-rw-r--r-- | web/lib/pkgfuncs.inc | 55 |
1 files changed, 22 insertions, 33 deletions
diff --git a/web/lib/pkgfuncs.inc b/web/lib/pkgfuncs.inc
index 75f076e..9979d24 100644
--- a/web/lib/pkgfuncs.inc
+++ b/web/lib/pkgfuncs.inc
@@ -598,6 +598,20 @@ function current_action($action) {
 }
 
 /**
+ * Ensure an array of IDs is in fact all valid integers.
+ */
+function sanitize_ids($ids) {
+ $new_ids = array();
+ foreach ($ids as $id) {
+ $id = intval($id);
+ if ($id > 0) {
+ $new_ids[] = $id;
+ }
+ }
+ return $new_ids;
+}
+
+/**
  * Flag and un-flag packages out-of-date
  *
  * @param string $atype Account type, output of account_from_sid
@@ -616,6 +630,7 @@ function pkg_flag ($atype, $ids, $action = True) {
 }
 }
 
+ $ids = sanitize_ids($ids);
 if (empty($ids)) {
 if ($action) {
 return __("You did not select any packages to flag.");
@@ -624,28 +639,8 @@ function pkg_flag ($atype, $ids, $action = True) {
 }
 }
 
- foreach ($ids as $pid) {
- if (!is_numeric($pid)) {
- if ($action) {
- return __("You did not select any packages to flag.");
- } else {
- return __("You did not select any packages to unflag.");
- }
- }
- }
-
 $dbh = db_connect();
 
- $first = 1;
- foreach ($ids as $pid) {
- if ($first) {
- $first = 0;
- $flag = $pid;
- } else {
- $flag .= ", " . $pid;
- }
- }
-
 $q = "UPDATE Packages SET";
 if ($action) {
 $q.= " OutOfDateTS = UNIX_TIMESTAMP()";
@@ -653,7 +648,7 @@ function pkg_flag ($atype, $ids, $action = True) {
 else {
 $q.= " OutOfDateTS = NULL";
 }
- $q.= " WHERE ID IN (" . $flag . ")";
+ $q.= " WHERE ID IN (" . implode(",", $ids) . ")";
 
 db_query($q, $dbh);
 
@@ -664,7 +659,7 @@ function pkg_flag ($atype, $ids, $action = True) {
 $f_uid = uid_from_sid($_COOKIE['AURSID']);
 $q = "SELECT Packages.Name, Users.Email, Packages.ID ";
 $q.= "FROM Packages, Users ";
- $q.= "WHERE Packages.ID IN (" . $flag .") ";
+ $q.= "WHERE Packages.ID IN (" . implode(",", $ids) .") ";
 $q.= "AND Users.ID = Packages.MaintainerUID ";
 $q.= "AND Users.ID != " . $f_uid;
 $result = db_query($q, $dbh);
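Review bot: sanitize_ids() coerces instead of validating: intval('12abc') is 12 and intval('abc') is 0, so a malformed ID is either silently mapped onto a different package or silently dropped, and the docblock's "all valid integers" promises more than the loop checks. Because the result is interpolated directly into `ID IN (...)` in pkg_flag, pkg_adopt and the other callers, this function's integer guarantee is the only thing that keeps those queries safe, so rejecting rather than coercing is the safer contract: `if (ctype_digit((string)$id) && (int)$id > 0) { $new_ids[] = (int)$id; }`. The function also assumes $ids is an array; `foreach` over a scalar from the request raises a warning and yields nothing, so a guard `if (!is_array($ids)) { return array(); }` at the top would make the callers' empty-selection messages fire as intended. The same contract applies to the call sites added in pkg_delete, pkg_adopt, pkg_vote and pkg_notify.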
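Review bot: Replacing the is_numeric loop with sanitize_ids() changes pkg_flag from all-or-nothing to partial success: a selection mixing valid and invalid IDs used to return "You did not select any packages to flag." and touch nothing, whereas now the invalid entries are dropped and the remaining packages are flagged or unflagged with no indication that part of the request was ignored. If that is intended, a one-line comment above the new call, `# invalid IDs are dropped silently; the empty() check below handles the all-invalid case`, would record it; if not, keep the previous semantics by comparing `count($ids)` before and after sanitize_ids() and returning the not-selected message on a mismatch. pkg_flag's body starts and ends outside this hunk, and the same consideration applies to the sanitize_ids() calls added in pkg_delete, pkg_adopt, pkg_vote and pkg_notify.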
@@ -704,6 +699,7 @@ function pkg_delete ($atype, $ids) {
 return __("You do have permission to delete packages.");
 }
 
+ $ids = sanitize_ids($ids);
 if (empty($ids)) {
 return __("You did not select any packages to delete.");
 }
@@ -733,6 +729,7 @@ function pkg_adopt ($atype, $ids, $action = True) {
 }
 }
 
+ $ids = sanitize_ids($ids);
 if (empty($ids)) {
 if ($action) {
 return __("You did not select any packages to adopt.");
@@ -743,16 +740,6 @@ function pkg_adopt ($atype, $ids, $action = True) {
 
 $dbh = db_connect();
 
- $first = 1;
- foreach ($ids as $pid) {
- if ($first) {
- $first = 0;
- $pkg = $pid;
- } else {
- $pkg .= ", ".$pid;
- }
- }
-
 $field = "MaintainerUID";
 $q = "UPDATE Packages ";
 
@@ -763,7 +750,7 @@ function pkg_adopt ($atype, $ids, $action = True) {
 }
 
 $q.= "SET $field = $user ";
- $q.= "WHERE ID IN ($pkg) ";
+ $q.= "WHERE ID IN (" . implode(",", $ids) . ") ";
 
 if ($action && $atype == "User") {
 # Regular users may only adopt orphan packages from unsupported
@@ -800,6 +787,7 @@ function pkg_vote ($atype, $ids, $action = True) {
 }
 }
 
+ $ids = sanitize_ids($ids);
 if (empty($ids)) {
 if ($action) {
 return __("You did not select any packages to vote for.");
@@ -881,6 +869,7 @@ function pkg_notify ($atype, $ids, $action = True) {
 return;
 }
 
+ $ids = sanitize_ids($ids);
 if (empty($ids)) {
 return __("Couldn't add to notification list.");
 }
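Review bot: The new `implode(",", $ids)` in pkg_adopt's WHERE clause is only safe because sanitize_ids() ran earlier in the function, and nothing at the query site records that dependency, so a later edit that moves or removes the sanitize_ids() call would reopen the string-built IN () to raw request data. A short comment on the changed line, `# $ids holds only positive integers (sanitize_ids), so direct interpolation into IN () is safe`, makes the invariant visible where it matters; the two implode() sites in pkg_flag deserve the same note. The pkg_adopt body starts and ends outside this hunk.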