summaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2013-01-30Replace permission check code with can_edit_account()canyonknight1-5/+2
Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-01-30acctfuncs.inc.php: Change return type of valid_username functioncanyonknight1-6/+5
The function is only determining whether a username is valid, so it makes more sense to simply return a boolean value. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-01-30aur.inc.php: Fix PHP undefined index notice for AURSIDcanyonknight1-1/+1
Occurs in the rare situation where a logged out user tries to POST a CSRF token. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-01-30pkg_details.php: Add missing translatable stringcanyonknight1-2/+2
Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-01-19stats.inc.php: Remove unnecessary account type lookupcanyonknight1-3/+0
Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-01-19user_table.php: Remove unused link parametercanyonknight1-1/+1
Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-01-19Remove double htmlspecialcharsMarcel Korpel1-2/+0
This is already done in header.php; doing this double will result in &amp; in title element Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-01-19We live in 2013 nowMarcel Korpel1-1/+1
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-01-19Added RewriteRule for ApacheMarcel Korpel1-0/+7
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-12-22Changed 'Dutch' to 'Nederlands'Marcel Korpel1-1/+1
Supported languages are listed in their native language. Only Dutch is in English. Translate reference into Dutch. canyonknight: Commit message clarity Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-12-07INSTALL: Change # to $ where possibleMarcel Korpel1-9/+9
Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-12-07INSTALL: Current PHP has JSON support without extensionMarcel Korpel1-4/+2
Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-12-07INSTALL: Update required dummy data packagescanyonknight1-1/+1
Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-12-07systemd compatibilityMarcel Korpel1-1/+1
Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-29Fix account privilege escalation vulnerabilitycanyonknight1-2/+2
A check is only done to verify a Trusted User isn't promoting their account. An attacker can send tampered account type POST data to change their "User" level account to a "Developer" account. Add check so that all users cannot increase their own account permissions. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-29Fix account editing and hijacking vulnerabilitycanyonknight2-3/+37
Checks are in place to avoid users getting account editing forms they shouldn't have access to. The appropriate checks before editing the account in the backend are not in place. This vulnerability allows a user to craft malicious POST data to edit other user accounts, thereby allowing account hijacking. Add a new flexible function can_edit_account() to determine if a user has appropriate permissions. Run the permission check before processing any account information in the backend. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-24login.php: Properly link to logout page when already logged incanyonknight1-1/+1
Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-15gendummydata.py: Remove extra letter from dummy pkgrelcanyonknight1-1/+1
Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-15pkgfuncs.inc.php: Rework query to avoid "Required by" duplicatescanyonknight1-1/+1
Packages with multiple DepConditions are returned multiple times in the "Required by" column. Limit SQL results to distinct packages. Fixes FS#32478 Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-07Release 2.0.1v2.0.1Lukas Fleischer1-1/+1
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-07pkg_details.php: Fix potential XSS for package names and dep conditionscanyonknight1-3/+3
Package names and dep conditions can be specially crafted for an XSS attack. Properly sanitize these variables on the package details page. In addition, avoid including dep conditions as part of a package link. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-04Avoid use of "$_SERVER['REQUEST_URI']"Lukas Fleischer2-3/+3
Use the routing library to build proper URIs instead of relying on the "REQUEST_URI" server variable which can be manipulated and might return bogus URIs. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-04Avoid double slashes in notificationsLukas Fleischer1-3/+3
Both get_pkg_uri() and get_user_uri() should always return root-relative URLs -- do not prepend another "/". Fixes FS#32460. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-04routing.inc.php: Return proper (non-virtual) URIsLukas Fleischer1-2/+2
Make sure we always return root-relative URIs in get_pkg_uri() and in get_user_uri() and prepend a slash ("/") if the virtual URL feature is disabled. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-04pkgsubmit.php: Show a warning for split packagesLukas Fleischer1-0/+4
Display a special error message if the package is identified as split package. Currently, the AUR displays a very vague error message when a split package is submitted ("Invalid name: only lowercase letters are allowed"). This often caused confusion among package submitters, see FS#22834 and FS#32450. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-04pkg_details.php: Remove plural from the adopt/disown buttonLukas Fleischer1-2/+2
