summaryrefslogtreecommitdiffstats
path: root/web
AgeCommit message (Collapse)AuthorFilesLines
2011-04-06Add option to search for exact name matches only (fixes FS#23556).Lukas Fleischer2-2/+7
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-05Initialize "$name" in pkgname_from_id().Lukas Fleischer1-2/+1
Ensures "$name" is always initialized, even if the package doesn't exist. Fixes PHP warnings appearing when retrieving package details of a package with an invalid ID. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-05Remove File_Find PEAR module from code base.Lukas Fleischer3-490/+4
We removed the code depending on this a long time ago - drop it and add some note to "UPGRADING". Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-04Fix PHP warning when browsing a non-existent package.Lukas Fleischer1-4/+2
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-03Add more stats to the front page tableDan McGee2-4/+34
Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-03Add indentation to stats tableDan McGee1-30/+19
Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-03Remove Dummy Package conceptDan McGee7-79/+27
Instead, we just store dependencies directly in the PackageDepends table. Since we don't use this info anywhere besides the package details page, there is little value in precalculating what is in the AUR vs. what is not. An upgrade path is provided via several SQL statements in the UPGRADING document. There should be no user-visible change from this, but the DB schema gets a bit more sane and we no longer have loads of junk packages in our tables that are never shown to the end user. This should also help the MySQL query planner in several cases as we no longer have to be careful to exclude dummy packages on every query. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-03Always set ModifiedTS including new packagesDan McGee4-9/+6
Set it equal to the SubmittedTS field, which will be our indication the package is new when we show the logo on the front page of the AUR. This results in the ability to remove the use of the unindexable GREATEST() function from the AUR code everywhere we had to use it before to handle the 0 timestamp case. Note that there is no race condition here in calling UNIX_TIMESTAMP() twice- it always returns the time at the beginning of statment execution: mysql> select unix_timestamp(), sleep(2), unix_timestamp(); +------------------+----------+------------------+ | unix_timestamp() | sleep(2) | unix_timestamp() | +------------------+----------+------------------+ | 1300851746 | 0 | 1300851746 | +------------------+----------+------------------+ 1 row in set (2.00 sec) Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-04-03Submission process code refactorDan McGee1-61/+35
We had a ton of duplicate code shared between the insert and update cases. Do a refactor so we can pull this stuff out below the if/else block and only need it there once, saving some headaches. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-30Be more restrictive with source tarball contents.Lukas Fleischer1-2/+13
Reject tarballs containing more than one directory or files outside a directory. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-30Fix XSS vulnerability in "web/template/header.php".Lukas Fleischer1-2/+2
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-30Fix PHP notice when submitting an empty file.Lukas Fleischer1-1/+1
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-30Fix strict standards warnings in "web/html/pkgsubmit.php".Lukas Fleischer1-2/+2
end() expects a reference but we pass a function return value here. Using list() is a bit hacky as well as it expects a 0-based array whereas unpack() returns a 1-based array - thus we use "list(, $foo)". Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-30Check if submitted files are in GZIP format.Lukas Fleischer1-2/+16
This is quite hacky but this way we can ensure users get comprehensible error messages when trying to upload ".tar.xz" or ".tar.bz2" files. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-30Fix XSS vulnerabilities in "web/html/voters.php".Lukas Fleischer1-2/+2
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-30Fix PHP undefined notice in "web/html/packages.php".Lukas Fleischer1-1/+6
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-30Fix XSS vulnerabilities in package comment templates.Lukas Fleischer2-3/+3
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-24Bump up default per-page value to 50Dan McGee2-7/+7
25 is woefully small for the number of packages many searches can return, and with 28000+ packages in AUR, it makes sense to show a lot more per page by default. The new choices of (50, 100, 250) happen to match those from the main site. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-15Fix main site package search URLDan McGee1-2/+2
I've been wanting to kill this one for a long time. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-12Fix searching for orphans with "$LANG != 'en'" (fixes FS#23252).Lukas Fleischer1-1/+1
Regression introduced in commit ef8fab0c. Removed the strict check again instead of wrapping it in __() to ensure search URLs are language independent. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-11Fix XSS vulnerability in package search results and package details.Lukas Fleischer2-10/+10
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-11Fix broken XHTML.Lukas Fleischer14-154/+170
Fix a lot of invalid XHTML in the templates and actions. There might still be some legacy code left, but this should cover most of it. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-10Perform a second query to find total search countDan McGee1-7/+11
