From 237a4570e2a2bbfd39520886f56c5240e6ed4bec Mon Sep 17 00:00:00 2001 From: Lukas Fleischer Date: Tue, 5 Aug 2014 23:52:03 +0200 Subject: Add PCRE_DOLLAR_ENDONLY to preg_match() When using preg_match() to check for a match that starts at the beginning of the string and ends at the last character of the string, we do not want to allow an additional newline character to sneak in. Amongst other potential loopholes, adding the PCRE_DOLLAR_ENDONLY modifier prevents users from registering with user names that end with a newline character. Signed-off-by: Lukas Fleischer --- web/html/pkgsubmit.php | 4 ++-- web/lib/acctfuncs.inc.php | 2 +- web/lib/pkgreqfuncs.inc.php | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php index 7d894256..8a48df2a 100644 --- a/web/html/pkgsubmit.php +++ b/web/html/pkgsubmit.php @@ -193,7 +193,7 @@ if ($uid): /* Validate package base name. */ if (!$error) { $pkgbase_name = $pkgbase_info['pkgbase']; - if (!preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/", $pkgbase_name)) { + if (!preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/D", $pkgbase_name)) { $error = __("Invalid name: only lowercase letters are allowed."); } @@ -209,7 +209,7 @@ if ($uid): /* Validate package names. */ $pkg_name = $pi['pkgname']; - if (!preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/", $pkg_name)) { + if (!preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/D", $pkg_name)) { $error = __("Invalid name: only lowercase letters are allowed."); break; } diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index 254f0e2f..e3ff4949 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -544,7 +544,7 @@ function valid_username($user) { if (strlen($user) < USERNAME_MIN_LEN || strlen($user) > USERNAME_MAX_LEN) { return false; - } else if (!preg_match("/^[a-z0-9]+[.\-_]?[a-z0-9]+$/i", $user)) { + } else if (!preg_match("/^[a-z0-9]+[.\-_]?[a-z0-9]+$/Di", $user)) { return false; } diff --git a/web/lib/pkgreqfuncs.inc.php b/web/lib/pkgreqfuncs.inc.php index 5924959a..98fb0cb8 100644 --- a/web/lib/pkgreqfuncs.inc.php +++ b/web/lib/pkgreqfuncs.inc.php @@ -91,7 +91,7 @@ function pkgreq_file($ids, $type, $merge_into, $comments) { global $AUR_REQUEST_ML; global $AUTO_ORPHAN_AGE; - if (!empty($merge_into) && !preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/", $merge_into)) { + if (!empty($merge_into) && !preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/D", $merge_into)) { return array(false, __("Invalid name: only lowercase letters are allowed.")); } -- cgit v1.2.3-24-g4f1b From 0613a637b39420deb0b34c8831aa2c31fa63ee7f Mon Sep 17 00:00:00 2001 From: Lukas Fleischer Date: Wed, 6 Aug 2014 00:08:46 +0200 Subject: Fix notification handling on submission and adoption Automatically add users to the notification list when adopting a package. This used to work bug was broken by 03c6304 (Rework permission handling, 2014-07-15). Fixes FS#41426. Signed-off-by: Lukas Fleischer --- web/html/pkgsubmit.php | 2 +- web/lib/pkgbasefuncs.inc.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php index 8a48df2a..a11fb5b0 100644 --- a/web/html/pkgsubmit.php +++ b/web/html/pkgsubmit.php @@ -380,7 +380,7 @@ if ($uid): * notification list. */ if ($was_orphan) { - pkgbase_notify(account_from_sid($_COOKIE["AURSID"]), array($base_id), true); + pkgbase_notify(array($base_id), true); } end_atomic_commit(); diff --git a/web/lib/pkgbasefuncs.inc.php b/web/lib/pkgbasefuncs.inc.php index 946209b7..1ac0b470 100644 --- a/web/lib/pkgbasefuncs.inc.php +++ b/web/lib/pkgbasefuncs.inc.php @@ -617,7 +617,7 @@ function pkgbase_adopt ($base_ids, $action=true, $via) { $dbh->exec($q); if ($action) { - pkgbase_notify(account_from_sid($_COOKIE["AURSID"]), $base_ids); + pkgbase_notify($base_ids); return array(true, __("The selected packages have been adopted.")); } else { return array(true, __("The selected packages have been disowned.")); -- cgit v1.2.3-24-g4f1b From d61b34f2557eb38142c879cbe2dea8598873dfb3 Mon Sep 17 00:00:00 2001 From: Lukas Fleischer Date: Fri, 8 Aug 2014 11:32:06 +0200 Subject: Fix the return value of save_salt() Return true if and only if the SQL query was executed successfully. Logins with an unsalted password no longer fail now. Signed-off-by: Lukas Fleischer --- web/lib/aur.inc.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php index 82730bb5..81cbf694 100644 --- a/web/lib/aur.inc.php +++ b/web/lib/aur.inc.php @@ -471,7 +471,7 @@ function save_salt($user_id, $passwd) { $hash = salted_hash($passwd, $salt); $q = "UPDATE Users SET Salt = " . $dbh->quote($salt) . ", "; $q.= "Passwd = " . $dbh->quote($hash) . " WHERE ID = " . $user_id; - $result = $dbh->exec($q); + return $dbh->exec($q); } /** -- cgit v1.2.3-24-g4f1b From 218ccf51e38ad9b0654aa509f2bf8eec44d69c07 Mon Sep 17 00:00:00 2001 From: Lukas Fleischer Date: Fri, 8 Aug 2014 11:47:06 +0200 Subject: Add permission checks to the request feature * Only show the request form to users that are logged in. * Only show the close request form to Trusted Users and developers. * Check for a valid login in pkgreq_file(). Signed-off-by: Lukas Fleischer --- web/html/pkgreq.php | 8 ++++++++ web/lib/credentials.inc.php | 2 ++ web/lib/pkgreqfuncs.inc.php | 4 ++++ 3 files changed, 14 insertions(+) diff --git a/web/html/pkgreq.php b/web/html/pkgreq.php index 03b31b84..ccb0acd8 100644 --- a/web/html/pkgreq.php +++ b/web/html/pkgreq.php @@ -9,9 +9,17 @@ set_lang(); check_sid(); if (isset($base_id)) { + if (!has_credential(CRED_PKGREQ_FILE)) { + header('Location: /'); + exit(); + } html_header(__("File Request")); include('pkgreq_form.php'); } elseif (isset($pkgreq_id)) { + if (!has_credential(CRED_PKGREQ_CLOSE)) { + header('Location: /'); + exit(); + } html_header(__("Close Request")); $pkgbase_name = pkgreq_get_pkgbase_name($pkgreq_id); include('pkgreq_close_form.php'); diff --git a/web/lib/credentials.inc.php b/web/lib/credentials.inc.php index efc203d3..0c428f2f 100644 --- a/web/lib/credentials.inc.php +++ b/web/lib/credentials.inc.php @@ -18,6 +18,7 @@ define("CRED_PKGBASE_NOTIFY", 13); define("CRED_PKGBASE_SUBMIT_BLACKLISTED", 14); define("CRED_PKGBASE_UNFLAG", 15); define("CRED_PKGBASE_VOTE", 16); +define("CRED_PKGREQ_FILE", 23); define("CRED_PKGREQ_CLOSE", 17); define("CRED_PKGREQ_LIST", 18); define("CRED_TU_ADD_VOTE", 19); @@ -48,6 +49,7 @@ function has_credential($credential, $approved_users=array()) { case CRED_PKGBASE_FLAG: case CRED_PKGBASE_NOTIFY: case CRED_PKGBASE_VOTE: + case CRED_PKGREQ_FILE: return ($atype == 'User' || $atype == 'Trusted User' || $atype == 'Developer' || $atype == 'Trusted User & Developer'); diff --git a/web/lib/pkgreqfuncs.inc.php b/web/lib/pkgreqfuncs.inc.php index 98fb0cb8..92070434 100644 --- a/web/lib/pkgreqfuncs.inc.php +++ b/web/lib/pkgreqfuncs.inc.php @@ -91,6 +91,10 @@ function pkgreq_file($ids, $type, $merge_into, $comments) { global $AUR_REQUEST_ML; global $AUTO_ORPHAN_AGE; + if (!has_credential(CRED_PKGREQ_FILE)) { + return array(false, __("You must be logged in to file package requests.")); + } + if (!empty($merge_into) && !preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/D", $merge_into)) { return array(false, __("Invalid name: only lowercase letters are allowed.")); } -- cgit v1.2.3-24-g4f1b