quote($_COOKIE["AURSID"]); $result = $dbh->query($q); $row = $result->fetch(PDO::FETCH_NUM); if (!$row[0]) { # Invalid SessionID - hacker alert! # $failed = 1; } else { $last_update = $row[0]; if ($last_update + $LOGIN_TIMEOUT <= $row[1]) { $failed = 2; } } if ($failed == 1) { # clear out the hacker's cookie, and send them to a naughty page # why do you have to be so harsh on these people!? # setcookie("AURSID", "", 1, "/", null, !empty($_SERVER['HTTPS']), true); unset($_COOKIE['AURSID']); } elseif ($failed == 2) { # session id timeout was reached and they must login again. # delete_session_id($_COOKIE["AURSID"], $dbh); setcookie("AURSID", "", 1, "/", null, !empty($_SERVER['HTTPS']), true); unset($_COOKIE['AURSID']); } else { # still logged in and haven't reached the timeout, go ahead # and update the idle timestamp # Only update the timestamp if it is less than the # current time plus $LOGIN_TIMEOUT. # # This keeps 'remembered' sessions from being # overwritten. if ($last_update < time() + $LOGIN_TIMEOUT) { $q = "UPDATE Sessions SET LastUpdateTS = UNIX_TIMESTAMP() "; $q.= "WHERE SessionID = " . $dbh->quote($_COOKIE["AURSID"]); $dbh->exec($q); } } } return; } # Verify the supplied token matches the expected token for POST forms # function check_token() { if (isset($_POST['token'])) { return ($_POST['token'] == $_COOKIE['AURSID']); } else { return false; } } # verify that an email address looks like it is legitimate # function valid_email($addy) { // check against RFC 3696 if (filter_var($addy, FILTER_VALIDATE_EMAIL) === false) { return false; } // check dns for mx, a, aaaa records list($local, $domain) = explode('@', $addy); if (!(checkdnsrr($domain, 'MX') || checkdnsrr($domain, 'A') || checkdnsrr($domain, 'AAAA'))) { return false; } return true; } # generate a (hopefully) unique session id # function new_sid() { return md5($_SERVER['REMOTE_ADDR'] . uniqid(mt_rand(), true)); } # obtain the username if given their Users.ID # function username_from_id($id="", $dbh=NULL) { if (!$id) { return ""; } if(!$dbh) { $dbh = db_connect(); } $q = "SELECT Username FROM Users WHERE ID = " . $dbh->quote($id); $result = $dbh->query($q); if (!$result) { return "None"; } $row = $result->fetch(PDO::FETCH_NUM); return $row[0]; } # obtain the username if given their current SID # function username_from_sid($sid="", $dbh=NULL) { if (!$sid) { return ""; } if(!$dbh) { $dbh = db_connect(); } $q = "SELECT Username "; $q.= "FROM Users, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; $q.= "AND Sessions.SessionID = " . $dbh->quote($sid); $result = $dbh->query($q); if (!$result) { return ""; } $row = $result->fetch(PDO::FETCH_NUM); return $row[0]; } # obtain the email address if given their current SID # function email_from_sid($sid="", $dbh=NULL) { if (!$sid) { return ""; } if(!$dbh) { $dbh = db_connect(); } $q = "SELECT Email "; $q.= "FROM Users, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; $q.= "AND Sessions.SessionID = " . $dbh->quote($sid); $result = $dbh->query($q); if (!$result) { return ""; } $row = $result->fetch(PDO::FETCH_NUM); return $row[0]; } # obtain the account type if given their current SID # Return either "", "User", "Trusted User", "Developer" # function account_from_sid($sid="", $dbh=NULL) { if (!$sid) { return ""; } if(!$dbh) { $dbh = db_connect(); } $q = "SELECT AccountType "; $q.= "FROM Users, AccountTypes, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; $q.= "AND AccountTypes.ID = Users.AccountTypeID "; $q.= "AND Sessions.SessionID = " . $dbh->quote($sid); $result = $dbh->query($q); if (!$result) { return ""; } $row = $result->fetch(PDO::FETCH_NUM); return $row[0]; } # obtain the Users.ID if given their current SID # function uid_from_sid($sid="", $dbh=NULL) { if (!$sid) { return ""; } if(!$dbh) { $dbh = db_connect(); } $q = "SELECT Users.ID "; $q.= "FROM Users, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; $q.= "AND Sessions.SessionID = " . $dbh->quote($sid); $result = $dbh->query($q); if (!$result) { return 0; } $row = $result->fetch(PDO::FETCH_NUM); return $row[0]; } # connect to the database # function db_connect() { try { $dbh = new PDO(AUR_db_DSN_prefix . ":" . AUR_db_host . ";dbname=" . AUR_db_name, AUR_db_user, AUR_db_pass); } catch (PDOException $e) { echo "Error - Could not connect to AUR database: " . $e->getMessage(); } $dbh->exec("SET NAMES 'utf8' COLLATE 'utf8_general_ci';"); return $dbh; } # common header # function html_header($title="") { global $LANG; global $SUPPORTED_LANGS; $title = htmlspecialchars($title, ENT_QUOTES); include('header.php'); return; } # common footer # function html_footer($ver="") { include('footer.php'); return; } # check to see if the user can submit a package # function can_submit_pkg($name="", $sid="", $dbh=NULL) { if (!