Replace special characters in the referer GET parameter using
htmlspecialchars() before inserting it into the login form fields to
prevent from XSS attacks.
Fixes FS#55286.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Instead of calling check_sid() from every single PHP script representing
a web page, add the call to aur.inc.php which is sourced by all of them.
Also, remove set_lang() calls from the scripts since these are also
already included in aur.inc.php.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
After 24734d0 (Shorten Email column to 254 characters, 2015-11-12) the
maximum length of the input fields should be shortened, too.
Signed-off-by: Marcel Korpel <marcel.korpel@gmail.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
According to RFC 3696 (and the associated errata), an email address can
be up to 256 characters long. Change the database field and the length
limit on all input fields accordingly.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Accept both user names and email addresses in the login prompt.
Suggested-by: Johannes Löthberg <johannes@kyriasis.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
After the user was authenticated a redirect to the site which
linked the user to the login page is done. This fixes FS#32481.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
At the login and the package search page, the user is promted to
provide some input. Until now it was neccessary to first click the
field in which the input should be placed.
This can be simplified with HTML5 using the autofocus attribute of
the input element, though not included in XHTML 1.0, the attribute
was at least given a value to comply with the standard.
Signed-off-by: Gordian Edenhofer <gordian.edenhofer@gmail.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Rename the project to help differentiate between the software providing
access to the Arch User Repository and the collection of source packages
itself.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Replace web/lib/config.inc.php with an INI-style configuration file.
This allows us to get rid of several globals and makes it easier to use
the same configuration file in external scripts.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Use the routing library to build proper URIs instead of relying on the
"REQUEST_URI" server variable which can be manipulated and might return
bogus URIs.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
As all new passwords are hashed and therefore stored in the database
at the same length, this limitation is no longer needed.
Fixes FS#31855
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Replace all occurrences of "<?php echo" and "<?php print" by "<?=" to
reduce noise in templates.
Note that as of PHP 5.4.0, "<?=" is always available and no longer
requires "short_open_tag" to be set.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Use virtual paths in links (e.g. link to "/packages/" instead of
"/packages.php" etc.) if the virtual path feature is enabled.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Do not show the login form on every page. Move it to a separate login
page and add a link to the navigation bar. Also, add a logout link for
logged-in users.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Signed-off-by: canyonknight <canyonknight@gmail.com>
