* Rearrange order of package details to a more logical order
* Add widget box on right side of page that has package actions. Limited to
viewing PKGBUILD, downloading tarball, and printing package flag date.
Eventually should be able to support all AUR package actions.
* Move "Dependencies" and "Required by" to new CSS to allow for them to be
displayed as columns adjacent to one another, with one package per line.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Using a div container to format heading is ridiculous. Use "<h2></h2>"
instead.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Signed-off-by: canyonknight <canyonknight@gmail.com>
* Add "archweb.css" from the master branch of archweb. We will use this
as base style sheet in the future.
* Add "aur.css" for AUR-specific extensions to "archweb.css".
* Remove the "archnavbar.css" link from the header template since this
is included in "archweb.css".
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
We fixed this for the fields displayed on the package details page in
commit b5fffe9a02cd4fd3b7da66e403f02eea89c8fcad. This should fix the
remaining ones.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Signed-off-by: canyonknight <canyonknight@gmail.com>
No need to show a full RFC 2822-compliant date here. Instead, display
date, hours and minutes for "Last Updated" and "First Submitted" fields
and display the date only for the out-of-date time stamp.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: canyonknight <canyonknight@gmail.com>
A mix of logical operator styles are currently in use. The predominant style
uses "&&" and "||" instead of "and" and "or", respectively. This inconsistency
is minor, but is easily avoided.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
* Introduce ability to specify number of open and closed dummy trusted user
proposals
* First step for eventually adding dummy votes for proposals
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
There is no reason the MaintainerUID can't be treated as a string within this
script. By changing to a string an "if" statement can be eliminated.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
* Exit with an error if fortune command isn't found
* No reason to enforce the "-l" option from the fortune command
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
* Remove outdated information
* Give a brief synopsis of what the web visible PHP files do
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Old README file is severely outdated, update with current information.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Move documentation related to installation to a separate INSTALL file.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
This allows for getting the package names of multiple packages at once,
without having to iterate over them and making one DB query per package.
pkgname_from_id() now accepts both integer arrays and single integers
(backwards compatibility mode).
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Specially crafted pages can force authenticated users to unknowingly perform
actions on the AUR website despite being on an attacker's website. This
cross-site request forgery (CSRF) vulnerability applies to all POST data on
the AUR.
Implement a token system using a double submit cookie. Have a hidden form
value on every page containing POST forms. Use the newly added check_token() to
verify the token sent via POST matches the "AURSID" cookie value. Random
nature of the token limits potential for CSRF.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Rather than looking up by username, it makes more sense to look the
stats up by user ID to reduce the number of needed joins.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
This is more user-friendly than supporting package IDs only and can be
used as a basis to support direct links to AUR packages in places where
links are computer-produced (e.g. Wiki templates).
Addresses FS#21600 and FS#28839.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
This is handy for verifying the PGP key of new Trusted Users. Also, this
could potentially used as a basis to allow signed package uploads in the
future.
Implements FS#29028.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
this can be used as an intermediate 'patch' util there is a validation
system in place.
the extra check is to verify that the domain part of a correctly
formatted email address is existing and in use. this will not at all
stop spammers since they can use bogus emails with valid domain parts
Lukas: Minor formatting changes.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
* Reorder checks.
* Use simple string functions instead of regular expressions.
* Check for type flags before validating paths.
The latter ensures we don't treat tarball keywords/flags as directories.
This avoids problems with bsdtar inserting PaxHeader attributes into the
archive which look something like the following to Archive_Tar:
PaxHeader/xcursor-protozoa
xcursor-protozoa/
xcursor-protozoa/PaxHeader/PKGBUILD
xcursor-protozoa/PKGBUILD
This only occurs on certain filesystems (e.g. jfs), but the tarball is
by no means invalid. When extracted, it will only contain the PKGBUILD
within a single subdirectory.
Addresses FS#28802.
Thanks-to: Dave Reisner <dreisner@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
This one is not a specific dialect, so "nb" (Norwegian Bokmål) is the
better name to use here.
Thanks-to: Alexander Rødseth <rodseth@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
This makes the difference between Portuguese (Brazil) and Portuguese
(Portugal) a bit clearer. Also, "pt_PT" is way more up to date than
"pt".
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Use "undisclosed-recipients: ;" when sending mass notifications (such as
comment notifications and the like. Addresses FS#28229.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Escape each output string using htmlspecialchars(). These aren't
exploitable; it's still better to escape them properly.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Escape strings properly using htmlspecialchars(). Seems like we missed
these in former cleanups. Fixes FS#28515.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
We already ask for the result count, but only use it as a basis for testing
query success or failure. Add the value to the JSON reply.
Signed-off-by: Dave Reisner <dreisner@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
This should be set to something like 'http://localhost' for development
or 'https://aur.archlinux.org' in production. It ensures all links in
the site stay in the development site and there is no sudden jump from
development to production environments.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Percent signs ("%") and underscores ("_") are not escaped by
mysql_real_escape_string() and are interpreted as wildcards if combined
with "LIKE". Write a wrapper function db_escape_like() and use it where
appropriate.
Note that we already fixed this for the RPC interface in commit
da2ebb667b but missed the other places.
This patch should fix all remaining flaws reported in FS#26527.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Signed-off-by: Dan McGee <dan@archlinux.org>
Wrap mysql_real_escape_string() in a wrapper function db_escape_string()
to ease porting to other databases, and as another step to pulling more
of the database code into a central location.
This is a rebased version of a patch by elij submitted about half a year
ago.
Thanks-to: elij <elij.mx@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Conflicts:
web/lib/aur.inc.php
Percent signs ("%") and underscores ("_") are not escaped by
mysql_real_escape_string() and are interpreted as wildcards if combined
with "LIKE". Write a wrapper function db_escape_like() and use it where
appropriate.
Note that we already fixed this for the RPC interface in commit
da2ebb667b but missed the other places.
This patch should fix all remaining flaws reported in FS#26527.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Signed-off-by: Dan McGee <dan@archlinux.org>
Wrap mysql_real_escape_string() in a wrapper function db_escape_string()
to ease porting to other databases, and as another step to pulling more
of the database code into a central location.
This is a rebased version of a patch by elij submitted about half a year
ago.
Thanks-to: elij <elij.mx@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
We already show it in the account listing page as well, so we should
show it here too.
Also use a standard date format; we weren't using this non-punctuated
format anywhere else.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
This affects login the most, where we save about 4 calls to db_connect()
by passing a single handle into functions where necessary.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Replacing with CSS styles where appropriate. A previously unused CSS
style is tweaked in the stylesheet to match most of what was done via
non-CSS styling.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
