Age | Commit message (Collapse) | Author |
|
* Changes adopting/disowning packages to use GET instead of POST
* Uses CSS to make form submit button look like a link
* Complements commit 3bc951e3d87eaf692a7e47cf16a28d838c7cb2bd
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
We fixed all known CRSF vulnerabilities in commit 2c93f0a (Implement
token system to fix CSRF vulnerabilities, 2012-06-23). c349cb2 (Add
virtual path support for package actions, 2012-07-17) partly reverted
this by injecting a valid CRSF token when virtual paths are in use.
This patch allows for keeping the virtual path feature, while
reintroducing POST forms and CRSF tokens. Actions like package flagging,
votes and notifications are no longer prone to CRSF (see FS#35437 for
details).
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Use forms and POST instead of GET for following actions:
* Flagging/Unflagging a package out-of-date
* Voting for a package and removing votes
* Enabling/Disabling notifications
Use CSS to make the submit buttons of these forms look like links.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Package names and dep conditions can be specially crafted for an XSS
attack. Properly sanitize these variables on the package details page.
In addition, avoid including dep conditions as part of a package link.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Fixes FS#32455.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Fixes FS#32449.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
The main site, wiki, and BBS are using HTTPS exclusively, so link
directly to the correct protocol rather than forcing a redirect.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
When virtual URLs are enabled, simpler links can be used to access
a user's account details page. Change this for both the maintainer and
submitter links.
Keeps backwards compatibility with virtual URLs being disabled.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Package actions now have a separate box on the package details page. Add
a package merge link in that box.
Link leads to a new page (pkgmerge.php) that can be used to confirm package
merging. A separate page with confirmation is used to avoid CSRFs.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Package actions now have a separate box on the package details page. Make
a package deletion link in that box.
Link leads to a new page (pkgdel.php) that can be used to confirm package
deletion. A separate page with confirmation is used to avoid CSRFs.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Replace all occurrences of "<?php echo" and "<?php print" by "<?=" to
reduce noise in templates.
Note that as of PHP 5.4.0, "<?=" is always available and no longer
requires "short_open_tag" to be set.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Reported-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Currently everyone is allowed to unflag a package as out of date. This should
be limited to only the appropriate people for a specific package.
Fixes FS#27263
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
The "Required by" column already handles an empty list appropriately. Move a
</div> tag to match that behavior in the "Dependencies" column
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Link to "/packages/$pkgname/voters/" instead of using "/voters/" and a
get parameter to request a specific package by ID.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
archweb uses "<div></div>" and "<p></p>" here.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Move the flag/unflag action below the flag date.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Note that this currently only works if the virtual path feature is
enabled. If you don't use virtual paths, these will still be displayed
as buttons below the package details listing.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
When a package is requested by name, the "ID" request parameter might be
unset. Use the "ID" field of the query result instead.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Extend the routing front/back ends to allow for using
"/package/$pkgname/" for individual packages.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Use virtual paths in links (e.g. link to "/packages/" instead of
"/packages.php" etc.) if the virtual path feature is enabled.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Conflicts:
web/html/account.php
web/html/addvote.php
web/html/pkgsubmit.php
web/lib/acctfuncs.inc.php
web/template/actions_form.php
web/template/pkg_comment_form.php
web/template/pkg_comments.php
web/template/pkg_details.php
web/template/pkg_search_results.php
web/template/tu_details.php
|
|
The corresponding closing "</div>" tag is only printed if the if-branch
is taken, which results in broken HTML code if the if-branch is skipped.
Move the "<div>" tag so that either both or none of the tags are
included in the generated HTML code.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Remove an erroneous quote from the destination URL of links to
officially supported package dependencies on archweb.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
* Rearrange order of package details to a more logical order
* Add widget box on right side of page that has package actions. Limited to
viewing PKGBUILD, downloading tarball, and printing package flag date.
Eventually should be able to support all AUR package actions.