$name || !$sid) {return 0;} if(!$dbh) { $dbh = db_connect(); } $q = "SELECT MaintainerUID "; $q.= "FROM Packages WHERE Name = " . $dbh->quote($name); $result = $dbh->query($q); $row = $result->fetch(PDO::FETCH_NUM); if (!$row[0]) { return 1; } $my_uid = uid_from_sid($sid, $dbh); if ($row[0] === NULL || $row[0] == $my_uid) { return 1; } return 0; } # recursive delete directory # function rm_tree($dirname) { if (empty($dirname) || !is_dir($dirname)) return; foreach (scandir($dirname) as $item) { if ($item != '.' && $item != '..') { $path = $dirname . '/' . $item; if (is_file($path) || is_link($path)) { unlink($path); } else { rm_tree($path); } } } rmdir($dirname); return; } # Recursive chmod to set group write permissions # function chmod_group($path) { if (!is_dir($path)) return chmod($path, 0664); $d = dir($path); while ($f = $d->read()) { if ($f != '.' && $f != '..') { $fullpath = $path.'/'.$f; if (is_link($fullpath)) continue; elseif (!is_dir($fullpath)) { if (!chmod($fullpath, 0664)) return FALSE; } elseif(!chmod_group($fullpath)) return FALSE; } } $d->close(); if(chmod($path, 0775)) return TRUE; else return FALSE; } # obtain the uid given a Users.Username # function uid_from_username($username="", $dbh=NULL) { if (!$username) { return ""; } if(!$dbh) { $dbh = db_connect(); } $q = "SELECT ID FROM Users WHERE Username = " . $dbh->quote($username); $result = $dbh->query($q); if (!$result) { return "None"; } $row = $result->fetch(PDO::FETCH_NUM); return $row[0]; } # obtain the uid given a Users.Email # function uid_from_email($email="", $dbh=NULL) { if (!$email) { return ""; } if(!$dbh) { $dbh = db_connect(); } $q = "SELECT ID FROM Users WHERE Email = " . $dbh->quote($email); $result = $dbh->query($q); if (!$result) { return "None"; } $row = $result->fetch(PDO::FETCH_NUM); return $row[0]; } # check user privileges # function check_user_privileges() { $type = account_from_sid($_COOKIE['AURSID']); return ($type == 'Trusted User' || $type == 'Developer'); } /** * Generate clean url with edited/added user values * * Makes a clean string of variables for use in URLs based on current $_GET and * list of values to edit/add to that. Any empty variables are discarded. * * ex. print "http://example.com/test.php?" . mkurl("foo=bar&bar=baz") * * @param string $append string of variables and values formatted as in URLs * ex. mkurl("foo=bar&bar=baz") * @return string clean string of variables to append to URL, urlencoded */ function mkurl($append) { $get = $_GET; $append = explode('&', $append); $uservars = array(); $out = ''; foreach ($append as $i) { $ex = explode('=', $i); $uservars[$ex[0]] = $ex[1]; } foreach ($uservars as $k => $v) { $get[$k] = $v; } foreach ($get as $k => $v) { if ($v !== '') { $out .= '&' . urlencode($k) . '=' . urlencode($v); } } return substr($out, 5); } function get_salt($user_id, $dbh=NULL) { if(!$dbh) { $dbh = db_connect(); } $q = "SELECT Salt FROM Users WHERE ID = " . $user_id; $result = $dbh->query($q); if ($result) { $row = $result->fetch(PDO::FETCH_NUM); return $row[0]; } return; } function save_salt($user_id, $passwd, $dbh=NULL) { if(!$dbh) { $dbh = db_connect(); } $salt = generate_salt(); $hash = salted_hash($passwd, $salt); $q = "UPDATE Users SET Salt = " . $dbh->quote($salt) . ", "; $q.= "Passwd = " . $dbh->quote($hash) . " WHERE ID = " . $user_id; $result = $dbh->exec($q); } function generate_salt() { return md5(uniqid(mt_rand(), true)); } function salted_hash($passwd, $salt) { if (strlen($salt) != 32) { trigger_error('Salt does not look like an md5 hash', E_USER_WARNING); } return md5($salt . $passwd); } function parse_comment($comment) { $url_pattern = '/(\b(?:https?|ftp):\/\/[\w\/\#~:.?+=&%@!\-;,]+?' . '(?=[.:?\-;,]*(?:[^\w\/\#~:.?+=&%@!\-;,]|$)))/iS'; $matches = preg_split($url_pattern, $comment, -1, PREG_SPLIT_DELIM_CAPTURE); $html = ''; for ($i = 0; $i < count($matches); $i++) { if ($i % 2) { # convert links $html .= '' . htmlspecialchars($matches[$i]) . ''; } else { # convert everything else $html .= nl2br(htmlspecialchars($matches[$i])); } } return $html; } function begin_atomic_commit($dbh=NULL) { if(!$dbh) { $dbh = db_connect(); } $dbh->beginTransaction(); } function end_atomic_commit($dbh=NULL) { if(!$dbh) { $dbh = db_connect(); } $dbh->commit(); } function last_insert_id($dbh=NULL) { if(!$dbh) { $dbh = db_connect(); } return $dbh->lastInsertId(); } function latest_pkgs($numpkgs, $dbh=NULL) { if(!$dbh) { $dbh = db_connect(); } $q = "SELECT * FROM Packages "; $q.= "ORDER BY SubmittedTS DESC "; $q.= "LIMIT " .intval($numpkgs); $result = $dbh->query($q); if ($result) { while ($row = $result->fetch(PDO::FETCH_ASSOC)) { $packages[] = $row; } } return $packages; }