From 237a4570e2a2bbfd39520886f56c5240e6ed4bec Mon Sep 17 00:00:00 2001 From: Lukas Fleischer Date: Tue, 5 Aug 2014 23:52:03 +0200 Subject: Add PCRE_DOLLAR_ENDONLY to preg_match() When using preg_match() to check for a match that starts at the beginning of the string and ends at the last character of the string, we do not want to allow an additional newline character to sneak in. Amongst other potential loopholes, adding the PCRE_DOLLAR_ENDONLY modifier prevents users from registering with user names that end with a newline character. Signed-off-by: Lukas Fleischer --- web/html/pkgsubmit.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'web/html') diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php index 7d894256..8a48df2a 100644 --- a/web/html/pkgsubmit.php +++ b/web/html/pkgsubmit.php @@ -193,7 +193,7 @@ if ($uid): /* Validate package base name. */ if (!$error) { $pkgbase_name = $pkgbase_info['pkgbase']; - if (!preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/", $pkgbase_name)) { + if (!preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/D", $pkgbase_name)) { $error = __("Invalid name: only lowercase letters are allowed."); } @@ -209,7 +209,7 @@ if ($uid): /* Validate package names. */ $pkg_name = $pi['pkgname']; - if (!preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/", $pkg_name)) { + if (!preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/D", $pkg_name)) { $error = __("Invalid name: only lowercase letters are allowed."); break; } -- cgit v1.2.3-24-g4f1b From 0613a637b39420deb0b34c8831aa2c31fa63ee7f Mon Sep 17 00:00:00 2001 From: Lukas Fleischer Date: Wed, 6 Aug 2014 00:08:46 +0200 Subject: Fix notification handling on submission and adoption Automatically add users to the notification list when adopting a package. This used to work bug was broken by 03c6304 (Rework permission handling, 2014-07-15). Fixes FS#41426. Signed-off-by: Lukas Fleischer --- web/html/pkgsubmit.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'web/html') diff --git a/web/html/pkgsubmit.php b/web/html/pkgsubmit.php index 8a48df2a..a11fb5b0 100644 --- a/web/html/pkgsubmit.php +++ b/web/html/pkgsubmit.php @@ -380,7 +380,7 @@ if ($uid): * notification list. */ if ($was_orphan) { - pkgbase_notify(account_from_sid($_COOKIE["AURSID"]), array($base_id), true); + pkgbase_notify(array($base_id), true); } end_atomic_commit(); -- cgit v1.2.3-24-g4f1b From 218ccf51e38ad9b0654aa509f2bf8eec44d69c07 Mon Sep 17 00:00:00 2001 From: Lukas Fleischer Date: Fri, 8 Aug 2014 11:47:06 +0200 Subject: Add permission checks to the request feature * Only show the request form to users that are logged in. * Only show the close request form to Trusted Users and developers. * Check for a valid login in pkgreq_file(). Signed-off-by: Lukas Fleischer --- web/html/pkgreq.php | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'web/html') diff --git a/web/html/pkgreq.php b/web/html/pkgreq.php index 03b31b84..ccb0acd8 100644 --- a/web/html/pkgreq.php +++ b/web/html/pkgreq.php @@ -9,9 +9,17 @@ set_lang(); check_sid(); if (isset($base_id)) { + if (!has_credential(CRED_PKGREQ_FILE)) { + header('Location: /'); + exit(); + } html_header(__("File Request")); include('pkgreq_form.php'); } elseif (isset($pkgreq_id)) { + if (!has_credential(CRED_PKGREQ_CLOSE)) { + header('Location: /'); + exit(); + } html_header(__("Close Request")); $pkgbase_name = pkgreq_get_pkgbase_name($pkgreq_id); include('pkgreq_close_form.php'); -- cgit v1.2.3-24-g4f1b