summaryrefslogtreecommitdiffstats
path: root/web/lib/aur.inc.php
AgeCommit message (Collapse)AuthorFilesLines
2017-11-05Only allow valid HTTP(s) URLs as home pageLukas Fleischer1-0/+20
The home page specified in the account settings is converted to a clickable link on the user's profile. Make sure it is a valid URL which uses the http or https scheme. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-11-05Set X-Frame-Options to DENY for all pagesLukas Fleischer1-0/+1
Do not allow to render aurweb pages in a frame to protect against clickjacking. Fixes FS#56168. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-30Add support for Terms of Service documentsLukas Fleischer1-0/+23
This allows for adding Terms of Service documents to the database that registered users need to accept before using the AUR. A revision field can be used to indicate whether a document was updated. If it is increased, all users are again asked to accept the new terms. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-04-27Call check_sid() from a central locationLukas Fleischer1-0/+2
Instead of calling check_sid() from every single PHP script representing a web page, add the call to aur.inc.php which is sourced by all of them. Also, remove set_lang() calls from the scripts since these are also already included in aur.inc.php. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-02-24Use bcrypt to hash passwordsLukas Fleischer1-57/+0
Replace the default hash function used for storing passwords by password_hash() which internally uses bcrypt. Legacy MD5 hashes are still supported and are immediately converted to the new format when a user logs in. Since big parts of the authentication system needed to be rewritten in this context, this patch also includes some simplification and refactoring of all code related to password checking and resetting. Fixes FS#52297. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2017-01-20Add user set timezonesMark Weiman1-0/+3
Currently, aurweb displays all dates and times in UTC time. This patch adds a capability for each logged in user to set their preferred timezone. Implements FS#48729. Signed-off-by: Mark Weiman <mark.weiman@markzz.com> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2016-11-10Remove all usage of UNIX_TIMESTAMP in web interfaceMark Weiman1-2/+2
UNIX_TIMESTAMP is not part of the SQL standard. Instead, all usage in the web interface is changed to use PHP's time() function. Signed-off-by: Mark Weiman <mark.weiman@markzz.com> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-09-11Allow for logging in via email addressLukas Fleischer1-0/+15
Accept both user names and email addresses in the login prompt. Suggested-by: Johannes Löthberg <johannes@kyriasis.com> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-08-31Fix duplicate escaping of action linksLukas Fleischer1-7/+7
The __() helper function already escapes HTML special characters. Do not escape them again in html_action_*(). Fixes FS#45780. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-08-08Add comment edit icon and formMarcel Korpel1-0/+19
Show an icon next to the comment deletion icon, which leads to a comment edit form. Signed-off-by: Marcel Korpel <marcel.korpel@gmail.com> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-07-12use rel="nofollow" for links in commentsDaniel Micay1-1/+1
This removes the incentive for spammers to post links by asking search engines to ignore them. Signed-off-by: Daniel Micay <danielmicay@gmail.com> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-06-27Fake pkgbase actions for unconfirmed usersGordian Edenhofer1-9/+19
Displaying flag, notify, vote, adopt and file request links for users which did not authenticate themselves and letting those fake buttons link to the login page. Signed-off-by: Gordian Edenhofer <gordian.edenhofer@gmail.com> Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-06-27Split out code to generate action linksLukas Fleischer1-0/+37
Add (and use) two new helper functions html_account_link() and html_account_form() to generate the links in the package actions box. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-06-20Fix a warning when formatting user namesLukas Fleischer1-1/+1
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-06-14Show co-maintainers next to maintainers in detailsLukas Fleischer1-0/+25
Implements FS#45313. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2015-06-14Refactor code for printing account linksLukas Fleischer1-2/+11
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
2014-10-24Use an INI-style configuration fileLukas Fleischer1-8/+18
Replace web/lib/config.inc.php with an INI-style configuration file. This allows us to get rid of several globals and makes it easier to use the same configuration file in external scripts. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-08-08Fix the return value of save_salt()Lukas Fleischer1-1/+1
Return true if and only if the SQL query was executed successfully. Logins with an unsalted password no longer fail now. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-07-15Rework permission handlingLukas Fleischer1-10/+1
Add a new function has_credential() that checks whether the currently logged in user is allowed to perform a given action. Moving all permission handling to this central place makes adding new user groups and adjusting permissions much more convenient. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-07-01Simplify code to bound integer valuesLukas Fleischer1-0/+13
Suggested-by: Florian Pritz <bluewind@xinu.at> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-06-05Do not return "None" in user functionsLukas Fleischer1-20/+24
Return null instead of the string "None" in username_from_id(), uid_from_email() and uid_from_username(). Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-05-29Move latest_pkgs() to pkgfuncs.inc.phpLukas Fleischer1-24/+0
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-05-03Fix parsing of array overridesLukas Fleischer1-4/+11
If a depends (makedepends, checkdepends, optdepends, conflicts, provides, replaces, license, groups, source) line appears in a package section, it replaces the corresponding array from the pkgbase section. If there is a single "depends = " line in the package section, the depends array of that package is considered empty. This partly reverts the behavior introduced in commit 137a9ae (Fix parsing of array overrides, 2014-05-03). Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-04-19Handle pkgbase array overrides gracefullyLukas Fleischer1-0/+25
Instead of overwriting arrays, such as depends, from the pkgbase section, new entries should be appended. Replace array_merge() with a mixture of array_merge_recursive() and array_replace_recursive() that merges array fields and replaces non-array fields. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-04-05Do not allow for overwriting arbitrary packagesLukas Fleischer1-0/+19
A package should only be overwritten if it already belongs to the package base that is trying to overwrite it. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2014-04-05Add provisional support for package basesLukas Fleischer1-13/+2
