summaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2012-12-22gendummydata.py: Open all files with UTF-8 encodingcanyonknight1-3/+3
Users with certain locales are unable to generate dummy data. Enforce UTF-8 encoding. Fixes FS#32986 Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-12-22gendummydata.py: Remove need for fortune subprocesscanyonknight1-7/+11
Fortune calls slows down the generation of dummy data dramatically for large datasets. Read from a specified fortune file directly to avoid the need for the subprocess. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-12-07Merge branch 'maint'Lukas Fleischer3-20/+52
2012-12-07Split package flagging and unflagging into separate functionscanyonknight@gmail.com2-33/+45
Currently, package flagging and unflagging takes place within the pkg_flag() function. A bool is set to true or false depending on the action. Create new pkg_unflag() function with sole purpose of unflagging and keep pkg_flag() in place. This split will be useful in the overhaul of the notification system. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-12-07INSTALL: Change # to $ where possibleMarcel Korpel1-9/+9
Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-12-07INSTALL: Current PHP has JSON support without extensionMarcel Korpel1-4/+2
Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-12-07INSTALL: Update required dummy data packagescanyonknight1-1/+1
Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-12-07systemd compatibilityMarcel Korpel1-1/+1
Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-29Fix account privilege escalation vulnerabilitycanyonknight1-2/+2
A check is only done to verify a Trusted User isn't promoting their account. An attacker can send tampered account type POST data to change their "User" level account to a "Developer" account. Add check so that all users cannot increase their own account permissions. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-29Fix account editing and hijacking vulnerabilitycanyonknight2-3/+37
Checks are in place to avoid users getting account editing forms they shouldn't have access to. The appropriate checks before editing the account in the backend are not in place. This vulnerability allows a user to craft malicious POST data to edit other user accounts, thereby allowing account hijacking. Add a new flexible function can_edit_account() to determine if a user has appropriate permissions. Run the permission check before processing any account information in the backend. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-24index.php: Move voter page token check to switch control structurecanyonknight1-6/+4
Voter page token check takes place in the same way as other existing token checks. Move the check for consistency. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-24login.php: Properly link to logout page when already logged incanyonknight1-1/+1
Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-15gendummydata.py: Remove extra letter from dummy pkgrelcanyonknight1-1/+1
Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-15pkgfuncs.inc.php: Rework query to avoid "Required by" duplicatescanyonknight1-1/+1
Packages with multiple DepConditions are returned multiple times in the "Required by" column. Limit SQL results to distinct packages. Fixes FS#32478 Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-07Release 2.0.1v2.0.1Lukas Fleischer1-1/+1
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-07pkg_details.php: Fix potential XSS for package names and dep conditionscanyonknight1-3/+3
Package names and dep conditions can be specially crafted for an XSS attack. Properly sanitize these variables on the package details page. In addition, avoid including dep conditions as part of a package link. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-04Avoid use of "$_SERVER['REQUEST_URI']"Lukas Fleischer2-3/+3
Use the routing library to build proper URIs instead of relying on the "REQUEST_URI" server variable which can be manipulated and might return bogus URIs. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-04Avoid double slashes in notificationsLukas Fleischer1-3/+3
Both get_pkg_uri() and get_user_uri() should always return root-relative URLs -- do not prepend another "/". Fixes FS#32460. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-04routing.inc.php: Return proper (non-virtual) URIsLukas Fleischer1-2/+2
Make sure we always return root-relative URIs in get_pkg_uri() and in get_user_uri() and prepend a slash ("/") if the virtual URL feature is disabled. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-04pkgsubmit.php: Show a warning for split packagesLukas Fleischer1-0/+4
Display a special error message if the package is identified as split package. Currently, the AUR displays a very vague error message when a split package is submitted ("Invalid name: only lowercase letters are allowed"). This often caused confusion among package submitters, see FS#22834 and FS#32450. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-04pkg_details.php: Remove plural from the adopt/disown buttonLukas Fleischer1-2/+2
Fixes FS#32455. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-04Add missing internationalization to a few stringsLukas Fleischer2-3/+3
Fixes FS#32449. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-04header.php: Do not lowercase language selection entriesLukas Fleischer1-2/+2
Commit 091c2b5f5523773604699b914c19e6b02ce290bc introduced lower casing to the language drop-down list. Revert this and use htmlspecialchars() to escape language entries instead. Addresses FS#32453. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-04Release 2.0.0v2.0.0Lukas Fleischer1-1/+1
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-04Translation updates from TransifexLukas Fleischer23-8520/+12625
