Commit log (age, commit message, author, files changed, lines removed/added)

2011-03-30  Be more restrictive with source tarball contents.  (Lukas Fleischer; 1 file, -2/+13)
    Reject tarballs containing more than one directory or files outside a directory.
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-03-30  Fix XSS vulnerability in "web/template/header.php".  (Lukas Fleischer; 1 file, -2/+2)
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-03-30  Fix PHP notice when submitting an empty file.  (Lukas Fleischer; 1 file, -1/+1)
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-03-30  Fix strict standards warnings in "web/html/pkgsubmit.php".  (Lukas Fleischer; 1 file, -2/+2)
    end() expects a reference but we pass a function return value here. Using list() is a bit hacky as well as it expects a 0-based array whereas unpack() returns a 1-based array - thus we use "list(, $foo)".
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-03-30  Check if submitted files are in GZIP format.  (Lukas Fleischer; 1 file, -2/+16)
    This is quite hacky but this way we can ensure users get comprehensible error messages when trying to upload ".tar.xz" or ".tar.bz2" files.
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-03-30  Fix XSS vulnerabilities in "web/html/voters.php".  (Lukas Fleischer; 1 file, -2/+2)
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-03-30  Fix PHP undefined notice in "web/html/packages.php".  (Lukas Fleischer; 1 file, -1/+6)
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-03-30  Fix XSS vulnerabilities in package comment templates.  (Lukas Fleischer; 2 files, -3/+3)
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-03-30  gendummydata.py: Do not touch output file until we need it.  (Lukas Fleischer; 1 file, -5/+5)
    Ensures there's no leftover (empty) file if something during initialization fails.
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-03-24  Bump up default per-page value to 50  (Dan McGee; 2 files, -7/+7)
    25 is woefully small for the number of packages many searches can return, and with 28000+ packages in AUR, it makes sense to show a lot more per page by default. The new choices of (50, 100, 250) happen to match those from the main site.
    Signed-off-by: Dan McGee <dan@archlinux.org>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-03-15  Fix main site package search URL  (Dan McGee; 1 file, -2/+2)
    I've been wanting to kill this one for a long time.
    Signed-off-by: Dan McGee <dan@archlinux.org>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-03-12  Fix searching for orphans with "$LANG != 'en'" (fixes FS#23252).  (Lukas Fleischer; 1 file, -1/+1)
    Regression introduced in commit ef8fab0c. Removed the strict check again instead of wrapping it in __() to ensure search URLs are language independent.
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-03-11  Fix XSS vulnerability in package search results and package details.  (Lukas Fleischer; 2 files, -10/+10)
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-03-11  Fix broken XHTML.  (Lukas Fleischer; 14 files, -154/+170)
    Fix a lot of invalid XHTML in the templates and actions. There might still be some legacy code left, but this should cover most of it.
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-03-10  Perform a second query to find total search count  (Dan McGee; 1 file, -7/+11)
    This removes the need for SQL_CALC_FOUND_ROWS which can really slow down queries in a lot of cases. The COUNT(*) query we end up performing can reuse a lot of the original clauses from our primary query, but we can really slim it up by omitting some joins and the sorting/limiting clauses.
    Signed-off-by: Dan McGee <dan@archlinux.org>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-03-10  Split package search query into parts  (Dan McGee; 1 file, -20/+20)
    No functional change here; we should be rebuilding the same query at the end of the process.
    Signed-off-by: Dan McGee <dan@archlinux.org>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-03-10  More PHP Notice undefined fixups  (Dan McGee; 3 files, -3/+12)
    Signed-off-by: Dan McGee <dan@archlinux.org>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-03-09  Release 1.8.1.  (tag: 1.8.1)  (Lukas Fleischer; 1 file, -1/+1)
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-03-04  Fix outdated link in My Statistics pane  (Dan McGee; 1 file, -1/+1)
    Regression introduced in commit c39183c3ee7eb1.
    Signed-off-by: Dan McGee <dan@archlinux.org>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-03-04  Add a sanitize_ids function and use it in all pkg_* functions  (Dan McGee; 1 file, -33/+22)
    And use implode() instead of some looping/first time logic.
    Signed-off-by: Dan McGee <dan@archlinux.org>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-03-04  Set a default timezone  (Dan McGee; 1 file, -0/+2)
    With our use of strtotime() in stats.inc, we are "required" to do so or at least the emitted warning tells us it is a good idea.
    Signed-off-by: Dan McGee <dan@archlinux.org>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-03-04  Fix PHP notices in account pages  (Dan McGee; 2 files, -18/+28)
    Signed-off-by: Dan McGee <dan@archlinux.org>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-03-04  Remove dead dependency/required by link code  (Dan McGee; 2 files, -29/+7)
    For some reason we were doing this song and dance "iterate all the known parameters" business. This is totally unnecessary, clutters the links, and was spewing errors all over the place, so kill it.
    Signed-off-by: Dan McGee <dan@archlinux.org>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-03-04  Ensure all variables are set in package search form  (Dan McGee; 1 file, -21/+13)
    Signed-off-by: Dan McGee <dan@archlinux.org>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-03-04  Fix PHP notices in pkg_search_form  (Dan McGee; 1 file, -7/+7)
    If we were displaying this without coming from a previous query submit, notices were emitted all over the place. Fix them by adding an isset() first to each variable we try to access.
    Signed-off-by: Dan McGee <dan@archlinux.org>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-03-04  Fix PHP notice: requiredby array  (Dan McGee; 1 file, -3/+2)
    Required by query does not have a dep condition element.
    Signed-off-by: Dan McGee <dan@archlinux.org>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-03-04  Fix main site URL  (Dan McGee; 1 file, -2/+2)
    Signed-off-by: Dan McGee <dan@archlinux.org>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-03-04  Add action lookup helper function  (Dan McGee; 2 files, -11/+16)
    Signed-off-by: Dan McGee <dan@archlinux.org>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-03-04  Ensure all package ID values are coerced to integers  (Dan McGee; 1 file, -18/+22)
    We don't need mysql_real_escape_string(), we need valid integer conversions.
    Signed-off-by: Dan McGee <dan@archlinux.org>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-03-04  Vastly simplify pkg_delete function  (Dan McGee; 1 file, -58/+8)
    Since only TUs/Devs can delete packages, we can remove almost all checks except the account type check. And now that our DB uses foreign keys, all of the other deletes happen implicitly when a package is deleted so we don't need to take care of it here.
    Signed-off-by: Dan McGee <dan@archlinux.org>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-03-04  Ensure users can be deleted when foreign keys are present  (Dan McGee; 2 files, -3/+3)
    This change is necessary to prevent this:

