* Use "<label>"/"</label>" for form labels.
* Use "<strong>"/"</strong>" for important text.
* Use "<h4>"/"</h4>" for headings.
* Drop "<b>"/"</b>" everywhere else.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Replace all occurrences of "<?php echo" and "<?php print" by "<?=" to
reduce noise in templates.
Note that as of PHP 5.4.0, "<?=" is always available and no longer
requires "short_open_tag" to be set.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Packages can currently be submitted with variables longer than the maximum
allowed by the DB for that specific field. The string will be shortened
without informing the user. This can result in unexpected oddities on
submitted packages. Print error messages informing the user when the package
name, URL, description, license, or version is too long.
Also move the resolution of full package version (including epoch) to an
earlier point in pkgsubmit.php
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Logged out users who navigate to /submit currently reach a page with only an
error message. This adds the full navigation bar for users who errantly reach
/submit before logging in.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Extend the routing front/back ends to allow for using
"/package/$pkgname/" for individual packages.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Use virtual paths in links (e.g. link to "/packages/" instead of
"/packages.php" etc.) if the virtual path feature is enabled.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
A foreach() being run without checking to see if the uploaded PKGBUILD had any
sources now no longer causes an undefined index notice when there are no
sources.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
* Currently, $_FILES showing a filesize of zero is interpreted as no file was
uploaded, despite other errors potentially being the cause.
* The $_FILES superglobal stores what the actual error was, so use it. This
includes file write problems, empty uploads, partial uploads, and
upload_max_filesize being exceeded.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
* Move DB code in pkgsubmit.php to new functions in aur.inc.php and
pkgfuncs.inc.php
* Centralization of DB code important in a future transition to PDO interface
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
* Adjust style to match the overall layout.
* Use proper HTML tags and double quotes.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Signed-off-by: canyonknight <canyonknight@gmail.com>
Using a div container to format heading is ridiculous. Use "<h2></h2>"
instead.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Signed-off-by: canyonknight <canyonknight@gmail.com>
Specially crafted pages can force authenticated users to unknowingly perform
actions on the AUR website despite being on an attacker's website. This
cross-site request forgery (CSRF) vulnerability applies to all POST data on
the AUR.
Implement a token system using a double submit cookie. Have a hidden form
value on every page containing POST forms. Use the newly added check_token() to
verify the token sent via POST matches the "AURSID" cookie value. Random
nature of the token limits potential for CSRF.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
* Reorder checks.
* Use simple string functions instead of regular expressions.
* Check for type flags before validating paths.
The latter ensures we don't treat tarball keywords/flags as directories.
This avoids problems with bsdtar inserting PaxHeader attributes into the
archive which look something like the following to Archive_Tar:
PaxHeader/xcursor-protozoa
xcursor-protozoa/
xcursor-protozoa/PaxHeader/PKGBUILD
xcursor-protozoa/PKGBUILD
This only occurs on certain filesystems (e.g. jfs), but the tarball is
by no means invalid. When extracted, it will only contain the PKGBUILD
within a single subdirectory.
Addresses FS#28802.
Thanks-to: Dave Reisner <dreisner@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Wrap mysql_real_escape_string() in a wrapper function db_escape_string()
to ease porting to other databases, and as another step to pulling more
of the database code into a central location.
This is a rebased version of a patch by elij submitted about half a year
ago.
Thanks-to: elij <elij.mx@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Conflicts:
web/lib/aur.inc.php
Wrap mysql_real_escape_string() in a wrapper function db_escape_string()
to ease porting to other databases, and as another step to pulling more
of the database code into a central location.
This is a rebased version of a patch by elij submitted about half a year
ago.
Thanks-to: elij <elij.mx@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Replacing with CSS styles where appropriate. A previously unused CSS
style is tweaked in the stylesheet to match most of what was done via
non-CSS styling.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Do not move the package to the incoming package directory and fail to
create proper database entries if some AUR upload helper doesn't provide
a category. We got several failing constraints here, such as:
Cannot add or update a child row: a foreign key constraint fails
(`AUR`.`Packages`, CONSTRAINT `Packages_ibfk_1` FOREIGN KEY
(`CategoryID`) REFERENCES `PackageCategories` (`ID`) ON DELETE NO
ACTION)
Instead, default to "1" (which is "none", or "keep category" for
existing packages) if no category is supplied.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Use the standard string type specifier instead of "%h" in format
strings. Both specifiers are treated equally in __() so we shouldn't
break anything here. This also allows us to replace the hacky
substitution algorithm in __() by vsprintf().