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-04UPGRADING: Remove reference to Archive_TarLukas Fleischer1-5/+3
The Archive_Tar PEAR module is no longer needed as of commit acdf9a85a0ff320f55d6eebb2ba7550fea61a5bb. Remove the associated upgrading instruction. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-30Return 404 for invalid account/package subpagesLukas Fleischer1-8/+26
Display an error page and return a 404 status code in the following cases: * An invalid package name is passed to the "packages" action. * An invalid user name is passed to the "account" action. * An invalid package action is passed. * An invalid account action is passed. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-29pkgsubmit.php: Check that there is one directory in a tarballcanyonknight1-0/+4
Users are able to upload tarballs without a directory. The directory count for a tarball is available, so use it to display an error when there is not a single directory. This patch has no effect on users who generate their uploaded tarballs using makepkg. All other users must include a directory in their tarball. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-28home.php: Remove unneeded tablesLukas Fleischer1-14/+2
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-28Implement word-wrap for package statisticsLukas Fleischer2-8/+12
Word-wrap labels in the package statistics box, just as we wrap package names in the "Recent Updates" box. Addresses FS#32160. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-28Add Archive_Tar class to lib/canyonknight4-11/+3066
Some AUR setups do not have PEAR available. While other setups have access to outdated Archive_Tar versions. Avoid these problems completely by including the necessary files for Archive_Tar in lib/. Remove Archive_Tar requirement from INSTALL doc. Signed-off-by: canyonknight <canyonknight@gmail.com>
2012-10-22Release 2.0.0-rc2v2.0.0-rc2Lukas Fleischer1-1/+1
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-22Update message catalogLukas Fleischer1-5/+11
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-22POTFILES: Add "html/404.php"Lukas Fleischer1-0/+1
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-22aurjson.class.php: Limit number of RPC resultscanyonknight2-5/+21
With no limit to the number of results, memory_limit set to 32M can easily be exceeded for searches that have a large number of results. This results in an HTTP error 500 for those queries. Limit results to an amount set within config.inc.php to avoid exceeding memory_limit. Introduce new JSON error code for when the result limit is hit. Fixes FS#31849 Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-22Use HTTPS links everywhere for Arch sitesDan McGee9-16/+16
The main site, wiki, and BBS are using HTTPS exclusively, so link directly to the correct protocol rather than forcing a redirect. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-21Link to the HTTPs login page in the headerLukas Fleischer2-0/+6
Change the login link so that it points directly to the HTTPs version of the login page if "$DISABLE_HTTP_LOGIN" is set and if HTTP is used. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-20home.php: Fix XHTML tag errorscanyonknight1-2/+3
* Add missing <p> tag * Move <h4> outside of a <p> tag * Rename an id to avoid a conflict with an already existing id Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-20account_details.php: Fix XHTML tags being closed incorrectlycanyonknight1-7/+7
Replace incorrect </td> tags with </th> tags Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-20account_edit_form.php: Fix some XHTML errorscanyonknight1-7/+9
* Add </option> close tags * Add VI delimiter to selected option * Add quotes to language codes Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-20tu_list.php: Remove stray "</span>" tagscanyonknight1-1/+1
Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-20pkg_comment_form.php: Remove reference to "call" attributecanyonknight1-1/+1
Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-20pkg_details.php: Add missing XHTML close tagscanyonknight1-2/+4
Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-20Sync CSS with archwebLukas Fleischer1-11/+39
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-20Display an error page if a virtual path doesn't existLukas Fleischer2-0/+18
Give user feedback instead of bailing out with an empty HTTP response body. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-14pkg_search_results.php: Mark out-of-date packagesLukas Fleischer1-1/+1
Highlight the version number of out-of-date packages on the package search results page using the "flagged" class from archweb. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-14pkg_search_results.php: Move version to a separate columnLukas Fleischer1-1/+3
Synchronize the column layout with archweb. This also allows for easily highlighting the version number of out-of-date packages. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-11pkg_comments.php: Move delete button to same line as poster infocanyonknight1-1/+3
The delete button is currently on a separate line. Change some logic to allow for the button to be on the same line as poster info. Reported-by: Dave Reisner <d@falconindy.com> Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-11pkg_comment_form.php: Remove redundant label for the comment boxcanyonknight1-2/+0
Comment box already uses <h2> tag. Additional label is not needed. Also remove label for form submit button. Reported-by: Dave Reisner <d@falconindy.com> Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-11pkgsubmit.php: Fix package version not updatingcanyonknight1-1/+1
Parameters were not correct for a package update operation. Fix regression of 763cbf8373e3373254ad18f5b69fd16efdc6fd5c Fixes FS#31868 Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>