diff --git a/web/html/account.php b/web/html/account.php index 6d402cae..4d2cd9f6 100644 --- a/web/html/account.php +++ b/web/html/account.php @@ -2,6 +2,7 @@ include("aur.inc"); # access AUR common functions include("account_po.inc"); # use some form of this for i18n support set_lang(); # this sets up the visitor's language +check_sid(); # see if they're still logged in html_header(); # print out the HTML header @@ -11,8 +12,5 @@ html_header(); # print out the HTML header print __("Under construction...")."
\n"; -html_footer("\$Id$"); # Use the $Id$ keyword - # NOTE: when checking in a new file, use - # 'svn propset svn:keywords "Id" filename.php' - # to tell svn to expand the "Id" keyword. +html_footer("\$Id$"); ?> diff --git a/web/html/css/containers.css b/web/html/css/containers.css index 7322b3f1..69ed1d96 100644 --- a/web/html/css/containers.css +++ b/web/html/css/containers.css @@ -174,6 +174,12 @@ vertical-align: top; padding-left: 5; } + td.text + { + color: #000; + font-family: verdana; + font-size: 12px; + } th { text-align: left; diff --git a/web/html/css/fonts.css b/web/html/css/fonts.css index 55cb2261..fcf46441 100644 --- a/web/html/css/fonts.css +++ b/web/html/css/fonts.css @@ -40,6 +40,12 @@ font-family: monospace, fixed, terminal; font-size: 12px; } + span.error /* Content Text */ + { + color: #900; + font-family: verdana; + font-size: 12px; + } /* Font Attribute Change (#6c83b0)*/ span.blue diff --git a/web/html/hacker.php b/web/html/hacker.php new file mode 100644 index 00000000..5d518340 --- /dev/null +++ b/web/html/hacker.php @@ -0,0 +1,13 @@ +\n"; +print __("If this problem persists, please contact the site administrator."); +print "

\n"; + +html_footer("\$Id$"); +?> diff --git a/web/html/index.php b/web/html/index.php index 3bda5511..ad7b73f0 100644 --- a/web/html/index.php +++ b/web/html/index.php @@ -4,7 +4,7 @@ include("aur.inc"); set_lang(); check_sid(); -# Need to do the authentication prior to sending HTML +# Need to do the authentication prior to sending any HTML (including header) # $login_error = ""; if (isset($_REQUEST["user"]) || isset($_REQUEST["pass"])) { @@ -23,14 +23,15 @@ if (isset($_REQUEST["user"]) || isset($_REQUEST["pass"])) { $q = "SELECT ID, Suspended FROM Users "; $q.= "WHERE Email = '" . mysql_escape_string($_REQUEST["user"]) . "' "; $q.= "AND Passwd = '" . mysql_escape_string($_REQUEST["pass"]) . "'"; - $result = mysql_query($q, $dbh); + $result = db_query($q, $dbh); if (!$result) { $login_error = __("Incorrect password for username %s.", array($_REQUEST["user"])); - } - $row = mysql_fetch_row($result); - if ($row[1]) { - $login_error = __("Your account has been suspended."); + } else { + $row = mysql_fetch_row($result); + if ($row[1]) { + $login_error = __("Your account has been suspended."); + } } if (!$login_error) { @@ -42,7 +43,7 @@ if (isset($_REQUEST["user"]) || isset($_REQUEST["pass"])) { $new_sid = new_sid(); $q = "INSERT INTO Sessions (UsersID, SessionID, LastUpdateTS) "; $q.="VALUES (". $row[0]. ", '" . $new_sid . "', UNIX_TIMESTAMP())"; - $result = mysql_query($q, $dbh); + $result = db_query($q, $dbh); # Query will fail if $new_sid is not unique # if ($result) { @@ -69,19 +70,19 @@ html_header(); print "\n"; print "\n"; -print " "; -print "
"; +print "  
"; print __("This is where the intro text will go."); print __("For now, it's just a place holder."); print __("It's more important to get the login functionality finished."); print __("After that, this can be filled in with more meaningful text."); print " 		"; +print "  
\n"; if (!isset($_COOKIE["AURSID"])) { # the user is not logged in, give them login widgets # print "
\n"; if ($login_error) { - print $login_error . "
\n"; + print "" . $login_error . "
\n"; } print "\n"; print "\n"; diff --git a/web/html/logout.php b/web/html/logout.php index 6757784e..07a787a1 100644 --- a/web/html/logout.php +++ b/web/html/logout.php @@ -2,17 +2,19 @@ include("aur.inc"); # access AUR common functions include("logout_po.inc"); # use some form of this for i18n support set_lang(); # this sets up the visitor's language -html_header(); # print out the HTML header - -# Any text you print out to the visitor, use the __() function -# for i18n support. See 'testpo.php' for more details. +# if they've got a cookie, log them out - need to do this before +# sending any HTML output. # -print __("Under construction...")."
