* Move DB code for removing a session in logout.php to a new function in
acctfuncs.inc.php
* Add ability for clear_expired_sessions function to check for DB connection
* Centralization of DB code important in a future transition to PDO interface
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
* Verifying a username exists should use already present valid_user function
* Create new functions in acctfuncs.inc.php with SQL queries from addvote.php
* Centralization of DB code important in a future transition to PDO interface
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
* Create new function in pkgfuncs.inc.php with SQL queries from voters.php
* Centralization of DB code important in a future transition to PDO interface
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Move all languages to a select container to save some space. Language
selection is a rarely used feature, so there's no need to make this a
one click option.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Do not show the login form on every page. Move it to a separate login
page and add a link to the navigation bar. Also, add a logout link for
logged-in users.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Signed-off-by: canyonknight <canyonknight@gmail.com>
* Switch to CSS used by archweb
* General fixups in XHTML
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
* Use CSS from archweb
* General clean-up of XHTML formatting
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
* Switch CSS over to archweb styling
* General clean-up of XHTML
* Set proposal box size to something more sane for a default
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
* Change all boxes and other CSS to match archweb
* General fixups in XHTML formatting
* Change results table to match color scheme everywhere else
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
* Adjust style to match the overall layout.
* Use proper HTML tags and double quotes.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Signed-off-by: canyonknight <canyonknight@gmail.com>
* Currently voters.php has no navigation links and/or styling. This patch adds
the appropriate styling
* User PHP alternative syntax for control structures
* Change a variable name to more frequently used "atype"
* General clean-up of XHTML
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
* Switch to CSS used by archweb
* Move package search to a smaller box to match the style of the main site
* Add text describing mailing list and bug tracker. Eventually remove those
associated nav bar links.
* General clean-up of XHTML
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Using a div container to format heading is ridiculous. Use "<h2></h2>"
instead.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Signed-off-by: canyonknight <canyonknight@gmail.com>
* Add "archweb.css" from the master branch of archweb. We will use this
as base style sheet in the future.
* Add "aur.css" for AUR-specific extensions to "archweb.css".
* Remove the "archnavbar.css" link from the header template since this
is included in "archweb.css".
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
A mix of logical operator styles are currently in use. The predominant style
uses "&&" and "||" instead of "and" and "or", respectively. This inconsistency
is minor, but is easily avoided.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Specially crafted pages can force authenticated users to unknowingly perform
actions on the AUR website despite being on an attacker's website. This
cross-site request forgery (CSRF) vulnerability applies to all POST data on
the AUR.
Implement a token system using a double submit cookie. Have a hidden form
value on every page containing POST forms. Use the newly added check_token() to
verify the token sent via POST matches the "AURSID" cookie value. Random
nature of the token limits potential for CSRF.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Rather than looking up by username, it makes more sense to look the
stats up by user ID to reduce the number of needed joins.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
This is more user-friendly than supporting package IDs only and can be
used as a basis to support direct links to AUR packages in places where
links are computer-produced (e.g. Wiki templates).
Addresses FS#21600 and FS#28839.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
This is handy for verifying the PGP key of new Trusted Users. Also, this
could potentially used as a basis to allow signed package uploads in the
future.
Implements FS#29028.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
* Reorder checks.
* Use simple string functions instead of regular expressions.
* Check for type flags before validating paths.
The latter ensures we don't treat tarball keywords/flags as directories.
This avoids problems with bsdtar inserting PaxHeader attributes into the
archive which look something like the following to Archive_Tar:
PaxHeader/xcursor-protozoa
xcursor-protozoa/
xcursor-protozoa/PaxHeader/PKGBUILD
xcursor-protozoa/PKGBUILD
This only occurs on certain filesystems (e.g. jfs), but the tarball is
by no means invalid. When extracted, it will only contain the PKGBUILD
within a single subdirectory.
Addresses FS#28802.
Thanks-to: Dave Reisner <dreisner@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Use "undisclosed-recipients: ;" when sending mass notifications (such as
comment notifications and the like. Addresses FS#28229.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
This should be set to something like 'http://localhost' for development
or 'https://aur.archlinux.org' in production. It ensures all links in
the site stay in the development site and there is no sudden jump from
development to production environments.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Wrap mysql_real_escape_string() in a wrapper function db_escape_string()
to ease porting to other databases, and as another step to pulling more
of the database code into a central location.
This is a rebased version of a patch by elij submitted about half a year
ago.
