Commit graph

83 commits

Author SHA1 Message Date
Lukas Fleischer
42f5c405c0 aurjson: Remove stray GROUP BY clause
The IDs of packages are unique, so there is no need to group search
results by package ID.

Note that the GROUP BY statement in question was introduced in commit
3447dfc (Support versioned RPC queries, 2014-04-28) for no apparent
reason and could even lead to errors in various DBMS.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2016-03-01 18:30:48 +01:00
Lukas Fleischer
9d7d1be731 aurjson: Add package base keywords
Expose package base keywords through the RPC interface (version 5).

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2016-02-09 21:54:39 +01:00
Lukas Fleischer
1f179c9fbc aurjson: Do not search by ID when argument is numeric
When performing info or multiinfo queries, one can currently either pass
package names or package IDs as parameters. As a consequence, it is
impossible to search for packages with a numeric package name because
numeric arguments are always treated as IDs. Since package IDs are not
public anymore these days, simply remove the possibility to search by ID
in revision 5 of the RPC interface.

Fixes FS#47324.

Suggested-by: Dave Reisner <dreisner@archlinux.org>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-12-13 10:22:59 +01:00
Lukas Fleischer
a2cbc7f646 aurjson: Allow underscores in JSONP callback names
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-10-24 18:03:19 +02:00
Lukas Fleischer
1f6237ffa7 aurjson: Rename the search_by parameter to "by"
This parameter is only supported by the search command. We do not need
to repeat ourselves.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-10-09 17:35:51 +02:00
Lukas Fleischer
3c06716c72 aurjson: Merge info and multiinfo commands
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-10-04 11:40:38 +02:00
Lukas Fleischer
261c7f74dd aurjson: Add "maintainer" search type
Deprecate the msearch command and add a new search type to the search
command.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-10-04 11:40:37 +02:00
Lukas Fleischer
f5b4f7e996 Fix parameter processing in parse_multiinfo_args()
Fixes a regression introduced in 94aeead (aurjson: Pass http_data array
to all functions, 2015-06-28).

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-10-03 11:07:39 +02:00
Lukas Fleischer
c67e5a1cdf aurjson.class.php: Sync error message with front-end
Instead of introducing a new message "You do not have the right to edit
this comment." for the RPC interface, use "You are not allowed to edit
this comment." which we already show in the front-end.

Reported-by: Christoph Seitz <seitz.christoph@gmail.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-09-26 07:43:10 +02:00
Lukas Fleischer
2f8e0dfa3a aurjson.class.php: Fix "Undefined index" notices
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-09-25 08:35:43 +02:00
Lukas Fleischer
209b0b6eda Mitigate JSONP callback vulnerabilities
The callback parameter of the RPC interface currently allows for
specifying a prefix of arbitrary length of the returned result. This can
be exploited by certain attacks.

As a countermeasure, this patch restricts the allowed character set for
the callback name to letters, digits, underscores, parentheses and dots.
It also limits the length of the name to 128 characters. Furthermore,
the reflected callback name is now always prepended with "/**/", which
is a common workaround to protect against attacks such as Rosetta Flash.

Fixes FS#46259.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-09-12 10:20:03 +02:00
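The mitigation described in the commit message above (callback restricted to letters, digits, underscores, parentheses and dots, at most 128 characters, reply prefixed with "/**/"), re-implemented here as a small stand-alone validator. This is an added example, not aurweb's code: `CALLBACK_RE`, `is_valid_callback` and `render_jsonp` are names chosen for the example, and the 400 reply for a rejected callback is an assumption.

```python
import json
import re
from typing import Optional, Tuple

# Allowed character set and length limit taken from the commit message:
# letters, digits, underscores, parentheses and dots, at most 128 chars.
# CALLBACK_RE, is_valid_callback and render_jsonp are names chosen for
# this example; they are not aurweb's own identifiers.
CALLBACK_RE = re.compile(r"[A-Za-z0-9_().]{1,128}")


def is_valid_callback(name: str) -> bool:
    """True when the whole callback name is within the allowed set and length."""
    # fullmatch() rather than a $-anchored match: in Python, $ also matches
    # before a trailing newline, which would let "cb\n" through.
    return CALLBACK_RE.fullmatch(name) is not None


def render_jsonp(payload: dict, callback: Optional[str]) -> Tuple[int, str]:
    """Return (HTTP status, response body) for a JSON or JSONP request.

    A plain JSON reply is returned when no callback is given.  A callback
    that fails validation is rejected (400 here, an assumption) instead of
    being reflected into the response.
    """
    body = json.dumps(payload, separators=(",", ":"))
    if callback is None:
        return 200, body
    if not is_valid_callback(callback):
        return 400, json.dumps({"error": "Invalid callback name."})
    # "/**/" makes the reply begin with a JavaScript comment, so the first
    # bytes of the response are never attacker-chosen; this is the Rosetta
    # Flash workaround the commit message refers to.
    return 200, "/**/" + callback + "(" + body + ")"


if __name__ == "__main__":
    print(render_jsonp({"version": 5, "results": []}, "parse_results"))
```

The length limit and the whitelist live in one regular expression so that a single check decides whether the name is reflected at all; the "/**/" prefix is added unconditionally, not only when the name looks suspicious.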
Johannes Löthberg
da1153857f rpc: msearch: Give orphans on empty maintainer argument
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-08-11 13:57:04 +02:00
Lukas Fleischer
080b6f3d12 aurjson.class.php: Add missing PHPDoc
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-08-08 12:59:24 +02:00
Marcel Korpel
8328223a5e aurjson.class.php: Add method get_comment_form()
This method will be used by the JavaScript comment editing and produces
a form containing the comment.

Signed-off-by: Marcel Korpel <marcel.korpel@gmail.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-08-08 12:59:24 +02:00
Johannes Löthberg
d8142abbbe Expose name-only search through the RPC interface
Fixes FS#37317.

Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-08-08 12:59:23 +02:00
Johannes Löthberg
94aeead4ec aurjson: Pass http_data array to all functions
This is a preparatory patch that simplifies adding more arguments to
the parse functions.

Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
Signed-off-by: Marcel Korpel <marcel.korpel@gmail.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-08-08 12:59:23 +02:00
Johannes Löthberg
838639056a Delete unused variable
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-08-08 12:59:23 +02:00
Johannes Löthberg
ea59f72778 RPC: Add decimal_fields array for floating-point fields
Fixes FS#45537.

Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-07-04 13:02:37 +02:00
Lukas Fleischer
5a050552e8 Add the popularity field to the RPC interface
Implements FS#45422.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-06-27 13:04:03 +02:00
Lukas Fleischer
5fb7a74e23 Replace categories with keywords
Remove package base categories. Instead, users can now specify up to
twenty custom keywords that are taken into consideration when searching.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-06-14 17:58:55 +02:00
Lukas Fleischer
bd9af5f893 Reintroduce the URLPath field
In commit 74edb6f (Use Git repositories to store packages, 2014-06-06),
the URLPath field was dropped from RPC package results. Reintroduce the
field for backwards compatibility, even though it is no longer
recommended to use snapshot tarballs.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-06-11 13:44:53 +02:00
Lukas Fleischer
2be78f42ac aurjson.class.php: Exclude hidden package bases
Do not return packages belonging to hidden package bases in RPC results.

Fixes FS#45271.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-06-09 08:43:24 +02:00
Lukas Fleischer
74edb6fea9 Use Git repositories to store packages
* Remove package submission page from the web interface.
* Replace PKGBUILD and tarball links with links to cgit.
* Remove the "URLPath" field from RPC replies.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-12-27 12:42:12 +01:00
Lukas Fleischer
76343fb915 Use an INI-style configuration file
Replace web/lib/config.inc.php with an INI-style configuration file.
This allows us to get rid of several globals and makes it easier to use
the same configuration file in external scripts.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-10-24 10:03:54 +02:00
Lukas Fleischer
0a357a7d44 Add typeahead suggest to the merge request form
Add the typeahead implementation we already use for the package search
to the merge target text field. Instead of suggesting packages, suggest
package base names.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-07-23 17:53:30 +02:00
Lukas Fleischer
65129ce9c3 Make results consistent in RPC replies
Add RPC v3 which always returns a list of objects in RPC responses,
regardless of the request type. An empty list is returned when an error
occurs. The error message is moved to a separate "error" field.

Fixes FS#40963.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-06-25 12:10:15 +02:00
Lukas Fleischer
d909ffcb17 aurjson: Add a PackageBaseID field
This is useful to tools that automatically generate requests to orphan,
delete or merge packages.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-05-31 11:45:00 +02:00
Lukas Fleischer
cf6470803e aurjson: Fix multiinfo when using package IDs
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-05-18 12:19:29 +02:00
Lukas Fleischer
c90faa44a1 Use RPC API version 1 by default
Most AUR helpers don't support the new format yet. Use version 1 of the
API by default. In order to use the new format, "v=2" can be appended to
the list of GET parameters.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-04-28 18:54:26 +02:00
Lukas Fleischer
3447dfcbff Support versioned RPC queries
This adds a backwards compatibility mode for the old RPC API. The old
format can be requested by explicitly adding "v=1" to the list of GET
parameters. Note that due to internal changes, the old format only
returns the first license that belongs to a package.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-04-28 18:54:26 +02:00
Lukas Fleischer
11a565936e aurjson.class.php: Style fixes
* Fix braces, indentation and comment style.
* Remove some superfluous comments.
* Reword some comments.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-04-28 18:44:41 +02:00
Lukas Fleischer
e50f352643 Add a version tag to RPC replies
This is needed for clients to quickly differentiate between different
versions of the RPC API. The version number should be bumped whenever
there is a change that breaks backwards compatibility.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-04-28 00:10:42 +02:00
Lukas Fleischer
eb6cf1fad0 Add more fields to RPC info replies
This patch adds the following fields to info and multiinfo replies:

* Depends
* MakeDepends
* CheckDepends
* OptDepends
* Conflicts
* Provides
* Replaces
* Groups
* License

Each of these fields is an array.

Note that since collecting all these fields is CPU-intensive, they are
not included in replies to search queries.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-04-28 00:10:42 +02:00
Lukas Fleischer
b384f32fec Fix the RPC interface
* Fix the SQL query to conform to the new database layout.

* Remove the license field from replies. The license field is now stored
  in a separate table and no longer returned on search queries.

* Add a "PackageBase" field that contains the name of the package base
  of every package in the result.

* Fix the source tarball URL. The URL is now built based on the package
  base name instead of the package name.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-04-27 23:30:33 +02:00
Chris Down
35c5a5a3a9 Specify charset in Content-Type header when returning JSON data from API.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-09-02 00:29:58 +02:00
canyonknight
8e03e68d68 Add database wrapper class and new connection method
Uses the Singleton pattern to ensure all queries use the same
database connection that is released upon script completion.

All database connections should now be called with DB::connect() and
not db_connect().

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-02-10 12:10:37 +01:00
Marcel Korpel
b004333ead Implemented typeahead suggest
Use Twitter Bootstrap JavaScript framework for typeahead support.

Add a new "suggest" JSON method, which returns the first 20
packages that match the beginning characters of a query.

canyonknight: Link format change, commit message
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-01-19 12:17:55 +01:00
canyonknight
43a69e7127 aurjson.class.php: Limit number of RPC results
With no limit to the number of results, memory_limit set to 32M
can easily be exceeded for searches that have a large number of
results. This results in an HTTP error 500 for those queries.

Limit results to an amount set within config.inc.php to avoid
exceeding memory_limit. Introduce new JSON error code for when
the result limit is hit.

Fixes FS#31849.

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-22 12:33:13 +02:00
canyonknight
e171f6f34e Migrate all DB code to use PDO
All DB code currently uses the quickly aging mysql_* functions. These
functions are strongly discouraged and may eventually be deprecated.

Transition all code to utilize the PDO data access abstraction layer. PDO
allows for consistent query code across multiple databases. This could
potentially allow for someone to use a database other than MySQL with
minimal code changes.

All functions and behaviors are reproduced as faithfully as possible with
PDO equivalents and some changes in code.

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-09-18 00:58:46 +02:00
Lukas Fleischer
0557f7705a RPC: Do not return an error on 0 results
Return an empty array and set the result count to zero instead.

Before:

    $ curl 'http://localhost/rpc.php?type=search&arg=raboof'
    {"type":"error","resultcount":0,"results":"No results found"}

After:

    $ curl 'http://localhost/rpc.php?type=search&arg=raboof'
    {"type":"search","resultcount":0,"results":[]}

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-11-03 08:48:20 +01:00
Dave Reisner
168a51431b aurjson: add result count to JSON result
We already ask for the result count, but only use it as a basis for testing
query success or failure. Add the value to the JSON reply.

Signed-off-by: Dave Reisner <dreisner@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-11-02 21:21:23 +01:00
Lukas Fleischer
47c5167acb Escape wildcards in "LIKE" patterns
Percent signs ("%") and underscores ("_") are not escaped by
mysql_real_escape_string() and are interpreted as wildcards if combined
with "LIKE". Write a wrapper function db_escape_like() and use it where
appropriate.

Note that we already fixed this for the RPC interface in commit
da2ebb667b but missed the other places. This patch should fix all
remaining flaws reported in FS#26527.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Signed-off-by: Dan McGee <dan@archlinux.org>
2011-10-24 17:57:54 +02:00
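The wildcard problem the commit above describes, shown side by side with the fix: a search term containing "%" or "_" is interpreted as a pattern unless those characters are escaped before being placed in a LIKE expression. This is an added example, not aurweb's `db_escape_like()`: `escape_like`, `search_names`, `search_names_unescaped` and `build_demo_db` are names chosen here, and the data is a constructed in-memory SQLite table rather than the AUR schema. The ESCAPE clause makes the escape character explicit; MySQL treats backslash as the LIKE escape character by default, which is why doubling it and prefixing "%" and "_" with it is sufficient there.

```python
import sqlite3
from typing import List

# Escape character used inside the LIKE pattern.  escape_like() plays the
# role of the db_escape_like() wrapper from the commit message; all names
# and the sample table below belong to this example, not to aurweb.
LIKE_ESCAPE = "\\"


def escape_like(value: str, escape: str = LIKE_ESCAPE) -> str:
    """Escape LIKE wildcards so the term matches literally.

    The escape character itself is doubled first, then '%' and '_' are
    prefixed with it; doing it in this order keeps the result unambiguous.
    """
    return (value.replace(escape, escape + escape)
                 .replace("%", escape + "%")
                 .replace("_", escape + "_"))


def search_names(conn: sqlite3.Connection, term: str) -> List[str]:
    """Substring search with the user's term treated literally."""
    pattern = "%" + escape_like(term) + "%"
    rows = conn.execute(
        "SELECT Name FROM Packages WHERE Name LIKE ? ESCAPE ? ORDER BY Name",
        (pattern, LIKE_ESCAPE),
    )
    return [name for (name,) in rows]


def search_names_unescaped(conn: sqlite3.Connection, term: str) -> List[str]:
    """The flawed variant: '%' and '_' inside the term act as wildcards."""
    rows = conn.execute(
        "SELECT Name FROM Packages WHERE Name LIKE ? ORDER BY Name",
        ("%" + term + "%",),
    )
    return [name for (name,) in rows]


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: a few package names, one containing '_'."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Packages (ID INTEGER PRIMARY KEY, Name TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO Packages (Name) VALUES (?)",
        [("python_foo",), ("pythonxfoo",), ("perl-bar",), ("100%",)],
    )
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    print("escaped  :", search_names(db, "python_foo"))
    print("unescaped:", search_names_unescaped(db, "python_foo"))
```

Note that parameter binding alone does not solve this: both queries bind the pattern, yet the unescaped one still lets "_" match any single character and "%" match everything. Escaping the term is a separate step from preventing SQL injection.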
Lukas Fleischer
323d418f02 Wrap mysql_real_escape_string() in a function
Wrap mysql_real_escape_string() in a wrapper function db_escape_string()
to ease porting to other databases, and as another step to pulling more
of the database code into a central location.

This is a rebased version of a patch by elij submitted about half a year
ago.

Thanks-to: elij <elij.mx@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-10-24 17:57:54 +02:00
Lukas Fleischer
795971bc80 RPC: Coerce numeric values into integers
Coerce following fields into integers to ensure json_encode() serializes
them as integers:

* ID
* CategoryID
* NumVotes
* OutOfDate
* FirstSubmitted
* LastModified

This means that there will be a minor API break. There's no better way
to do this properly, though. Fixes FS#25693.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-09-23 15:30:32 +02:00
Lukas Fleischer
04a0fd4748 RPC: Provide out-of-date timestamp
Convert the "OutOfDate" field to provide a timestamp instead of a
boolean flag in JSON results. We don't really care about backward
compatibility here, as most AUR helpers would break anyway when trying
to parse RPC responses after the data type overhaul that should come
with one of the following patches.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-09-23 14:05:41 +02:00
Lukas Fleischer
53a31865f4 RPC: Fix info queries when using package IDs
Info queries using package IDs were no longer working due to commit
c6d84b3a8d, which introduced a table join in process_query(), thus
making the "ID" column ambiguous. Fix this by explicitly specifying the
table to use. Fixes FS#25696.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-22 08:17:26 +02:00
Dan McGee
9a79d2105e Segment the upload directory by package name prefix
This implements the following scheme:

* /packages/cower/ --> /packages/co/cower/
* /packages/j/     --> /packages/j/j/
* /packages/zqy/   --> /packages/zq/zqy/

We take up to the first two characters of each package name as an
intermediate subdirectory, and then the full package name lives
underneath that. Shorter named packages live in a single letter
directory.

Why, you ask? Well because earlier today the AUR hit 32,000 entries in
the unsupported/ directory, making new package uploads impossible. While
some might argue we shouldn't have so many damn packages in the repos,
we should be able to handle this case.

Why two characters instead of one? Our two biggest two-char groups, 'pe'
and 'py', both start with 'p', and have nearly 2000 packages each. Go
Python and Perl.

Still needed is a "move the existing data" script, as well as a set of
rewrite rules for those wishing to preserve backward compatible URLs for
any helper programs doing the wrong thing and relying on them.

Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-08-10 14:34:07 +02:00
elij
888db089c5 rename *.inc files to *.inc.php and adjust imports and references
Lukas: Add note to "UPGRADING".

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-06-22 15:15:04 +02:00
kachelaqa
0df6d7b4e7 add first submitted and last modified to rpc output
After reading the discussion about the submitter field, I looked again
at my previous patch and realized that it was not very good at all.

Hopefully this simplified version will be more acceptable.

The justification for this patch is that many third-party tools will
want to know how new a package is, or when it last changed. Adding the
submitted and modified timestamps will allow users to get all the
relevant package data in a single query.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-05-17 10:46:56 +02:00
elij
77f3aa56b7 add support for etag and conditional get (if-none-match)
Add etag and if-none-match conditional get support. This will allow
'smart clients' to save network bandwidth, as they can save the etag hash
value for queries and test it later. It is still an HTTP request, because
this patch specifically sets a cache lifetime of zero, and must-revalidate.
The benefit here is bandwidth savings. Caching based on expires headers
would likely be counterproductive, as the api data can change rather
quickly, but etag is a nice compromise, and could be quite beneficial
for bandwidth reduction in some scenarios.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-05-17 10:43:49 +02:00
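The exchange the commit above describes, as an added example that is not part of the original project: the server derives an ETag from the exact response body, sends it with a zero cache lifetime and must-revalidate, and answers 304 with no body when the client's If-None-Match still matches. The commit does not say which hash the etag is built from, so SHA-256 over the serialised body is an assumption made here; `make_etag`, `handle_get` and `Client` are names chosen for the example, and the client hands the server a payload directly to simulate the database state changing between requests.

```python
import hashlib
import json
from typing import Dict, Optional, Tuple

# make_etag, handle_get and Client are this example's names.  SHA-256 of the
# serialised body as the etag is an assumption; the commit message only
# says an "etag hash value" is returned.


def make_etag(body: bytes) -> str:
    """Strong ETag: quoted hex digest of the exact response body."""
    return '"' + hashlib.sha256(body).hexdigest() + '"'


def handle_get(payload: dict,
               if_none_match: Optional[str] = None
               ) -> Tuple[int, Dict[str, str], bytes]:
    """Server side: reply 304 when the client's tag still matches.

    Cache lifetime is zero and must-revalidate is set, as in the commit, so
    the client always revalidates but only downloads the body when it changed.
    """
    body = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    etag = make_etag(body)
    headers = {"ETag": etag, "Cache-Control": "max-age=0, must-revalidate"}
    if if_none_match is not None:
        # If-None-Match may carry a comma-separated list of tags or "*".
        candidates = [t.strip() for t in if_none_match.split(",")]
        if "*" in candidates or etag in candidates:
            return 304, headers, b""
    headers["Content-Type"] = "application/json; charset=utf-8"
    return 200, headers, body


class Client:
    """A 'smart client' that remembers the last ETag and body per query."""

    def __init__(self) -> None:
        self.cache: Dict[str, Tuple[str, bytes]] = {}
        self.bytes_received = 0

    def fetch(self, query: str, payload: dict) -> bytes:
        """Issue a conditional GET; `payload` stands in for the server's data."""
        cached = self.cache.get(query)
        status, headers, body = handle_get(payload,
                                           cached[0] if cached else None)
        self.bytes_received += len(body)
        if status == 304 and cached is not None:
            return cached[1]          # unchanged: reuse the stored body
        self.cache[query] = (headers["ETag"], body)
        return body


if __name__ == "__main__":
    c = Client()
    c.fetch("type=search&arg=raboof", {"version": 5, "results": []})
    c.fetch("type=search&arg=raboof", {"version": 5, "results": []})
    print("bytes received after two fetches:", c.bytes_received)
```

Because the tag is computed from the serialised body, any change to the underlying data invalidates it automatically; nothing has to be tracked per record. The cost is that the server still performs the query on every request, which is the trade-off the commit message accepts in exchange for not serving stale data.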