544,7 +544,7 @@ function valid_username($user) {
 if (strlen($user) < USERNAME_MIN_LEN || strlen($user) > USERNAME_MAX_LEN) {
 return false;
- } else if (!preg_match("/^[a-z0-9]+[.\-_]?[a-z0-9]+$/i", $user)) {
+ } else if (!preg_match("/^[a-z0-9]+[.\-_]?[a-z0-9]+$/Di", $user)) {
 return false;
 }
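Review bot: The package-name pattern `"/^[a-z0-9][a-z0-9\.+_-]*$/D"` is spelled out verbatim in three places in this commit (this hunk, the hunk at line 209 below, and the pkgreq_file() hunk in pkgreqfuncs.inc.php), which is exactly why the same one-character anchoring fix had to be repeated; a single helper next to valid_username() in acctfuncs.inc.php, e.g. `function valid_pkgname($name) { return preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/D", $name) === 1; }`, would keep the decision in one spot and let the three call sites read `if (!valid_pkgname($pkgbase_name)) {`. A self-describing alternative to `$` plus the `D` modifier is the `\z` anchor, which never matches before a trailing newline regardless of modifiers. The enclosing `if ($uid):` block starts and ends outside this hunk.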
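Review bot: The `else` in `} else if (!preg_match("/^[a-z0-9]+[.\-_]?[a-z0-9]+$/Di", $user)) {` follows an unconditional `return false;`, so it can be a plain `if` and the two branches can be read independently. The pattern also requires at least two alphanumeric characters (`[a-z0-9]+` on each side of the optional separator), so a one-character name is rejected no matter what USERNAME_MIN_LEN is set to; if that is intended, a comment such as `/* The pattern itself enforces a minimum of two alphanumerics. */` above the check would save the next reader from chasing the constant. valid_username() continues outside this hunk.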
diff --git a/web/lib/pkgreqfuncs.inc.php b/web/lib/pkgreqfuncs.inc.php
index 5924959..98fb0cb 100644
--- a/web/lib/pkgreqfuncs.inc.php
+++ b/web/lib/pkgreqfuncs.inc.php
@@ -91,7 +91,7 @@ function pkgreq_file($ids, $type, $merge_into, $comments) {
 global $AUR_REQUEST_ML;
 global $AUTO_ORPHAN_AGE;
- if (!empty($merge_into) && !preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/", $merge_into)) {
+ if (!empty($merge_into) && !preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/D", $merge_into)) {
 return array(false, __("Invalid name: only lowercase letters are allowed."));
 }
--
cgit v1.2.3-54-g00ecf
From 0613a637b39420deb0b34c8831aa2c31fa63ee7f Mon Sep 17 00:00:00 2001
From: Lukas Fleischer
Date: Wed, 6 Aug 2014 00:08:46 +0200
Subject: Fix notification handling on submission and adoption
Automatically add users to the notification list when adopting a package. This used to work bug was broken by 03c6304 (Rework permission handling, 2014-07-15). Fixes FS#41426.
Signed-off-by: Lukas Fleischer
---
 web/html/pkgsubmit.php | 2 +-
 web/lib/pkgbasefuncs.inc.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
(limited to 'web')
diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php
index 8a48df2..a11fb5b 100644
--- a/web/html/pkgsubmit.php
+++ b/web/html/pkgsubmit.php
@@ -380,7 +380,7 @@ if ($uid):
 * notification list. */
 if ($was_orphan) {
- pkgbase_notify(account_from_sid($_COOKIE["AURSID"]), array($base_id), true);
+ pkgbase_notify(array($base_id), true);
 }
 end_atomic_commit();
diff --git a/web/lib/pkgbasefuncs.inc.php b/web/lib/pkgbasefuncs.inc.php
index 946209b..1ac0b47 100644
--- a/web/lib/pkgbasefuncs.inc.php
+++ b/web/lib/pkgbasefuncs.inc.php
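Review bot: `!empty($merge_into)` skips the name check when `$merge_into` is the string `'0'`, because empty() tests truthiness rather than presence; `'0'` happens to satisfy the pattern, so no invalid name gets through here, but whether the rest of pkgreq_file() (outside this hunk) treats `'0'` as "no merge target" cannot be seen from the hunk. `if ($merge_into !== '' && !preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/D", $merge_into)) {` states the intent precisely and keeps the two notions of "absent" from drifting apart.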
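Review bot: The status returned by `pkgbase_notify(array($base_id), true);` is dropped, so a failed notification insert leaves the submission reported as successful with no trace; if pkgbase_notify() returns the `array($status, $msg)` pair that the neighbouring functions use (its definition is not in this series), the status should be checked or at least logged before `end_atomic_commit();`. The `pkgbase_notify($base_ids);` call added to pkgbase_adopt() in the next hunk has the same shape. The enclosing `if ($uid):` block starts and ends outside this hunk.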
@@ -617,7 +617,7 @@ function pkgbase_adopt ($base_ids, $action=true, $via) {
 $dbh->exec($q);
 if ($action) {
- pkgbase_notify(account_from_sid($_COOKIE["AURSID"]), $base_ids);
+ pkgbase_notify($base_ids);
 return array(true, __("The selected packages have been adopted."));
 } else {
 return array(true, __("The selected packages have been disowned."));
--
cgit v1.2.3-54-g00ecf
From d61b34f2557eb38142c879cbe2dea8598873dfb3 Mon Sep 17 00:00:00 2001
From: Lukas Fleischer
Date: Fri, 8 Aug 2014 11:32:06 +0200
Subject: Fix the return value of save_salt()
Return true if and only if the SQL query was executed successfully. Logins with an unsalted password no longer fail now.
Signed-off-by: Lukas Fleischer
---
 web/lib/aur.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'web')
diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php
index 82730bb..81cbf69 100644
--- a/web/lib/aur.inc.php
+++ b/web/lib/aur.inc.php
@@ -471,7 +471,7 @@ function save_salt($user_id, $passwd) {
 $hash = salted_hash($passwd, $salt);
 $q = "UPDATE Users SET Salt = " . $dbh->quote($salt) . ", ";
 $q.= "Passwd = " . $dbh->quote($hash) . " WHERE ID = " . $user_id;
- $result = $dbh->exec($q);
+ return $dbh->exec($q);
 }
 /**
--
cgit v1.2.3-54-g00ecf
From 218ccf51e38ad9b0654aa509f2bf8eec44d69c07 Mon Sep 17 00:00:00 2001
From: Lukas Fleischer
Date: Fri, 8 Aug 2014 11:47:06 +0200
Subject: Add permission checks to the request feature
* Only show the request form to users that are logged in.
* Only show the close request form to Trusted Users and developers.
* Check for a valid login in pkgreq_file().
Signed-off-by: Lukas Fleischer
---
 web/html/pkgreq.php | 8 ++++++++
 web/lib/credentials.inc.php | 2 ++
 web/lib/pkgreqfuncs.inc.php | 4 ++++
 3 files changed, 14 insertions(+)
(limited to 'web')
diff --git a/web/html/pkgreq.php b/web/html/pkgreq.php
index 03b31b8..ccb0acd 100644
--- a/web/html/pkgreq.php
+++ b/web/html/pkgreq.php
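Review bot: `return $dbh->exec($q);` hands back PDO::exec()'s affected-row count, so a query that executes without error but changes zero rows (no row with that ID, or a driver configured to report only rows whose values changed) returns `0`, which a caller testing truthiness reads as failure; that contradicts the "true if and only if the query was executed successfully" wording in the commit message, and `return $dbh->exec($q) !== false;` pins the intended contract. Separately, on the context line above, `$user_id` is concatenated into the WHERE clause without quoting while the other two values go through `$dbh->quote()`; unless every call site guarantees an integer, `" WHERE ID = " . (int)$user_id;` closes that gap. save_salt() begins outside this hunk.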
@@ -9,9 +9,17 @@ set_lang();
 check_sid();
 if (isset($base_id)) {
+ if (!has_credential(CRED_PKGREQ_FILE)) {
+ header('Location: /');
+ exit();
+ }
 html_header(__("File Request"));
 include('pkgreq_form.php');
 } elseif (isset($pkgreq_id)) {
+ if (!has_credential(CRED_PKGREQ_CLOSE)) {
+ header('Location: /');
+ exit();
+ }
 html_header(__("Close Request"));
 $pkgbase_name = pkgreq_get_pkgbase_name($pkgreq_id);
 include('pkgreq_close_form.php');
diff --git a/web/lib/credentials.inc.php b/web/lib/credentials.inc.php
index efc203d..0c428f2 100644
--- a/web/lib/credentials.inc.php
+++ b/web/lib/credentials.inc.php
@@ -18,6 +18,7 @@ define("CRED_PKGBASE_NOTIFY", 13);
 define("CRED_PKGBASE_SUBMIT_BLACKLISTED", 14);
 define("CRED_PKGBASE_UNFLAG", 15);
 define("CRED_PKGBASE_VOTE", 16);
+define("CRED_PKGREQ_FILE", 23);
 define("CRED_PKGREQ_CLOSE", 17);
 define("CRED_PKGREQ_LIST", 18);
 define("CRED_TU_ADD_VOTE", 19);
@@ -48,6 +49,7 @@ function has_credential($credential, $approved_users=array()) {
 case CRED_PKGBASE_FLAG:
 case CRED_PKGBASE_NOTIFY:
 case CRED_PKGBASE_VOTE:
+ case CRED_PKGREQ_FILE:
 return ($atype == 'User' || $atype == 'Trusted User' || $atype == 'Developer' || $atype == 'Trusted User & Developer');
diff --git a/web/lib/pkgreqfuncs.inc.php b/web/lib/pkgreqfuncs.inc.php
index 98fb0cb..9207043 100644
--- a/web/lib/pkgreqfuncs.inc.php
+++ b/web/lib/pkgreqfuncs.inc.php
@@ -91,6 +91,10 @@ function pkgreq_file($ids, $type, $merge_into, $comments) {
 global $AUR_REQUEST_ML;
 global $AUTO_ORPHAN_AGE;
+ if (!has_credential(CRED_PKGREQ_FILE)) {
+ return array(false, __("You must be logged in to file package requests."));
+ }
+
 if (!empty($merge_into) && !preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/D", $merge_into)) {
 return array(false, __("Invalid name: only lowercase letters are allowed."));
 }
--
cgit v1.2.3-54-g00ecf
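Review bot: Both new guards send the user to `/` with no indication of why, so someone who follows a request link while logged out lands on the front page with nothing telling them to log in, and the identical four-line `header('Location: /'); exit();` block is repeated for CRED_PKGREQ_FILE and CRED_PKGREQ_CLOSE. If the code base already has a helper that redirects to the login page (none is visible in this series), reusing it here would give the user a path forward; otherwise a one-line comment such as `/* Not permitted: bounce to the front page rather than render the form. */` above each guard would at least make the silent redirect deliberate. Pairing `exit()` with `header()` is correct as written. The `if (isset($base_id)) ... elseif` dispatch continues outside this hunk.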
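Review bot: `define("CRED_PKGREQ_FILE", 23);` is slotted alphabetically between the values 16 and 17, so the numeric sequence in this file is no longer monotonic, and the hunk only shows values up to 19; whether 20-22 are already taken and 23 is the next free value cannot be confirmed from here, so a maintainer adding the next credential has to scan the whole list. A comment at the head of the list, e.g. `/* Values are allocated in insertion order and must stay unique; names are kept alphabetical. */`, would document the convention. The matching `case CRED_PKGREQ_FILE:` in the has_credential() hunk below is consistent with the commit's stated intent of granting the credential to every logged-in account type listed there.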