Thanks-to: elij <elij.mx@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Conflicts:
web/lib/aur.inc.php
Wrap mysql_real_escape_string() in a wrapper function db_escape_string()
to ease porting to other databases, and as another step to pulling more
of the database code into a central location.
This is a rebased version of a patch by elij submitted about half a year
ago.
Thanks-to: elij <elij.mx@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
We already show it in the account listing page as well, so we should
show it here too.
Also use a standard date format; we weren't using this non-punctuated
format anywhere else.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
This affects login the most, where we save about 4 calls to db_connect()
by passing a single handle into functions where necessary.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Replacing with CSS styles where appropriate. A previously unused CSS
style is tweaked in the stylesheet to match most of what was done via
non-CSS styling.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Do not move the package to the incoming package directory and fail to
create proper database entries if some AUR upload helper doesn't provide
a category. We got several failing constraints here, such as:
Cannot add or update a child row: a foreign key constraint fails
(`AUR`.`Packages`, CONSTRAINT `Packages_ibfk_1` FOREIGN KEY
(`CategoryID`) REFERENCES `PackageCategories` (`ID`) ON DELETE NO
ACTION)
Instead, default to "1" (which is "none", or "keep category" for
existing packages) if no category is supplied.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Use the standard string type specifier instead of "%h" in format
strings. Both specifiers are treated equally in __() so we shouldn't
break anything here. This also allows us to replace the hacky
substitution algorithm in __() by vsprintf().
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
As discussed on the mailing list, enable "secure" and "httponly" for
session cookies to prevent them from being transferred over insecure
connections.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Add BEGIN and COMMIT statements where it makes sense to do so. This
allows the entire package creation or update process to be atomic and
not be seen until it is complete.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Merge all comments and votes of deleted packages into another package if
the "Merge with" field is used. Duplicate votes (votes from a user who
already voted on the target package or voted on more than one of the
deleted packages) are discarded.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Describe what this function actually does: Return the ID of a package
with a given name and return NULL if such a package doesn't exist.
The function name is chosen in a fashion similar to other functions from
"pkgfuncs.inc.php" (pkgname_from_id(), pkgnotify_from_sid(), ...).
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
This implements the following scheme:
* /packages/cower/ --> /packages/co/cower/
* /packages/j/ --> /packages/j/j/
* /packages/zqy/ --> /packages/zq/zqy/
We take up to the first two characters of each package name as a
intermediate subdirectory, and then the full package name lives
underneath that. Shorter named packages live in a single letter
directory.
Why, you ask? Well because earlier today the AUR hit 32,000 entries in
the unsupported/ directory, making new package uploads impossible. While
some might argue we shouldn't have so many damn packages in the repos,
we should be able to handle this case.
Why two characters instead of one? Our two biggest two-char groups, 'pe'
and 'py', both start with 'p', and have nearly 2000 packages each. Go
Python and Perl.
Still needed is a "move the existing data" script, as well as a set of
rewrite rules for those wishing to preserve backward compatible URLs for
any helper programs doing the wrong thing and relying on them.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Do not try to insert a falsey value into the database in case of
"depends=()".
Signed-off-by: Manuel <manutortosa@chakra-project.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Do not use split(), which has been deprecated as of PHP 5.3.0. As we
don't even require regular expressions here, just use explode() instead.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
The epoch field in PKGBUILD files was completely ignored until now,
and the final Version field for a package consisted only of
pkgver and pkgrel (example: 5.0-1)
This means that rpc.php reported the version incorrectly for packages
having epoch > 0.
One case where this was a problem is that it confused AUR helpers
wanting to examine all locally installed packages (with epoch > 0)
and search the AUR for an updated version.
The epoch field is taken into consideration now, and if not 0,
will be prepended to the final Version field (example: 1:5.0-1)
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
utilize the apc cache functionality in aur.inc to cache the rss feed
output. the cache will cache on a per-protocol basis (http/https) so
that urls are appropriate regardless of which url people hit.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
- Undefined index: HTTPS in rss.php on line 8
- Undefined property: RSSCreator20::$cssStyleSheet in
feedcreator.class.php on line 591
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
- move request_method test to the top, and catch other request types
(HEAD, PUT, etc)
- change how html output is handled. instead of building a string, just
output the html
- set appropriate response header for incorrect request_method.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
make the sql query form consistent in usage by cleaning up instances
where db_query's result was not inspected before attempting to fetch row
data from the handle
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