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Add BEGIN and COMMIT statements where it makes sense to do so. This
allows the entire package creation or update process to be atomic and
not be seen until it is complete.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Describe what this function actually does: Return the ID of a package
with a given name and return NULL if such a package doesn't exist.
The function name is chosen in a fashion similar to other functions from
"pkgfuncs.inc.php" (pkgname_from_id(), pkgnotify_from_sid(), ...).
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
This implements the following scheme:
* /packages/cower/ --> /packages/co/cower/
* /packages/j/ --> /packages/j/j/
* /packages/zqy/ --> /packages/zq/zqy/
We take up to the first two characters of each package name as a
intermediate subdirectory, and then the full package name lives
underneath that. Shorter named packages live in a single letter
directory.
Why, you ask? Well because earlier today the AUR hit 32,000 entries in
the unsupported/ directory, making new package uploads impossible. While
some might argue we shouldn't have so many damn packages in the repos,
we should be able to handle this case.
Why two characters instead of one? Our two biggest two-char groups, 'pe'
and 'py', both start with 'p', and have nearly 2000 packages each. Go
Python and Perl.
Still needed is a "move the existing data" script, as well as a set of
rewrite rules for those wishing to preserve backward compatible URLs for
any helper programs doing the wrong thing and relying on them.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Do not try to insert a falsey value into the database in case of
"depends=()".
Signed-off-by: Manuel <manutortosa@chakra-project.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Do not use split(), which has been deprecated as of PHP 5.3.0. As we
don't even require regular expressions here, just use explode() instead.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
The epoch field in PKGBUILD files was completely ignored until now,
and the final Version field for a package consisted only of
pkgver and pkgrel (example: 5.0-1)
This means that rpc.php reported the version incorrectly for packages
having epoch > 0.
One case where this was a problem is that it confused AUR helpers
wanting to examine all locally installed packages (with epoch > 0)
and search the AUR for an updated version.
The epoch field is taken into consideration now, and if not 0,
will be prepended to the final Version field (example: 1:5.0-1)
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Ensure we are not quoting these values in any of our SQL queries.
Thanks-to: elij <elij.mx@gmail.com>
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Prevent race conditions that may occur when either the session or the
user is deleted before we extract the actual user identifier.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
uid_from_sid() is called once at the very beginning of the script,
storing the actual user identifier in "$uid". No need to fire up another
query.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
We removed the code depending on this a long time ago - drop it and add
some note to "UPGRADING".
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Instead, we just store dependencies directly in the PackageDepends
table. Since we don't use this info anywhere besides the package details
page, there is little value in precalculating what is in the AUR vs.
what is not.
An upgrade path is provided via several SQL statements in the UPGRADING
document. There should be no user-visible change from this, but the DB
schema gets a bit more sane and we no longer have loads of junk packages
in our tables that are never shown to the end user. This should also
help the MySQL query planner in several cases as we no longer have to be
careful to exclude dummy packages on every query.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Set it equal to the SubmittedTS field, which will be our indication the
package is new when we show the logo on the front page of the AUR.
This results in the ability to remove the use of the unindexable
GREATEST() function from the AUR code everywhere we had to use it before
to handle the 0 timestamp case.
Note that there is no race condition here in calling UNIX_TIMESTAMP()
twice- it always returns the time at the beginning of statment
execution:
mysql> select unix_timestamp(), sleep(2), unix_timestamp();
+------------------+----------+------------------+
| unix_timestamp() | sleep(2) | unix_timestamp() |
+------------------+----------+------------------+
| 1300851746 | 0 | 1300851746 |
+------------------+----------+------------------+
1 row in set (2.00 sec)
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
We had a ton of duplicate code shared between the insert and update
cases. Do a refactor so we can pull this stuff out below the if/else
block and only need it there once, saving some headaches.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
end() expects a reference but we pass a function return value here.
Using list() is a bit hacky as well as it expects a 0-based array
whereas unpack() returns a 1-based array - thus we use "list(, $foo)".
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
This is quite hacky but this way we can ensure users get comprehensible
error messages when trying to upload ".tar.xz" or ".tar.bz2" files.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Can be used to blacklist package names for normal users. TUs and
developers are not affected. This is especially useful if used together
with a cron job that updates the blacklist periodically, e.g. to reject
packages which are available in the binary repos (FS#12902).
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