Fixes FS#32455. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-04Add missing internationalization to a few stringsLukas Fleischer2-3/+3
Fixes FS#32449. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-04header.php: Do not lowercase language selection entriesLukas Fleischer1-2/+2
Commit 091c2b5f5523773604699b914c19e6b02ce290bc introduced lower casing to the language drop-down list. Revert this and use htmlspecialchars() to escape language entries instead. Addresses FS#32453. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-04Release 2.0.0v2.0.0Lukas Fleischer1-1/+1
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-04Translation updates from TransifexLukas Fleischer23-8520/+12625
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-11-04UPGRADING: Remove reference to Archive_TarLukas Fleischer1-5/+3
The Archive_Tar PEAR module is no longer needed as of commit acdf9a85a0ff320f55d6eebb2ba7550fea61a5bb. Remove the associated upgrading instruction. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-30Return 404 for invalid account/package subpagesLukas Fleischer1-8/+26
Display an error page and return a 404 status code in the following cases: * An invalid package name is passed to the "packages" action. * An invalid user name is passed to the "account" action. * An invalid package action is passed. * An invalid account action is passed. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-29pkgsubmit.php: Check that there is one directory in a tarballcanyonknight1-0/+4
Users are able to upload tarballs without a directory. The directory count for a tarball is available, so use it to display an error when there is not a single directory. This patch has no effect on users who generate their uploaded tarballs using makepkg. All other users must include a directory in their tarball. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-28home.php: Remove unneeded tablesLukas Fleischer1-14/+2
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-28Implement word-wrap for package statisticsLukas Fleischer2-8/+12
Word-wrap labels in the package statistics box, just as we wrap package names in the "Recent Updates" box. Addresses FS#32160. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-28Add Archive_Tar class to lib/canyonknight4-11/+3066
Some AUR setups do not have PEAR available. While other setups have access to outdated Archive_Tar versions. Avoid these problems completely by including the necessary files for Archive_Tar in lib/. Remove Archive_Tar requirement from INSTALL doc. Signed-off-by: canyonknight <canyonknight@gmail.com>
2012-10-22Release 2.0.0-rc2v2.0.0-rc2Lukas Fleischer1-1/+1
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-22Update message catalogLukas Fleischer1-5/+11
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-22POTFILES: Add "html/404.php"Lukas Fleischer1-0/+1
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-22aurjson.class.php: Limit number of RPC resultscanyonknight2-5/+21
With no limit to the number of results, memory_limit set to 32M can easily be exceeded for searches that have a large number of results. This results in an HTTP error 500 for those queries. Limit results to an amount set within config.inc.php to avoid exceeding memory_limit. Introduce new JSON error code for when the result limit is hit. Fixes FS#31849 Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-22Use HTTPS links everywhere for Arch sitesDan McGee9-16/+16
The main site, wiki, and BBS are using HTTPS exclusively, so link directly to the correct protocol rather than forcing a redirect. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-21Link to the HTTPs login page in the headerLukas Fleischer2-0/+6
Change the login link so that it points directly to the HTTPs version of the login page if "$DISABLE_HTTP_LOGIN" is set and if HTTP is used. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-20home.php: Fix XHTML tag errorscanyonknight1-2/+3
* Add missing <p> tag * Move <h4> outside of a <p> tag * Rename an id to avoid a conflict with an already existing id Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-20account_details.php: Fix XHTML tags being closed incorrectlycanyonknight1-7/+7
Replace incorrect </td> tags with </th> tags Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-20account_edit_form.php: Fix some XHTML errorscanyonknight1-7/+9
* Add </option> close tags * Add VI delimiter to selected option * Add quotes to language codes Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-20tu_list.php: Remove stray "</span>" tagscanyonknight1-1/+1
Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-20pkg_comment_form.php: Remove reference to "call" attributecanyonknight1-1/+1
Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-20pkg_details.php: Add missing XHTML close tagscanyonknight1-2/+4
Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-20Sync CSS with archwebLukas Fleischer1-11/+39
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-20Display an error page if a virtual path doesn't existLukas Fleischer2-0/+18
Give user feedback instead of bailing out with an empty HTTP response body. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>