| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
A check is only done to verify a Trusted User isn't promoting their
account. An attacker can send tampered account type POST data to
change their "User" level account to a "Developer" account.
Add check so that all users cannot increase their own account
permissions.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Checks are in place to avoid users getting account editing forms
they shouldn't have access to. The appropriate checks before
editing the account in the backend are not in place.
This vulnerability allows a user to craft malicious POST data to
edit other user accounts, thereby allowing account hijacking.
Add a new flexible function can_edit_account() to determine if
a user has appropriate permissions. Run the permission check before
processing any account information in the backend.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Packages with multiple DepConditions are returned multiple
times in the "Required by" column.
Limit SQL results to distinct packages.
Fixes FS#32478
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Both get_pkg_uri() and get_user_uri() should always return root-relative
URLs -- do not prepend another "/".
Fixes FS#32460.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Make sure we always return root-relative URIs in get_pkg_uri() and in
get_user_uri() and prepend a slash ("/") if the virtual URL feature is
disabled.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Some AUR setups do not have PEAR available. While other setups
have access to outdated Archive_Tar versions. Avoid these
problems completely by including the necessary files for
Archive_Tar in lib/.
Remove Archive_Tar requirement from INSTALL doc.
Signed-off-by: canyonknight <canyonknight@gmail.com>
|
|
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
With no limit to the number of results, memory_limit set to 32M
can easily be exceeded for searches that have a large number of
results. This results in an HTTP error 500 for those queries.
Limit results to an amount set within config.inc.php to avoid
exceeding memory_limit. Introduce new JSON error code for when
the result limit is hit.
Fixes FS#31849
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Change the login link so that it points directly to the HTTPs version of
the login page if "$DISABLE_HTTP_LOGIN" is set and if HTTP is used.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
An array that contains whether the package is blacklisted is
being improperly used for a comparison. Use fetchColumn() to
avoid the array completely and compare a value directly.
Regression with e171f6f34eeacf35cf7142b4788d43e7d0978546
Fixes FS#31867
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
As all new passwords are hashed and therefore stored in the database
at the same length, this limitation is no longer needed.
Fixes FS#31855
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
* Change voters_list() to return an array of voters instead of
generating HTML code in the library call.
* Change the template to generate HTML code for the list of voters
instead of displaying the library's return value.
* Use HTML lists.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Check if a package actually changed its status before sending an email
to prevent from spamming. Addresses FS#31745.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Fixes a undefined variable notice in getvotes() that popped up when a
package without any votes was requested.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
* Use "<label>"/"</label>" for form labels.
* Use "<strong>"/"</strong>" for important text.
* Use "<h4>"/"</h4>" for headings.
* Drop "<b>"/"</b>" everywhere else.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
PHPDoc is a standardized format for commenting on PHP code.
Using it allows for a more cohesive use of IDEs and documentation
generators with the AUR code.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
* Use archweb classes for search result statistics.
* Add some space between page numbers.
* Display current page number instead of current item range.
* Hide page numbers if the result fits into a single page.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Add a package ID parameter to pkg_change_category() instead of relying
on the "ID" or "N" GET parameters.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
One cannot check if the PDOStatement object returned by query()
evaluates to true in order to check for a non-empty record set. Modify
the SQL query to count the number of records instead of retrieving the
records themselves and fixing the check.
Regression introduced in e171f6f34eeacf35cf7142b4788d43e7d0978546.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Use the global keyword to import "$AUR_LOCATION" in
add_package_comment().
Regression introduced in d3de6679010a1d140794305e747f1af0e7f21834.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
* Restructure account.php to remove redundant code.
* Remove own_account_details().
* Rework logic check to default to no access to account edit form.
* Make default account action viewing account info.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Navigation to the "AccountInfo" page should only require a user to know the
username of the account they are looking for. Update all AUR links that use
the user info page to reflect the new URL.
Before:
AUR_URL/account/?Action=AccountInfo&U=userfoo
After:
AUR_URL/account/userfoo
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
All DB code currently uses the quickly aging mysql_* functions. These
functions are strongly discouraged and may eventually be deprecated.
Transition all code to utilize the PDO data access abstraction layer. PDO
allows for consistent query code across multiple databases. This could
potentially allow for someone to use a database other than MySQL with
minimal code changes.
All functions and behaviors are reproduced as faithfully as possible with
PDO equivalents and some changes in code.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Currently everyone is allowed to unflag a package as out of date. This should
be limited to only the appropriate people for a specific package.
Fixes FS#27263
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Link to "/packages/$pkgname/voters/" instead of using "/voters/" and a
get parameter to request a specific package by ID.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Make sure that pkg_change_category() works, even if the "N" get
parameter is used and "ID" is unset. Note that this is considered to be
a hack rather than a proper fix; pkg_change_category() needs a lot of
work.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Minor oversight when adding the routing back end in commit
eb22bcc7548d1b1025a3832aa4555792729d11b0.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Return the correct route -- even if a "/" is appended to the URI.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
This needs to be available on every page since it is needed for
get_uri() and get_pkg_uri() and "web/html/index.php" isn't executed if
the virtual path feature is disabled.
Reported-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Note that this currently only works if the virtual path feature is
enabled. If you don't use virtual paths, these will still be displayed
as buttons below the package details listing.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Jump to the home page instead of displaying a page that only tells you
that you're logged in.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Extend the routing front/back ends to allow for using
"/package/$pkgname/" for individual packages.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Use virtual paths in links (e.g. link to "/packages/" instead of
"/packages.php" etc.) if the virtual path feature is enabled.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
This adds a URL mapping library that can be used to implement virtual
paths. Also, "web/html/index.php" is moved to "web/html/home.php" and
"web/html/index.php" becomes a routing front end that maps virtual paths
to corresponding files.
To enable the virtual path feature, all requests need to be redirected
to the "index.php" routing script. If you use lighttpd, following
rewrite rule can be used:
url.rewrite = ( "^(.*)$" => "/index.php/$1" )
A similar rule can be used for Apache (using mod_rewrite).
Note that the current routing front end only works if PATH_INFO is
provided.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Conflicts:
web/html/account.php
web/html/addvote.php
web/html/pkgsubmit.php
web/lib/acctfuncs.inc.php
web/template/actions_form.php
web/template/pkg_comment_form.php
web/template/pkg_comments.php
web/template/pkg_details.php
web/template/pkg_search_results.php
web/template/tu_details.php
|
|
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Fixes broken account suspension system.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Initialize the "$details" and "$whovoted" variables with an empty
array/string to suppress a "Undefined variable" notice if the
votes/voters list is empty.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
XHTML should be eliminated from lib/ as much as possible. This pulls the XHTML
out of the display_account_info function that echoes the code, and moves it
to the new account_details.php template file.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