* Move "Dependencies" and "Required by" to new CSS to allow for them to be
displayed as columns adjacent to one another, with one package per line.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Using a div container to format heading is ridiculous. Use "<h2></h2>"
instead.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Signed-off-by: canyonknight <canyonknight@gmail.com>
|
|
No need to show a full RFC 2822-compliant date here. Instead, display
date, hours and minutes for "Last Updated" and "First Submitted" fields
and display the date only for the out-of-date time stamp.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: canyonknight <canyonknight@gmail.com>
|
|
A mix of logical operator styles are currently in use. The predominant style
uses "&&" and "||" instead of "and" and "or", respectively. This inconsistency
is minor, but is easily avoided.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Specially crafted pages can force authenticated users to unknowingly perform
actions on the AUR website despite being on an attacker's website. This
cross-site request forgery (CSRF) vulnerability applies to all POST data on
the AUR.
Implement a token system using a double submit cookie. Have a hidden form
value on every page containing POST forms. Use the newly added check_token() to
verify the token sent via POST matches the "AURSID" cookie value. Random
nature of the token limits potential for CSRF.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
This is more user-friendly than supporting package IDs only and can be
used as a basis to support direct links to AUR packages in places where
links are computer-produced (e.g. Wiki templates).
Addresses FS#21600 and FS#28839.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Escape strings properly using htmlspecialchars(). Seems like we missed
these in former cleanups. Fixes FS#28515.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
This makes the "Category" label as well as "Change category" button on
the package details page translatable. Fixes FS#25692.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
These were never used in the function. Where they are used is in the
pkg_details.php template, so move them closer to their actual usage so
as not to confuse poor programmers such as myself.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
This implements the following scheme:
* /packages/cower/ --> /packages/co/cower/
* /packages/j/ --> /packages/j/j/
* /packages/zqy/ --> /packages/zq/zqy/
We take up to the first two characters of each package name as a
intermediate subdirectory, and then the full package name lives
underneath that. Shorter named packages live in a single letter
directory.
Why, you ask? Well because earlier today the AUR hit 32,000 entries in
the unsupported/ directory, making new package uploads impossible. While
some might argue we shouldn't have so many damn packages in the repos,
we should be able to handle this case.
Why two characters instead of one? Our two biggest two-char groups, 'pe'
and 'py', both start with 'p', and have nearly 2000 packages each. Go
Python and Perl.
Still needed is a "move the existing data" script, as well as a set of
rewrite rules for those wishing to preserve backward compatible URLs for
any helper programs doing the wrong thing and relying on them.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
There may be characters in package dependencies that are reserved within
URLs (e.g. "+"). Use urlencode() to ensure those are encoded correctly.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Instead, we just store dependencies directly in the PackageDepends
table. Since we don't use this info anywhere besides the package details
page, there is little value in precalculating what is in the AUR vs.
what is not.
An upgrade path is provided via several SQL statements in the UPGRADING
document. There should be no user-visible change from this, but the DB
schema gets a bit more sane and we no longer have loads of junk packages
in our tables that are never shown to the end user. This should also
help the MySQL query planner in several cases as we no longer have to be
careful to exclude dummy packages on every query.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
I've been wanting to kill this one for a long time.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Fix a lot of invalid XHTML in the templates and actions. There might
still be some legacy code left, but this should cover most of it.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
For some reason we were doing this song and dance "iterate all the known
parameters" business. This is totally unnecessary, clutters the links,
and was spewing errors all over the place, so kill it.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Required by query does not have a dep condition element.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
We don't need this anymore since all packages managed here are
well...managed here. Rip out all of the places we were using this field,
many of which depended on the magic value '2' anyway.
On the display side of things, we had a column that was always showing
'unsupported' that is now gone, and you can no longer sort by this column.
Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Tarball extraction code has been removed in commit
ec0dfc27deb246ee7d7f19fd5290e499805869d2, so links to package sources
contained in the source tarball itself will no longer be accessible
through the AUR frontend.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|
|
Drop the "URLPath" field from the "Packages" table, build URLs from
package names instead.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
|