\n"; +if (isset($_COOKIE["AURSID"])) { + $q = "DELETE FROM Sessions WHERE SessionID = '"; + $q.= mysql_escape_string($_COOKIE["AURSID"]) . "'"; + setcookie("AURSID", "", time() - (60*60*24*30), "/"); +} + +html_header(); # print out the HTML header +print __("You have been successfully logged out.")."
\n"; -html_footer("\$Id$"); # Use the $Id$ keyword - # NOTE: when checking in a new file, use - # 'svn propset svn:keywords "Id" filename.php' - # to tell svn to expand the "Id" keyword. +html_footer("\$Id$"); ?> diff --git a/web/html/pkgmgmnt.php b/web/html/pkgmgmnt.php index 0988e51e..b1768dbf 100644 --- a/web/html/pkgmgmnt.php +++ b/web/html/pkgmgmnt.php @@ -2,6 +2,7 @@ include("aur.inc"); # access AUR common functions include("mgmnt_po.inc"); # use some form of this for i18n support set_lang(); # this sets up the visitor's language +check_sid(); # see if they're still logged in html_header(); # print out the HTML header @@ -11,8 +12,5 @@ html_header(); # print out the HTML header print __("Under construction...")."
\n"; -html_footer("\$Id$"); # Use the $Id$ keyword - # NOTE: when checking in a new file, use - # 'svn propset svn:keywords "Id" filename.php' - # to tell svn to expand the "Id" keyword. +html_footer("\$Id$"); ?> diff --git a/web/html/pkgsearch.php b/web/html/pkgsearch.php index d23a602e..f5ef888e 100644 --- a/web/html/pkgsearch.php +++ b/web/html/pkgsearch.php @@ -2,6 +2,7 @@ include("aur.inc"); # access AUR common functions include("search_po.inc"); # use some form of this for i18n support set_lang(); # this sets up the visitor's language +check_sid(); # see if they're still logged in html_header(); # print out the HTML header @@ -11,8 +12,5 @@ html_header(); # print out the HTML header print __("Under construction...")."
\n"; -html_footer("\$Id$"); # Use the $Id$ keyword - # NOTE: when checking in a new file, use - # 'svn propset svn:keywords "Id" filename.php' - # to tell svn to expand the "Id" keyword. +html_footer("\$Id$"); ?> diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php index fc36da5d..c9465a1d 100644 --- a/web/html/pkgsubmit.php +++ b/web/html/pkgsubmit.php @@ -1,6 +1,8 @@ \n"; -html_footer("\$Id$"); # Use the $Id$ keyword - # NOTE: when checking in a new file, use - # 'svn propset svn:keywords "Id" filename.php' - # to tell svn to expand the "Id" keyword. +html_footer("\$Id$"); ?> diff --git a/web/html/pkgvote.php b/web/html/pkgvote.php index e111937f..594ec168 100644 --- a/web/html/pkgvote.php +++ b/web/html/pkgvote.php @@ -2,6 +2,7 @@ include("aur.inc"); # access AUR common functions include("vote_po.inc"); # use some form of this for i18n support set_lang(); # this sets up the visitor's language +check_sid(); # see if they're still logged in html_header(); # print out the HTML header @@ -11,8 +12,5 @@ html_header(); # print out the HTML header print __("Under construction...")."
