| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
The callback parameter of the RPC interface currently allows for
specifying a prefix of arbitrary length of the returned result. This can
be exploited by certain attacks.
As a countermeasure, this patch restricts the allowed character set for
the callback name to letters, digits, underscores, parenthesis and dots.
It also limits the length of the name to 128 characters. Furthermore,
the reflected callback name is now always prepended with "/**/", which
is a common workaround to protect against attacks such as Rosetta Flash.
Fixes FS#46259.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
This method will be used by the JavaScript comment editing and produces
a form containing the comment.
Signed-off-by: Marcel Korpel <marcel.korpel@gmail.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Fixes FS#37317.
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
This is a preparatory patch that simplifies adding more arguments to
the parse functions
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
Signed-off-by: Marcel Korpel <marcel.korpel@gmail.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Fixes FS#45537.
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Implements FS#45422.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Remove package base categories. Instead, users can now specify up to
twenty custom keywords that are taken into consideration when searching.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
In commit 74edb6f (Use Git repositories to store packages, 2014-06-06),
the URLPath field was dropped from RPC package results. Reintroduce the
field for backwards compatibility, even though it is no longer
recommended to use snapshot tarballs.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
Do not return packages belonging to hidden package bases in RPC results.
Fixes FS#45271.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
|
|
* Remove package submission page from the web interface.
* Replace PKGBUILD and tarball links with links to cgit.
* Remove the "URLPath" field from RPC replies.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Replace web/lib/config.inc.php with an INI-style configuration file.
This allows us to get rid of several globals and makes it easier to use
the same configuration file in external scripts.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Add the typeahead implementation we already use for the package search
to the merge target text field. Instead of suggesting packages, suggest
package base names.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Add RPC v3 which always returns a list of objects in RPC responses,
regardless of the request type. An empty list is returned when an error
occurs. The error message is moved to a separate "error" field.
Fixes FS#40963.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
This is useful to tools that automatically generate requests to orphan,
delete or merge packages.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Most AUR helpers don't support the new format yet. Use version 1 of the
API by default. In order to use the new format, "v=2" can be appended to
the list of GET parameters.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
This adds a backwards compatibility mode for the old RPC API. The old
format can be requested by explicitly adding "v=1" to the list of GET
parameters. Note that due to internal changes, the old format only
returns the first license that belongs to a package.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
* Fix braces, indentation and comment style.
* Remove some superfluous comments.
* Reword some comments.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
This is needed for clients to quickly differentiate between different
versions of the RPC API. The version number should be bumped whenever
there is a change that breaks backwards compatibility.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
This patch adds the following fields to info and multiinfo replies:
* Depends
* MakeDepends
* CheckDepends
* OptDepends
* Conflicts
* Provides
* Replaces
* Groups
* License
Each of these fields is an array.
Note that since collecting all these fields is CPU-intensive, they are
not included in replies to search queries.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
* Fix the SQL query to conform to the new database layout.
* Remove the license field from replies. The license field is now stored
in a separate table and no longer returned on search queries.
* Add a "PackageBase" field that contains the name of the package base
of every package in the result.
* Fix the source tarball URL. The URL is now built based on the package
base name instead of the package name.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Uses the Singleton pattern to ensure all queries use the same
database connection that is released upon script completion.
All database connections should now be called with DB::connect() and
not db_connect().
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Use Twitter Bootstrap JavaScript framework for typeahead support.
Add a new "suggest" JSON method, which returns the first 20
packages that match the beginning characters of a query.
canyonknight: Link format change, commit message
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
With no limit to the number of results, memory_limit set to 32M
can easily be exceeded for searches that have a large number of
results. This results in an HTTP error 500 for those queries.
Limit results to an amount set within config.inc.php to avoid
exceeding memory_limit. Introduce new JSON error code for when
the result limit is hit.
Fixes FS#31849
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
All DB code currently uses the quickly aging mysql_* functions. These
functions are strongly discouraged and may eventually be deprecated.
Transition all code to utilize the PDO data access abstraction layer. PDO
allows for consistent query code across multiple databases. This could
potentially allow for someone to use a database other than MySQL with
minimal code changes.
All functions and behaviors are reproduced as faithfully as possible with
PDO equivalents and some changes in code.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Return an empty array and set the result count to zero instead.
Before:
$ curl 'http://localhost/rpc.php?type=search&arg=raboof'
{"type":"error","resultcount":0,"results":"No results found"}
After:
$ curl 'http://localhost/rpc.php?type=search&arg=raboof'
{"type":"search","resultcount":0,"results":[]}
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
We already ask for the result count, but only use it as a basis for testing
query success or failure. Add the value to the JSON reply.
Signed-off-by: Dave Reisner <dreisner@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Percent signs ("%") and underscores ("_") are not escaped by
mysql_real_escape_string() and are interpreted as wildcards if combined
with "LIKE". Write a wrapper function db_escape_like() and use it where
appropriate.
Note that we already fixed this for the RPC interface in commit
da2ebb667b7a332ddd8d905bf9b9a8694765fed6 but missed the other places.
This patch should fix all remaining flaws reported in FS#26527.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Signed-off-by: Dan McGee <dan@archlinux.org>
|
|
Wrap mysql_real_escape_string() in a wrapper function db_escape_string()
to ease porting to other databases, and as another step to pulling more
of the database code into a central location.
This is a rebased version of a patch by elij submitted about half a year
ago.
