Implements FS#33294

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Use Twitter Bootstrap JavaScript framework for typeahead support.

Add a new "suggest" JSON method, which returns the first 20
packages that match the beginning characters of a query.

canyonknight: Link format change, commit message
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Supported languages are listed in their native language. Only Dutch is
in English. Translate reference into Dutch.

canyonknight: Commit message clarity

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Users with certain locales are unable to generate dummy data.
Enforce UTF-8 encoding.

Fixes FS#32986

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Fortune calls slows down the generation of dummy data dramatically
for large datasets. Read from a specified fortune file directly
to avoid the need for the subprocess.

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Currently, package flagging and unflagging takes place within the
pkg_flag() function. A bool is set to true or false depending on the
action.

Create new pkg_unflag() function with sole purpose of unflagging
and keep pkg_flag() in place. This split will be useful in the
overhaul of the notification system.

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

A check is only done to verify a Trusted User isn't promoting their
account. An attacker can send tampered account type POST data to
change their "User" level account to a "Developer" account.

Add check so that all users cannot increase their own account
permissions.

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Checks are in place to avoid users getting account editing forms
they shouldn't have access to. The appropriate checks before
editing the account in the backend are not in place.

This vulnerability allows a user to craft malicious POST data to
edit other user accounts, thereby allowing account hijacking.

Add a new flexible function can_edit_account() to determine if
a user has appropriate permissions. Run the permission check before
processing any account information in the backend.

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Voter page token check takes place in the same way as other
existing token checks. Move the check for consistency.

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Packages with multiple DepConditions are returned multiple
times in the "Required by" column.

Limit SQL results to distinct packages.

Fixes FS#32478

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Package names and dep conditions can be specially crafted for an XSS
attack. Properly sanitize these variables on the package details page.

In addition, avoid including dep conditions as part of a package link.

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Use the routing library to build proper URIs instead of relying on the
"REQUEST_URI" server variable which can be manipulated and might return
bogus URIs.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Both get_pkg_uri() and get_user_uri() should always return root-relative
URLs -- do not prepend another "/".

Fixes FS#32460.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Make sure we always return root-relative URIs in get_pkg_uri() and in
get_user_uri() and prepend a slash ("/") if the virtual URL feature is
disabled.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Display a special error message if the package is identified as split
package.

Currently, the AUR displays a very vague error message when a split
package is submitted ("Invalid name: only lowercase letters are
allowed"). This often caused confusion among package submitters, see
FS#22834 and FS#32450.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Fixes FS#32455.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Fixes FS#32449.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Commit 091c2b5f

 introduced lower casing
to the language drop-down list. Revert this and use htmlspecialchars()
to escape language entries instead.

Addresses FS#32453.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

The Archive_Tar PEAR module is no longer needed as of commit
acdf9a85

. Remove the associated
upgrading instruction.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Display an error page and return a 404 status code in the following
cases:

* An invalid package name is passed to the "packages" action.
* An invalid user name is passed to the "account" action.
* An invalid package action is passed.
* An invalid account action is passed.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Users are able to upload tarballs without a directory.
The directory count for a tarball is available, so use it to
display an error when there is not a single directory.

This patch has no effect on users who generate their uploaded
tarballs using makepkg. All other users must include a directory
in their tarball.

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Word-wrap labels in the package statistics box, just as we wrap package
names in the "Recent Updates" box.

Addresses FS#32160.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Some AUR setups do not have PEAR available. While other setups
have access to outdated Archive_Tar versions. Avoid these
problems completely by including the necessary files for
Archive_Tar in lib/.

Remove Archive_Tar requirement from INSTALL doc.

Signed-off-by: canyonknight <canyonknight@gmail.com>

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

With no limit to the number of results, memory_limit set to 32M
can easily be exceeded for searches that have a large number of
results. This results in an HTTP error 500 for those queries.

Limit results to an amount set within config.inc.php to avoid
exceeding memory_limit. Introduce new JSON error code for when
the result limit is hit.

Fixes FS#31849

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

The main site, wiki, and BBS are using HTTPS exclusively, so link
directly to the correct protocol rather than forcing a redirect.

Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>