This is handy for verifying the PGP key of new Trusted Users. Also, this
could potentially used as a basis to allow signed package uploads in the
future.
Implements FS#29028.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
this can be used as an intermediate 'patch' util there is a validation
system in place.
the extra check is to verify that the domain part of a correctly
formatted email address is existing and in use. this will not at all
stop spammers since they can use bogus emails with valid domain parts
Lukas: Minor formatting changes.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
* Reorder checks.
* Use simple string functions instead of regular expressions.
* Check for type flags before validating paths.
The latter ensures we don't treat tarball keywords/flags as directories.
This avoids problems with bsdtar inserting PaxHeader attributes into the
archive which look something like the following to Archive_Tar:
PaxHeader/xcursor-protozoa
xcursor-protozoa/
xcursor-protozoa/PaxHeader/PKGBUILD
xcursor-protozoa/PKGBUILD
This only occurs on certain filesystems (e.g. jfs), but the tarball is
by no means invalid. When extracted, it will only contain the PKGBUILD
within a single subdirectory.
Addresses FS#28802.
Thanks-to: Dave Reisner <dreisner@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
This one is not a specific dialect, so "nb" (Norwegian Bokmål) is the
better name to use here.
Thanks-to: Alexander Rødseth <rodseth@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
This makes the difference between Portuguese (Brazil) and Portuguese
(Portugal) a bit clearer. Also, "pt_PT" is way more up to date than
"pt".
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Use "undisclosed-recipients: ;" when sending mass notifications (such as
comment notifications and the like. Addresses FS#28229.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Escape each output string using htmlspecialchars(). These aren't
exploitable; it's still better to escape them properly.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Escape strings properly using htmlspecialchars(). Seems like we missed
these in former cleanups. Fixes FS#28515.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
We already ask for the result count, but only use it as a basis for testing
query success or failure. Add the value to the JSON reply.
Signed-off-by: Dave Reisner <dreisner@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
This should be set to something like 'http://localhost' for development
or 'https://aur.archlinux.org' in production. It ensures all links in
the site stay in the development site and there is no sudden jump from
development to production environments.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Percent signs ("%") and underscores ("_") are not escaped by
mysql_real_escape_string() and are interpreted as wildcards if combined
with "LIKE". Write a wrapper function db_escape_like() and use it where
appropriate.
Note that we already fixed this for the RPC interface in commit
da2ebb667b but missed the other places.
This patch should fix all remaining flaws reported in FS#26527.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Signed-off-by: Dan McGee <dan@archlinux.org>
Wrap mysql_real_escape_string() in a wrapper function db_escape_string()
to ease porting to other databases, and as another step to pulling more
of the database code into a central location.
This is a rebased version of a patch by elij submitted about half a year
ago.
Thanks-to: elij <elij.mx@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Conflicts:
web/lib/aur.inc.php
Percent signs ("%") and underscores ("_") are not escaped by
mysql_real_escape_string() and are interpreted as wildcards if combined
with "LIKE". Write a wrapper function db_escape_like() and use it where
appropriate.
Note that we already fixed this for the RPC interface in commit
da2ebb667b but missed the other places.
This patch should fix all remaining flaws reported in FS#26527.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Signed-off-by: Dan McGee <dan@archlinux.org>
Wrap mysql_real_escape_string() in a wrapper function db_escape_string()
to ease porting to other databases, and as another step to pulling more
of the database code into a central location.
This is a rebased version of a patch by elij submitted about half a year
ago.
Thanks-to: elij <elij.mx@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
We already show it in the account listing page as well, so we should
show it here too.
Also use a standard date format; we weren't using this non-punctuated
format anywhere else.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
This affects login the most, where we save about 4 calls to db_connect()
by passing a single handle into functions where necessary.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Replacing with CSS styles where appropriate. A previously unused CSS
style is tweaked in the stylesheet to match most of what was done via
non-CSS styling.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
The create database statement sets the default character set of the
database to UTF-8, so no need to do it down below.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Notable changes include the necessary handle object and the splitting
of provides and replaces into alpm_depend_t objects.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
This is not strictly necessry as listitem->data is public.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Always use two lines for if statements, use a character constant rather
than the 0 integer when NULL-terminating a string, and remove the
unnecessary NULL check before free(value)- free(NULL) is a no-op and
always safe.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
The semicolons are not necessary when performing queries via the MySQL
API, so remove them.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
This has no real business being here, and is a pain to update when new
languages are shipped. Move it and the set_lang() function to
translator.inc.php instead so it doesn't overwhelm the user-configurable
settings file with static stuff.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Coerce following fields into integers to ensure json_encode() serializes
them as integers:
* ID
* CategoryID
* NumVotes
* OutOfDate
* FirstSubmitted
* LastModified
This means that there will be a minor API break. There's no better way
to do this properly, though. Fixes FS#25693.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Convert the "OutOfDate" field to provide a timestamp instead of a
boolean flag in JSON results. We don't really care about backward
compatibility here, as most AUR helpers would break anyway when trying
to parse RPC responses after the data type overhaul that should come
with one of the following patches.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Do not move the package to the incoming package directory and fail to
create proper database entries if some AUR upload helper doesn't provide
a category. We got several failing constraints here, such as:
Cannot add or update a child row: a foreign key constraint fails
(`AUR`.`Packages`, CONSTRAINT `Packages_ibfk_1` FOREIGN KEY
(`CategoryID`) REFERENCES `PackageCategories` (`ID`) ON DELETE NO
ACTION)
Instead, default to "1" (which is "none", or "keep category" for
existing packages) if no category is supplied.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Info queries using package IDs were no longer working due to commit
c6d84b3a8d, which introduced a table join
in process_query(), thus making the "ID" column ambiguous. Fix this by
explicitly specifying the table to use. Fixes FS#25696.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
This makes the "Category" label as well as "Change category" button on
the package details page translatable. Fixes FS#25692.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Remove hacky substitution code from __() and use vsprintf() instead
which will deal with all sorts of format strings properly.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Use the standard string type specifier instead of "%h" in format
strings. Both specifiers are treated equally in __() so we shouldn't
break anything here. This also allows us to replace the hacky
substitution algorithm in __() by vsprintf().
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