        mysql> delete from Users where ID = 112;
        ERROR 1451 (23000): Cannot delete or update a parent row: a foreign key constraint fails (`aur`.`Packages`, CONSTRAINT `Packages_ibfk_2` FOREIGN KEY (`SubmitterUID`) REFERENCES `Users` (`ID`) ON DELETE NO ACTION)

    As a bonus, due to foreign keys, orphaning of packages will be automatic.
    Signed-off-by: Dan McGee <dan@archlinux.org>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-03-04  Allow DB connection values to come from the environment  (Dan McGee; 3 files, -21/+33)
    Stop hardcoding everything everywhere for those of us that don't use the localhost/aur/aur/AUR setup. Also allow for the dummy data to be created in the reload script if it does not exist. Finally, remove two assumptions that the AUR database already exists.
    Signed-off-by: Dan McGee <dan@archlinux.org>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-03-04  Use a single transaction to write dummy data  (Dan McGee; 1 file, -0/+2)
    This is immensely faster when using InnoDB since we don't need to sync after each and every INSERT statement.
    Signed-off-by: Dan McGee <dan@archlinux.org>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-03-04  Small template cleanup  (Dan McGee; 1 file, -2/+1)
    Signed-off-by: Dan McGee <dan@archlinux.org>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-03-04  Improve cookie handling  (Dan McGee; 2 files, -14/+11)
    * Remove comment that is mostly bogus - the domain is automatically set.
    * When logging out, don't delete the language cookie.
    * Make the language cookie persistent.
    * Use the minimal time possible to expire cookies; no need to compute anything.
    Signed-off-by: Dan McGee <dan@archlinux.org>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-03-01  Fix potential injection vulnerability  (Dan McGee; 1 file, -2/+7)
    We trusted the values we pulled out of the IDs array and never coerced them to integers, passing them to the backend unescaped and uncasted. Ensure they are treated as integers only and validate the resulting value is > 0.
    Signed-off-by: Dan McGee <dan@archlinux.org>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-02-28  AUTHORS: Move Callan from "Current Maintainers" to "Contributors".  (Lukas Fleischer; 1 file, -1/+1)
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-02-28  AUTHORS: Rename "Current Contributors" to "Current Maintainers".  (Lukas Fleischer; 1 file, -1/+1)
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-02-28  Remove database recreation code from "support/schema/reloadtestdb.sh".  (Lukas Fleischer; 1 file, -6/+0)
    Database is being dropped and recreated in the schema, so there's no need to do this in "reloadtestdb.sh" as well.
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-02-28  Specify utf8 in database schema.  (Loui Chang; 1 file, -4/+4)
    Signed-off-by: Loui Chang <louipc.ist@gmail.com>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-02-27  Add note on merging "web/lib/config.inc.proto" to "UPGRADING".  (Lukas Fleischer; 1 file, -0/+2)
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-02-27  Fix some minor bugs in "support/schema/gendummydata.py".  (Lukas Fleischer; 1 file, -2/+2)
    The dummy data generation script used to create wrong package IDs for both "PackageVotes" and "PackageDepends" tables which led to errors when reloading the test data (constraints failed). This is fixed by no longer creating entries with zero ("0") package IDs.
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-02-27  Set the character set when connecting to mysql  (Florian Pritz; 1 file, -0/+2)
    We should not rely on the default server setting staying the same forever.
    Signed-off-by: Florian Pritz <bluewind@server-speed.net>
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-02-27  Add "ENGINE = InnoDB" to "CREATE TABLE" statements in the SQL schema.  (Lukas Fleischer; 1 file, -13/+13)
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-02-27  Define "Packages.SubmitterUID" and "Packages.MaintainerUID" as "NULL".  (Lukas Fleischer; 8 files, -10/+20)
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-02-27  Add note on upgrading from MyISAM to InnoDB to "UPGRADING".  (Lukas Fleischer; 1 file, -0/+24)
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-02-27  Define "PackageComments.DelUsersID" as "NULL".  (Lukas Fleischer; 3 files, -3/+6)
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-02-26  Add missing foreign keys and constraints to the DB.  (Lukas Fleischer; 2 files, -5/+37)
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-02-26  Use a real sync algorithm in aurblup (fixes FS#23039).  (Lukas Fleischer; 1 file, -37/+101)
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

2011-02-25  Reject blacklisted packages on initial submission only.  (Lukas Fleischer; 1 file, -9/+9)
    Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>