\n"; -html_footer("\$Id$"); # Use the $Id$ keyword - # NOTE: when checking in a new file, use - # 'svn propset svn:keywords "Id" filename.php' - # to tell svn to expand the "Id" keyword. +html_footer("\$Id$"); ?> diff --git a/web/html/template.php b/web/html/template.php index a61ba6fc..9ae001e4 100644 --- a/web/html/template.php +++ b/web/html/template.php @@ -2,6 +2,7 @@ include("aur.inc"); # access AUR common functions include("template_po.inc"); # use some form of this for i18n support set_lang(); # this sets up the visitor's language +check_sid(); # see if they're still logged in html_header(); # print out the HTML header diff --git a/web/lang/hacker_po.inc b/web/lang/hacker_po.inc new file mode 100644 index 00000000..183cee67 --- /dev/null +++ b/web/lang/hacker_po.inc @@ -0,0 +1,24 @@ + Traducción española aquí. <--"; +# $_t["fr"]["Your session id is invalid."] = "--> Traduction française ici. <--"; +# $_t["de"]["Your session id is invalid."] = "--> Deutsche Übersetzung hier. <--"; + +$_t["en"]["If this problem persists, please contact the site administrator."] = "If this problem persists, please contact the site administrator."; +# $_t["es"]["If this problem persists, please contact the site administrator."] = "--> Traducción española aquí. <--"; +# $_t["fr"]["If this problem persists, please contact the site administrator."] = "--> Traduction française ici. <--"; +# $_t["de"]["If this problem persists, please contact the site administrator."] = "--> Deutsche Übersetzung hier. <--"; + +?> \ No newline at end of file diff --git a/web/lang/logout_po.inc b/web/lang/logout_po.inc index 438f50df..dab1ddaf 100644 --- a/web/lang/logout_po.inc +++ b/web/lang/logout_po.inc @@ -16,4 +16,9 @@ $_t["en"]["Under construction..."] = "Under construction..."; # $_t["fr"]["Under construction..."] = "--> Traduction française ici. <--"; # $_t["de"]["Under construction..."] = "--> Deutsche Übersetzung hier. <--"; +$_t["en"]["You have been successfully logged out."] = "You have been successfully logged out."; +# $_t["es"]["You have been successfully logged out."] = "--> Traducción española aquí. <--"; +# $_t["fr"]["You have been successfully logged out."] = "--> Traduction française ici. <--"; +# $_t["de"]["You have been successfully logged out."] = "--> Deutsche Übersetzung hier. <--"; + ?> \ No newline at end of file diff --git a/web/lib/aur.inc b/web/lib/aur.inc index a333576d..54ec5eff 100644 --- a/web/lib/aur.inc +++ b/web/lib/aur.inc @@ -3,18 +3,24 @@ include_once("aur_po.inc"); # Define global variables # -$PASS_PHRASE = "Dustyissocool"; -$SUPPORTED_LANGS = array( +$LOGIN_TIMEOUT = 10; # number of idle seconds before timeout +$SUPPORTED_LANGS = array( # what languages we have translations for "en" => 1, # English "es" => 1, # Español "de" => 1, # Deutsch "fr" => 1, # Français ); +# debugging variables +# +$QBUG = 1; # toggle query logging to /tmp/aurq.log +$DBUG = 1; # use dbug($msg) to log to /tmp/aurd.log + # see if the visitor is already logged in # function check_sid() { global $_COOKIE; + global $LOGIN_TIMEOUT; if (isset($_COOKIE["AURSID"])) { $failed = 0; @@ -23,28 +29,45 @@ function check_sid() { $dbh = db_connect(); $q = "SELECT LastUpdateTS, UNIX_TIMESTAMP() FROM Sessions "; $q.