1. 24 Sep, 2012 2 commits
  2. 23 Aug, 2012 2 commits
  3. 15 Jul, 2012 3 commits
  4. 14 Jul, 2012 1 commit
  5. 11 Jul, 2012 1 commit
  6. 06 Jul, 2012 4 commits
  7. 24 Jun, 2012 1 commit
    • Implement token system to fix CSRF vulnerabilities · 2c93f0a9
      canyonknight authored
      Specially crafted pages can force authenticated users to unknowingly perform
      actions on the AUR website despite being on an attacker's website. This
      cross-site request forgery (CSRF) vulnerability applies to all POST data on
      the AUR.
      Implement a token system using a double submit cookie. Have a hidden form
      value on every page containing POST forms. Use the newly added check_token() to
      verify the token sent via POST matches the "AURSID" cookie value. The random
      nature of the token limits the potential for CSRF.
      Signed-off-by: canyonknight <canyonknight@gmail.com>
      Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
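The double-submit check this commit describes, written out as an added example that is not the AUR's own code: the hidden form field carries the value of the AURSID cookie and check_token() compares what was POSTed with the cookie the browser sent. The cookie name comes from the commit message; the field name `token`, the function signatures and the sample values are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not the AUR's own code. The cookie name "AURSID" comes from
// the commit message; the form field name "token", the function signatures
// and the sample values below are assumptions.

// Hidden field to embed in every form that POSTs back to the site. The value
// is the same as the AURSID cookie, so only a page served to the cookie's
// owner can produce a matching form.
function csrf_hidden_field(string $cookie_value): string
{
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars($cookie_value, ENT_QUOTES, 'UTF-8') . '" />';
}

// Double-submit check: the token posted with the form must equal the cookie.
// A cross-site page can make the browser send the cookie, but it cannot read
// it, so it cannot fill in a matching hidden field.
function check_token(array $post, array $cookie): bool
{
    if (!isset($post['token'], $cookie['AURSID'])) {
        return false;                       // missing either half: reject
    }
    if (!is_string($post['token']) || !is_string($cookie['AURSID'])) {
        return false;                       // e.g. token[]=... arrays: reject
    }
    // Constant-time comparison (hash_equals() needs PHP >= 5.6).
    return hash_equals($cookie['AURSID'], $post['token']);
}

// Constructed requests: a genuine submission, a forged one and one with no
// token at all. In the real handler these would be $_POST and $_COOKIE.
$sid = bin2hex(random_bytes(16));          // stand-in for the session ID
$cookie = ['AURSID' => $sid];
$cases = [
    'genuine' => ['token' => $sid],
    'forged'  => ['token' => 'attacker-supplied-value'],
    'missing' => [],
];
foreach ($cases as $label => $post) {
    printf("%-8s %s\n", $label, check_token($post, $cookie) ? 'accepted' : 'rejected');
}
echo csrf_hidden_field($sid), "\n";
```

Because the session ID is echoed into every form, anything that can read the page (a shared cache, or injected script) can read the token, so those pages must not be cacheable and output escaping elsewhere on the page has to hold.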
  8. 19 Mar, 2012 1 commit
    • web/html/pkgsubmit.php: Revamp tarball validation · 1f36664e
      Lukas Fleischer authored
      * Reorder checks.
      * Use simple string functions instead of regular expressions.
      * Check for type flags before validating paths.
      The latter ensures we don't treat tarball keywords/flags as directories.
      This avoids problems with bsdtar inserting PaxHeader attributes into the
      archive which look something like the following to Archive_Tar:
      This only occurs on certain filesystems (e.g. jfs), but the tarball is
      by no means invalid. When extracted, it will only contain the PKGBUILD
      within a single subdirectory.
      Addresses FS#28802.
      Thanks-to: Dave Reisner <dreisner@archlinux.org>
      Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
  9. 25 Oct, 2011 1 commit
    • Wrap mysql_real_escape_string() in a function · 10b6a8ff
      Lukas Fleischer authored
      Wrap mysql_real_escape_string() in a wrapper function db_escape_string()
      to ease porting to other databases, and as another step to pulling more
      of the database code into a central location.
      This is a rebased version of a patch by elij submitted about half a year
      Thanks-to: elij <elij.mx@gmail.com>
      Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
  10. 24 Oct, 2011 2 commits
  11. 05 Sep, 2011 1 commit
    • web/html/pkgsubmit.php: Deal with unset category ID · 1b63994b
      Lukas Fleischer authored
      Do not move the package to the incoming package directory and fail to
      create proper database entries if some AUR upload helper doesn't provide
      a category. We got several failing constraints here, such as:
        Cannot add or update a child row: a foreign key constraint fails
        (`AUR`.`Packages`, CONSTRAINT `Packages_ibfk_1` FOREIGN KEY
        (`CategoryID`) REFERENCES `PackageCategories` (`ID`) ON DELETE NO
      Instead, default to "1" (which is "none", or "keep category" for
      existing packages) if no category is supplied.
      Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
  12. 20 Aug, 2011 1 commit
  13. 11 Aug, 2011 2 commits
  14. 10 Aug, 2011 1 commit
    • Segment the upload directory by package name prefix · 9a79d210
      Dan McGee authored
      This implements the following scheme:
      * /packages/cower/ --> /packages/co/cower/
      * /packages/j/     --> /packages/j/j/
      * /packages/zqy/   --> /packages/zq/zqy/
      We take up to the first two characters of each package name as an
      intermediate subdirectory, and then the full package name lives
      underneath that. Shorter named packages live in a single letter
      Why, you ask? Well because earlier today the AUR hit 32,000 entries in
      the unsupported/ directory, making new package uploads impossible. While
      some might argue we shouldn't have so many damn packages in the repos,
      we should be able to handle this case.
      Why two characters instead of one? Our two biggest two-char groups, 'pe'
      and 'py', both start with 'p', and have nearly 2000 packages each. Go
      Python and Perl.
      Still needed is a "move the existing data" script, as well as a set of
      rewrite rules for those wishing to preserve backward compatible URLs for
      any helper programs doing the wrong thing and relying on them.
      Signed-off-by: Dan McGee <dan@archlinux.org>
      Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
  15. 29 Jul, 2011 1 commit
  16. 28 Jun, 2011 1 commit
  17. 25 Jun, 2011 1 commit
    • Honor epoch field in PKGBUILD files. · 2131d3cb
      Slavi Pantaleev authored
      The epoch field in PKGBUILD files was completely ignored until now,
      and the final Version field for a package consisted only of
      pkgver and pkgrel (example: 5.0-1)
      This means that rpc.php reported the version incorrectly for packages
      having epoch > 0.
      One case where this was a problem is that it confused AUR helpers
      wanting to examine all locally installed packages (with epoch > 0)
      and search the AUR for an updated version.
      The epoch field is taken into consideration now, and if not 0,
      will be prepended to the final Version field (example: 1:5.0-1)
      Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
  18. 22 Jun, 2011 1 commit
  19. 27 Apr, 2011 1 commit
  20. 24 Apr, 2011 2 commits
  21. 05 Apr, 2011 1 commit
  22. 03 Apr, 2011 3 commits
    • Remove Dummy Package concept · 7c91c592
      Dan McGee authored
      Instead, we just store dependencies directly in the PackageDepends
      table. Since we don't use this info anywhere besides the package details
      page, there is little value in precalculating what is in the AUR vs.
      what is not.
      An upgrade path is provided via several SQL statements in the UPGRADING
      document. There should be no user-visible change from this, but the DB
      schema gets a bit more sane and we no longer have loads of junk packages
      in our tables that are never shown to the end user. This should also
      help the MySQL query planner in several cases as we no longer have to be
      careful to exclude dummy packages on every query.
      Signed-off-by: Dan McGee <dan@archlinux.org>
      Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
    • Always set ModifiedTS including new packages · 1f252eba
      Dan McGee authored
      Set it equal to the SubmittedTS field, which will be our indication the
      package is new when we show the logo on the front page of the AUR.
      This results in the ability to remove the use of the unindexable
      GREATEST() function from the AUR code everywhere we had to use it before
      to handle the 0 timestamp case.
      Note that there is no race condition here in calling UNIX_TIMESTAMP()
      twice: it always returns the time at the beginning of the statement
          mysql> select unix_timestamp(), sleep(2), unix_timestamp();
          | unix_timestamp() | sleep(2) | unix_timestamp() |
          |       1300851746 |        0 |       1300851746 |
          1 row in set (2.00 sec)
      Signed-off-by: Dan McGee <dan@archlinux.org>
      Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
    • Submission process code refactor · 1128489b
      Dan McGee authored
      We had a ton of duplicate code shared between the insert and update
      cases. Do a refactor so we can pull this stuff out below the if/else
      block and only need it there once, saving some headaches.
      Signed-off-by: Dan McGee <dan@archlinux.org>
      Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
  23. 30 Mar, 2011 4 commits
  24. 27 Feb, 2011 1 commit
  25. 25 Feb, 2011 1 commit