In addition to parsing and storing dependencies of packages, store
makedepends, checkdepends and optdepends. Every dependency (of any type)
is displayed on the package details page.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Instead of always parsing the PKGBUILD, only invoke the parser when
there is no meta data (.AURINFO) available. This speeds up the general
case (packages including meta data).

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

This is legacy code. Move it to a separate source file in order to clean
up the submission code. The code will be removed altogether in an
upcoming release.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

A package should only be overwritten if it already belongs to the
package base that is trying to overwrite it.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

This adds full support for the new .AURINFO format used by mkaurball,
including support for split packages.

The old PKGBUILD parser is still available for compatibility reasons.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

This adds a PackageBases table to the database schema and moves the
following fields from the Packages table to PackageBases:

* CategoryID
* NumVotes
* OutOfDateTS
* SubmittedTS
* ModifiedTS
* SubmitterUID
* MaintainerUID

It also fixes all database accesses to comply with the new layout.

Having a separate PackageBases table is the first step to split package
support. By now, we create one PackageBases entry per package (where the
package base has the same name as the corresponding package). When
adding full support for split packages later, the package base name will
be derived from the pkgbase variable and a single package base will be
shared amongst all packages built from one source package.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Make use of the "errorlist" class instead of "pkgoutput" which is no
longer defined in the CSS.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Display a deprecation warning when a package without meta data is
submitted. The user can still decide to ignore that warning by
resubmitting the package but doing so is not recommended.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

mkaurball automatically adds .AURINFO meta data when building, so tell
people to use that instead of `makepkg --source`.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

There is an extension to the .AURINFO format that supports split
packages. Since there is no support for split packages in the AUR so
far, add a check to identify these cases.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Indentation can be useful if one wants to structure an .AURINFO file.
Remove leading and trailing whitespace from each line before parsing.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

This field has been renamed in a revision of the .AURINFO format.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Do not remove parentheses from the pkgname to make sure the split
package detection works properly.

Also, fix a regression introduced in 4bb6e887

 (pkgsubmit.php: Simplify
package name validation, 2013-03-05) that resulted in the split package
error message never showing up.

Fixes FS#37496.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

This allows for adding a metadata file called ".AURINFO" to source
tarballs to overwrite specific PKGBUILD fields. .AURINFO files are
parsed line by line. The syntax for each line is "key = value", where
key is any of the following field names:

* pkgname
* pkgver
* pkgdesc
* url
* license
* depend

Multiple "depend" lines can be specified to add multiple dependencies.

This format closely matches the .PKGINFO format that is used for binary
packages in pacman/libalpm. It can be extended by field name prefixes or
sections to support split packages later.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Move all PKGBUILD field validations to a central location.

Also, change $pkgbuild[] to $new_pkgbuild[] in order to parse evaluated
PKGBUILD fields instead of raw ones.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Remove redundant filters -- single quotes are already removed in
$pkgbuild_new and we do not pass the package name to a shell
(additionally, the regular expression already checks for potentially
evil characters).

Also, move the $pkg_name extraction up to fix the split package check.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Since all database related functions will establish a connection
when needed, there is no need to pre-emptively try and establish
a database connection.

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

All functions now have a database connection method that will use
the same database connection. This imitates the functionality of
passing a database connection as an argument and makes it redundant.

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Uses the Singleton pattern to ensure all queries use the same
database connection that is released upon script completion.

All database connections should now be called with DB::connect() and
not db_connect().

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Display a special error message if the package is identified as split
package.

Currently, the AUR displays a very vague error message when a split
package is submitted ("Invalid name: only lowercase letters are
allowed"). This often caused confusion among package submitters, see
FS#22834 and FS#32450.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Users are able to upload tarballs without a directory.
The directory count for a tarball is available, so use it to
display an error when there is not a single directory.

This patch has no effect on users who generate their uploaded
tarballs using makepkg. All other users must include a directory
in their tarball.

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Parameters were not correct for a package update operation.
Fix regression of 763cbf83



Fixes FS#31868

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

A foreach() is run without verifying an uploaded package has any depends.
Fix the undefined index notice for packages uploaded with no depends.
Similar to commit 857de725

.

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

* Use "<label>"/"</label>" for form labels.
* Use "<strong>"/"</strong>" for important text.
* Use "<h4>"/"</h4>" for headings.
* Drop "<b>"/"</b>" everywhere else.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Replace all occurrences of "<?php echo" and "<?php print" by "<?=" to
reduce noise in templates.

Note that as of PHP 5.4.0, "<?=" is always available and no longer
requires "short_open_tag" to be set.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Packages can currently be submitted with variables longer than the maximum
allowed by the DB for that specific field. The string will be shortened
without informing the user. This can result in unexpected oddities on
submitted packages. Print error messages informing the user when the package
name, URL, description, license, or version is too long.

Also move the resolution of full package version (including epoch) to an
earlier point in pkgsubmit.php

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Logged out users who navigate to /submit currently reach a page with only an
error message. This adds the full navigation bar for users who errantly reach
/submit before logging in.

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Regression introduced in f3ce74c7

 when
resolving conflicts.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Extend the routing front/back ends to allow for using
"/package/$pkgname/" for individual packages.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Use virtual paths in links (e.g. link to "/packages/" instead of
"/packages.php" etc.) if the virtual path feature is enabled.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

A foreach() being run without checking to see if the uploaded PKGBUILD had any
sources now no longer causes an undefined index notice when there are no
sources.

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

* Currently, $_FILES showing a filesize of zero is interpreted as no file was
uploaded, despite other errors potentially being the cause.
* The $_FILES superglobal stores what the actual error was, so use it. This
includes file write problems, empty uploads, partial uploads, and
upload_max_filesize being exceeded.

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

* Move DB code in pkgsubmit.php to new functions in  aur.inc.php and
pkgfuncs.inc.php
* Centralization of DB code important in a future transition to PDO interface

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

* Adjust style to match the overall layout.
* Use proper HTML tags and double quotes.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Signed-off-by: canyonknight <canyonknight@gmail.com>

Using a div container to format heading is ridiculous. Use "<h2></h2>"
instead.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Signed-off-by: canyonknight <canyonknight@gmail.com>

Specially crafted pages can force authenticated users to unknowingly perform
actions on the AUR website despite being on an attacker's website. This
cross-site request forgery (CSRF) vulnerability applies to all POST data on
the AUR.

Implement a token system using a double submit cookie. Have a hidden form
value on every page containing POST forms. Use the newly added check_token() to
verify the token sent via POST matches the "AURSID" cookie value. Random
nature of the token limits potential for CSRF.

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

* Reorder checks.
* Use simple string functions instead of regular expressions.
* Check for type flags before validating paths.

The latter ensures we don't treat tarball keywords/flags as directories.
This avoids problems with bsdtar inserting PaxHeader attributes into the
archive which look something like the following to Archive_Tar:

    PaxHeader/xcursor-protozoa
    xcursor-protozoa/
    xcursor-protozoa/PaxHeader/PKGBUILD
    xcursor-protozoa/PKGBUILD

This only occurs on certain filesystems (e.g. jfs), but the tarball is
by no means invalid. When extracted, it will only contain the PKGBUILD
within a single subdirectory.

Addresses FS#28802.

Thanks-to: Dave Reisner <dreisner@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>