Thanks-to: elij <elij.mx@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Coerce following fields into integers to ensure json_encode() serializes
them as integers:
* ID
* CategoryID
* NumVotes
* OutOfDate
* FirstSubmitted
* LastModified
This means that there will be a minor API break. There's no better way
to do this properly, though. Fixes FS#25693.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Convert the "OutOfDate" field to provide a timestamp instead of a
boolean flag in JSON results. We don't really care about backward
compatibility here, as most AUR helpers would break anyway when trying
to parse RPC responses after the data type overhaul that should come
with one of the following patches.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Info queries using package IDs were no longer working due to commit
c6d84b3a8df10c522d79c754d4f73cb2a352586f, which introduced a table join
in process_query(), thus making the "ID" column ambiguous. Fix this by
explicitly specifying the table to use. Fixes FS#25696.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
This implements the following scheme:
* /packages/cower/ --> /packages/co/cower/
* /packages/j/ --> /packages/j/j/
* /packages/zqy/ --> /packages/zq/zqy/
We take up to the first two characters of each package name as a
intermediate subdirectory, and then the full package name lives
underneath that. Shorter named packages live in a single letter
directory.
Why, you ask? Well because earlier today the AUR hit 32,000 entries in
the unsupported/ directory, making new package uploads impossible. While
some might argue we shouldn't have so many damn packages in the repos,
we should be able to handle this case.
Why two characters instead of one? Our two biggest two-char groups, 'pe'
and 'py', both start with 'p', and have nearly 2000 packages each. Go
Python and Perl.
Still needed is a "move the existing data" script, as well as a set of
rewrite rules for those wishing to preserve backward compatible URLs for
any helper programs doing the wrong thing and relying on them.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Lukas: Add note to "UPGRADING".
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
after reading the discussion about the submitter field, i looked again
at my previous patch and realized that it was not very good at all.
hopefully this simplified version will be more acceptable.
the justification for this patch is that many third-party tools will
want to know how new a package is, or when it last changed. adding the
submitted and modified timestamps will allow users to get all the
relevant package data in a single query.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Add etag and if-none-match conditional get support. This will allow
'smart client' to save network bandwidth, as they can save the etag hash
value for queries and test it later. Still an http request because this
patch specifically sets a cache lifetime of zero, and must-revalidate.
The benefit here is bandwidth savings. Caching based on expires headers
would likely be counter productive, as the api data can change rather
quickly...but etag is a nice compromise, and could be quite beneficial
for bandwidth recution in some scenarios.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Include maintainer in info and search method.
Lukas: Adjustments for "multiinfo" queries.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
The majority of "real world" info requests [1] come in hefty batches. We
would be better served to handle these in one request rather than
multiple by allowing AUR clients to send multiple arguments.
This enables things like this to work:
http://aur.test/rpc.php?type=multiinfo&arg[]=cups-xerox&arg[]=cups-mc2430dl&arg[]=10673
Note to RPC users: unfortunately due to the asinine design of PHP, you
unfortunately have to use the 'arg[]' syntax if you want more than one
query argument, or you will only get the package satisfying the last arg
you pass.
[1] Rough data from April 11, 2011, with a total hit count of 1,109,163:
12 /login.php
13 /rpc.php?type=sarch
15 /rpc.php?type=msearch
16 /pingserver.php
16 /rpc.php
22 /logout.php
163 /passreset.php
335 /account.php
530 /pkgsubmit.php
916 /rss2.php
3838 /index.php
6752 /rss.php
9699 /
42478 /rpc.php?type=search
184737 /packages.php
681725 /rpc.php?type=info
That means a whopping 61.5% of our requests were for info over the RPC
interface; package pages are a distant second at only 16.7%.
Lukas: Introduce "multiinfo" query instead of extending "info" (for the
sake of backward compatibility).
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Do the implode as the same but separate step each time, and remove
indentation where no other query has it.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
* Mark things static in the class rather than use a constructor every
single invocation of the service.
* Don't call mysql_real_escape_string() before we even have a database
connection, and don't do work in the database if we don't need to.
* Formatting consistency fixups in a few places.
* Add new process_query() helper function; use this instead of
copy-pasted code in all of the RPC method calls.
* Remove the escaping code meant to fix FS#15526, introduced in commit
4d1eb4dd7ac631. It broke more than it solved, only fixed the output in
one of three RPC calls (and who knows what the web interface then also
does), and proper encoding should be done at the database level rather
than up here.
Lukas: Add special case for "info" queries to process_query() (return a
single result instead of an array of results here).
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
You need this enabled for the AUR, period. No need for this BS.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Instead, we just store dependencies directly in the PackageDepends
table. Since we don't use this info anywhere besides the package details
page, there is little value in precalculating what is in the AUR vs.
what is not.
An upgrade path is provided via several SQL statements in the UPGRADING
document. There should be no user-visible change from this, but the DB
schema gets a bit more sane and we no longer have loads of junk packages
in our tables that are never shown to the end user. This should also
help the MySQL query planner in several cases as we no longer have to be
careful to exclude dummy packages on every query.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
We don't need this anymore since all packages managed here are
well...managed here. Rip out all of the places we were using this field,
many of which depended on the magic value '2' anyway.
On the display side of things, we had a column that was always showing
'unsupported' that is now gone, and you can no longer sort by this column.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Percent signs ("%") and underscores ("_") are not escaped by
mysql_real_escape_string() and are interpreted as wildcards if combined
with "LIKE", so we need to deal with them separately.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Drop the "URLPath" field from the "Packages" table, build URLs from
package names instead.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: Loui Chang <louipc.ist@gmail.com>
- resolve conflict and omit i18n changes.
|