This removes the need for SQL_CALC_FOUND_ROWS which can really slow down queries in a lot of cases. The COUNT(*) query we end up performing can reuse a lot of the original clauses from our primary query, but we can really slim it up by omitting some joins and the sorting/limiting clauses. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-10Split package search query into partsDan McGee1-20/+20
No functional change here; we should be rebuilding the same query at the end of the process. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-10More PHP Notice undefined fixupsDan McGee3-3/+12
Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-09Release 1.8.1.1.8.1Lukas Fleischer1-1/+1
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-04Fix outdated link in My Statistics paneDan McGee1-1/+1
Regression introduced in commit c39183c3ee7eb1. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-04Add a sanitize_ids function and use it in all pkg_* functionsDan McGee1-33/+22
And use implode() instead of some looping/first time logic. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-04Set a default timezoneDan McGee1-0/+2
With our use of strtotime() in stats.inc, we are "required" to do so or at least the emitted warning tells us it is a good idea. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-04Fix PHP notices in account pagesDan McGee2-18/+28
Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-04Remove dead dependency/required by link codeDan McGee2-29/+7
For some reason we were doing this song and dance "iterate all the known parameters" business. This is totally unnecessary, clutters the links, and was spewing errors all over the place, so kill it. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-04Ensure all variables are set in package search formDan McGee1-21/+13
Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-04Fix PHP notices in pkg_search_formDan McGee1-7/+7
If we were displaying this without coming from a previous query submit, notices were emitted all over the place. Fix them by adding an isset() first to each variable we try to access. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-04Fix PHP notice: requiredby arrayDan McGee1-3/+2
Required by query does not have a dep condition element. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-04Fix main site URLDan McGee1-2/+2
Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-04Add action lookup helper functionDan McGee2-11/+16
Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-04Ensure all package ID values are coerced to integersDan McGee1-18/+22
We don't need mysql_real_escape_string(), we need valid integer conversions. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-04Vastly simplify pkg_delete functionDan McGee1-58/+8
Since only TUs/Devs can delete packages, we can remove almost all checks except the account type check. And now that our DB uses foreign keys, all of the other deletes happen implicitly when a package is deleted so we don't need to take care of it here. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-04Ensure users can be deleted when foreign keys are presentDan McGee1-1/+0
This change is necessary to prevent this: mysql> delete from Users where ID = 112; ERROR 1451 (23000): Cannot delete or update a parent row: a foreign key constraint fails (`aur`.`Packages`, CONSTRAINT `Packages_ibfk_2` FOREIGN KEY (`SubmitterUID`) REFERENCES `Users` (`ID`) ON DELETE NO ACTION) As a bonus, due to foreign keys, orphaning of packages will be automatic. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-04Small template cleanupDan McGee1-2/+1
Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-04Improve cookie handlingDan McGee2-14/+11
* Remove comment that is mostly bogus- the domain is automatically set. * When logging out, don't delete the language cookie. * Make the language cookie persistent. * Use the minimal time possible to expire cookies; no need to compute anything. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-03-01Fix potential injection vulnerabilityDan McGee1-2/+7
We trusted the values we pulled out of the IDs array and never coerced them to integers, passing them to the backend unescaped and uncasted. Ensure they are treated as integers only and validate the resulting value is > 0. Signed-off-by: Dan McGee <dan@archlinux.org> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-02-27Set the character set when connecting to mysqlFlorian Pritz1-0/+2
We should not rely on the default server setting staying the same forever. Signed-off-by: Florian Pritz <bluewind@server-speed.net> Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-02-27Define "Packages.SubmitterUID" and "Packages.MaintainerUID" as "NULL".Lukas Fleischer5-7/+7
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-02-27Define "PackageComments.DelUsersID" as "NULL".Lukas Fleischer1-2/+2
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-02-25Reject blacklisted packages on initial submission only.Lukas Fleischer1-9/+9
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-02-23Protect users against ZIP bombs (fixes FS#22991).Lukas Fleischer2-0/+17
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-02-23Add a per-user session limit (fixes FS#12898).Lukas Fleischer2-1/+18
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-02-22Add ability to search for non-out-of-date packages (fixes FS#17896).Lukas Fleischer2-6/+20
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2011-02-21Reject packages with subdirectories (fixes FS#22995).Lukas Fleischer1-0/+3
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>