= "WHERE SessionID = '" . mysql_escape_string($_COOKIE["AURSID"]) . "'"; - $result = mysql_query($q, $dbh); + $result = db_query($q, $dbh); if (!$result) { + # Invalid SessionID - hacker alert! + # $failed = 1; } else { - if ($row[0] + 10 >= $row[1]) { - $failed = 1; + $row = mysql_fetch_row($result); + if ($row[0] + $LOGIN_TIMEOUT <= $row[1]) { + dbug("login timeout reached"); + $failed = 2; } } - if ($failed) { + if ($failed == 1) { + # clear out the hacker's cookie, and send them to a naughty page + # + setcookie("AURSID", "", time() - (60*60*24*30), "/"); + header("Location: /hacker.php"); + + } elseif ($failed == 2) { # visitor's session id either doesn't exist, or the timeout # was reached and they must login again, send them back to # the main page where they can log in again. # $q = "DELETE FROM Sessions WHERE SessionID = '"; $q.= mysql_escape_string($_COOKIE["AURSID"]) . "'"; - mysql_query($q, $dbh); + db_query($q, $dbh); setcookie("AURSID", "", time() - (60*60*24*30), "/"); header("Location: /timeout.php"); + + } else { + # still logged in and haven't reached the timeout, go ahead + # and update the idle timestamp + # + $q = "UPDATE Sessions SET LastUpdateTS = UNIX_TIMESTAMP() "; + $q.= "WHERE SessionID = '".mysql_escape_string($_COOKIE["AURSID"])."'"; + db_query($q, $dbh); } } - return; } @@ -81,7 +104,7 @@ function username_from_sid($sid="") { $q.= "FROM Users, Sessions "; $q.= "WHERE Users.ID = Sessions.UsersID "; $q.= "AND SessionID = '" . mysql_escape_string($sid) . "'"; - $result = mysql_query($q, $dbh); + $result = db_query($q, $dbh); if (!$result) { return ""; } @@ -111,6 +134,26 @@ function db_connect() { return $handle; } +# wrapper function around db_query in case we want to put +# query logging/debuggin in. +# +function db_query($query="", $db_handle="") { + global $QBUG; + if (!$query) { + return FALSE; + } + if (!$db_handle) { + $db_handle = db_connect(); + } + if ($QBUG) { + $fp = fopen("/tmp/aurq.log", "a"); + fwrite($fp, $query . "\n"); + fclose($fp); + } + $result = mysql_query($query, $db_handle); + return $result; +} + # set up the visitor's language # function set_lang() { @@ -152,6 +195,7 @@ function set_lang() { # common header # function html_header() { + global $_COOKIE; print "\n"; print "\n"; print ""; @@ -205,14 +249,20 @@ function html_header() { print " ".__("Accounts")." "; print " - "; print " ".__("Packages")." "; - print " - "; - print " ".__("Vote")." "; - print " - "; - print " ".__("Manage")." "; - print " - "; - print " ".__("Submit")." "; - print " - "; - print " ".__("Logout")." "; + if (isset($_COOKIE["AURSID"])) { + # Only display these items if the visitor is logged in. This should + # be a safe check because check_sid() has been called prior to + # html_header(). + # + print " - "; + print " ".__("Vote")." "; + print " - "; + print " ".__("Manage")." "; + print " - "; + print " ".__("Submit")." "; + print " - "; + print " ".__("Logout")." "; + } print " :."; print " "; print " "; @@ -237,10 +287,19 @@ function html_footer($ver="") { print "\n"; print "
".$ver."
\n"; } - print "<\p>\n"; + print "

\n"; print "\n"; return; } +# debug logging +# +function dbug($msg) { + $fp = fopen("/tmp/aurd.log", "a"); + fwrite($fp, $msg . "\n"); + fclose($fp); + return; +} + # vim: ts=2 sw=2 noet ft=php ?>