From 237a4570e2a2bbfd39520886f56c5240e6ed4bec Mon Sep 17 00:00:00 2001
From: Lukas Fleischer
Date: Tue, 5 Aug 2014 23:52:03 +0200
Subject: Add PCRE_DOLLAR_ENDONLY to preg_match()
When using preg_match() to check for a match that starts at the beginning of the string and ends at the last character of the string, we do not want to allow an additional newline character to sneak in. Amongst other potential loopholes, adding the PCRE_DOLLAR_ENDONLY modifier prevents users from registering with user names that end with a newline character.
Signed-off-by: Lukas Fleischer
---
 web/lib/pkgreqfuncs.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'web/lib/pkgreqfuncs.inc.php')
diff --git a/web/lib/pkgreqfuncs.inc.php b/web/lib/pkgreqfuncs.inc.php
index 5924959a..98fb0cb8 100644
--- a/web/lib/pkgreqfuncs.inc.php
+++ b/web/lib/pkgreqfuncs.inc.php
@@ -91,7 +91,7 @@ function pkgreq_file($ids, $type, $merge_into, $comments) {
 global $AUR_REQUEST_ML;
 global $AUTO_ORPHAN_AGE;
- if (!empty($merge_into) && !preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/", $merge_into)) {
+ if (!empty($merge_into) && !preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/D", $merge_into)) {
 return array(false, __("Invalid name: only lowercase letters are allowed."));
 }
-- cgit v1.2.3-24-g4f1b
From 218ccf51e38ad9b0654aa509f2bf8eec44d69c07 Mon Sep 17 00:00:00 2001
From: Lukas Fleischer
Date: Fri, 8 Aug 2014 11:47:06 +0200
Subject: Add permission checks to the request feature
* Only show the request form to users that are logged in.
* Only show the close request form to Trusted Users and developers.
* Check for a valid login in pkgreq_file().
Signed-off-by: Lukas Fleischer
---
 web/lib/pkgreqfuncs.inc.php | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'web/lib/pkgreqfuncs.inc.php')
diff --git a/web/lib/pkgreqfuncs.inc.php b/web/lib/pkgreqfuncs.inc.php
index 98fb0cb8..92070434 100644
--- a/web/lib/pkgreqfuncs.inc.php
+++ b/web/lib/pkgreqfuncs.inc.php
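Review bot: In the PCRE_DOLLAR_ENDONLY hunk, the `D` modifier on the `$merge_into` pattern is the only thing that stops `$` from matching before a trailing newline, and nothing in the code says so, so a later cleanup of "unused" modifiers would silently reopen the hole this commit closes. Add a comment on the `if` line, e.g. `/* D (PCRE_DOLLAR_ENDONLY): "$" must match only at the very end, never before a trailing "\n" */`. The `!empty($merge_into)` guard also skips validation entirely for the string `"0"`, which happens to satisfy the pattern anyway, so it is harmless today but worth remembering if the pattern is ever tightened. The commit message mentions user-name registration, which is outside the file shown here (the view is limited to web/lib/pkgreqfuncs.inc.php), so the other `$`-anchored preg_match() calls presumably received the same modifier and are worth confirming. pkgreq_file() begins at the hunk header and its body continues past the hunk.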
@@ -91,6 +91,10 @@ function pkgreq_file($ids, $type, $merge_into, $comments) {
 global $AUR_REQUEST_ML;
 global $AUTO_ORPHAN_AGE;
+ if (!has_credential(CRED_PKGREQ_FILE)) {
+ return array(false, __("You must be logged in to file package requests."));
+ }
+
 if (!empty($merge_into) && !preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/D", $merge_into)) {
 return array(false, __("Invalid name: only lowercase letters are allowed."));
 }
-- cgit v1.2.3-24-g4f1b
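Review bot: The new credential check returns the same `array(false, message)` shape as the name-validation failure below it, so a caller cannot distinguish an authorization rejection from a bad merge target without parsing translated text; if anything upstream should log or rate-limit unauthenticated attempts, that distinction is lost here. The message also says "logged in" while the check is `has_credential(CRED_PKGREQ_FILE)`; if that credential is ever narrowed to a subset of logged-in users, the text becomes misleading, so a comment pinning the intent would help, e.g. `/* Server-side gate: the form is hidden for anonymous users, but direct POSTs must still be rejected here. */`. Placing the check before any request input is examined is the right order. pkgreq_file() starts at the hunk header and continues past the hunk.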