This adds a PackageBases table to the database schema and moves the following fields from the Packages table to PackageBases: * CategoryID * NumVotes * OutOfDateTS * SubmittedTS * ModifiedTS * SubmitterUID * MaintainerUID It also fixes all database accesses to comply with the new layout. Having a separate PackageBases table is the first step to split package support. By now, we create one PackageBases entry per package (where the package base has the same name as the corresponding package). When adding full support for split packages later, the package base name will be derived from the pkgbase variable and a single package base will be shared amongst all packages built from one source package. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-02-10Remove checks before calling connection methodcanyonknight1-45/+15
Large amount of boilerplate code that checks if a database connection exists is useless now that the new connection method automatically does the same check. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-02-10Remove documentation references to database parametercanyonknight1-18/+0
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-02-10Remove unnecessary database connection parameter from all functionscanyonknight1-17/+17
All functions now have a database connection method that will use the same database connection. This imitates the functionality of passing a database connection as an argument and makes it redundant. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-02-10Add database wrapper class and new connection methodcanyonknight1-33/+16
Uses the Singleton pattern to ensure all queries use the same database connection that is released upon script completion. All database connections should now be called with DB::connect() and not db_connect(). Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-01-30Merge branch 'maint'Lukas Fleischer1-1/+1
2013-01-30aur.inc.php: Fix PHP undefined index notice for AURSIDcanyonknight1-1/+1
Occurs in the rare situation where a logged out user tries to POST a CSRF token. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-01-19Merge branch 'maint'Lukas Fleischer1-2/+0
2013-01-19Remove double htmlspecialcharsMarcel Korpel1-2/+0
This is already done in header.php; doing this double will result in &amp; in title element Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2013-01-19Add description meta-element to package pagesMarcel Korpel1-1/+1
Implements FS#33294 Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-10-21Link to the HTTPs login page in the headerLukas Fleischer1-0/+2
Change the login link so that it points directly to the HTTPs version of the login page if "$DISABLE_HTTP_LOGIN" is set and if HTTP is used. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-09-24aur.inc.php: Document all functions using PHPDoc formatcanyonknight1-40/+191
PHPDoc is a standardized format for commenting on PHP code. Using it allows for a more cohesive use of IDEs and documentation generators with the AUR code. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-09-20Remove unused chmod_group() functioncanyonknight1-28/+0
Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-09-18Migrate all DB code to use PDOcanyonknight1-101/+53
All DB code currently uses the quickly aging mysql_* functions. These functions are strongly discouraged and may eventually be deprecated. Transition all code to utilize the PDO data access abstraction layer. PDO allows for consistent query code across multiple databases. This could potentially allow for someone to use a database other than MySQL with minimal code changes. All functions and behaviors are reproduced as faithfully as possible with PDO equivalents and some changes in code. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-17aur.inc.php: Include routing backendLukas Fleischer1-0/+1
This needs to be available on every page since it is needed for get_uri() and get_pkg_uri() and "web/html/index.php" isn't executed if the virtual path feature is disabled. Reported-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-14Merge branch 'maint'Lukas Fleischer1-0/+10
Conflicts: web/html/account.php web/html/addvote.php web/html/pkgsubmit.php web/lib/acctfuncs.inc.php web/template/actions_form.php web/template/pkg_comment_form.php web/template/pkg_comments.php web/template/pkg_details.php web/template/pkg_search_results.php web/template/tu_details.php
2012-07-14aur.inc.php: Use delete_session_id() where appropriatecanyonknight1-3/+1
Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-06aur.inc.php: Remove old and unused make_seed functioncanyonknight1-7/+0
Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-06rss.php: Pull out DB codecanyonknight1-0/+19
* Move DB code in rss.php to new function in aur.inc.php * Centralization of DB code important in a future transition to PDO interface Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-06pkgsubmit.php: Pull out DB codecanyonknight1-0/+21
* Move DB code in pkgsubmit.php to new functions in aur.inc.php and pkgfuncs.inc.php * Centralization of DB code important in a future transition to PDO interface Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-07-06Move login form to a separate pageLukas Fleischer1-10/+0
Do not show the login form on every page. Move it to a separate login page and add a link to the navigation bar. Also, add a logout link for logged-in users. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> Signed-off-by: canyonknight <canyonknight@gmail.com>
2012-06-24Implement token system to fix CSRF vulnerabilitiescanyonknight1-0/+10
Specially crafted pages can force authenticated users to unknowingly perform actions on the AUR website despite being on an attacker's website. This cross-site request forgery (CSRF) vulnerability applies to all POST data on the AUR. Implement a token system using a double submit cookie. Have a hidden form value on every page containing POST forms. Use the newly added check_token() to verify the token sent via POST matches the "AURSID" cookie value. Random nature of the token limits potential for CSRF. Signed-off-by: canyonknight <canyonknight@gmail.com> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-03-24Unify function declaration styleLukas Fleischer1-16/+8
Always put the opening brace on the same line as the beginning of the function declaration. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-03-21valid_email :: check if domain part is realBlackEagle1-1/+12
this can be used as an intermediate 'patch' util there is a validation system in place. the extra check is to verify that the domain part of a correctly formatted email address is existing and in use. this will not at all stop spammers since they can use bogus emails with valid domain parts Lukas: Minor formatting changes. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-11-02Add a new AUR_LOCATION settingDan McGee1-0/+1
This should be set to something like 'http://localhost' for development or 'https://aur.archlinux.org' in production. It ensures all links in the site stay in the development site and there is no sudden jump from development to production environments. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>