aur.inc.php 10.8 KB
Newer Older
1
<?php
2
set_include_path(get_include_path() . PATH_SEPARATOR . '../lib' . PATH_SEPARATOR . '../template');
pjmattal's avatar
pjmattal committed
3
header('Content-Type: text/html; charset=utf-8');
simo's avatar
simo committed
4
5
6
header('Cache-Control: no-cache, must-revalidate');
header('Expires: Tue, 11 Oct 1988 22:00:00 GMT'); // quite a special day
header('Pragma: no-cache');
7

Dan McGee's avatar
Dan McGee committed
8
9
date_default_timezone_set('UTC');

10
include_once('translator.inc.php');
11
12
set_lang();

13
include_once("config.inc.php");
14
include_once("routing.inc.php");
15
16
include_once("version.inc.php");
include_once("acctfuncs.inc.php");
17
include_once("cachefuncs.inc.php");
elij's avatar
elij committed
18

eric's avatar
eric committed
19
20
# see if the visitor is already logged in
#
21
function check_sid($dbh=NULL) {
eric's avatar
eric committed
22
	global $_COOKIE;
eric's avatar
eric committed
23
	global $LOGIN_TIMEOUT;
eric's avatar
eric committed
24

Loui Chang's avatar
Loui Chang committed
25
	if (isset($_COOKIE["AURSID"])) {
eric's avatar
eric committed
26
27
28
		$failed = 0;
		# the visitor is logged in, try and update the session
		#
29
30
31
		if(!$dbh) {
			$dbh = db_connect();
		}
eric's avatar
eric committed
32
		$q = "SELECT LastUpdateTS, UNIX_TIMESTAMP() FROM Sessions ";
canyonknight's avatar
canyonknight committed
33
34
35
36
37
		$q.= "WHERE SessionID = " . $dbh->quote($_COOKIE["AURSID"]);
		$result = $dbh->query($q);
		$row = $result->fetch(PDO::FETCH_NUM);

		if (!$row[0]) {
eric's avatar
eric committed
38
39
			# Invalid SessionID - hacker alert!
			#
eric's avatar
eric committed
40
41
			$failed = 1;
		} else {
42
43
			$last_update = $row[0];
			if ($last_update + $LOGIN_TIMEOUT <= $row[1]) {
eric's avatar
eric committed
44
				$failed = 2;
eric's avatar
eric committed
45
46
			}
		}
47

eric's avatar
eric committed
48
49
		if ($failed == 1) {
			# clear out the hacker's cookie, and send them to a naughty page
50
			# why do you have to be so harsh on these people!?
eric's avatar
eric committed
51
			#
52
			setcookie("AURSID", "", 1, "/", null, !empty($_SERVER['HTTPS']), true);
53
			unset($_COOKIE['AURSID']);
eric's avatar
eric committed
54
		} elseif ($failed == 2) {
Dan McGee's avatar
Dan McGee committed
55
			# session id timeout was reached and they must login again.
eric's avatar
eric committed
56
			#
57
			delete_session_id($_COOKIE["AURSID"], $dbh);
eric's avatar
eric committed
58

59
			setcookie("AURSID", "", 1, "/", null, !empty($_SERVER['HTTPS']), true);
60
			unset($_COOKIE['AURSID']);
eric's avatar
eric committed
61
62
63
		} else {
			# still logged in and haven't reached the timeout, go ahead
			# and update the idle timestamp
64
65
66

			# Only update the timestamp if it is less than the
			# current time plus $LOGIN_TIMEOUT.
eric's avatar
eric committed
67
			#
68
69
70
71
			# This keeps 'remembered' sessions from being
			# overwritten.
			if ($last_update < time() + $LOGIN_TIMEOUT) {
				$q = "UPDATE Sessions SET LastUpdateTS = UNIX_TIMESTAMP() ";
canyonknight's avatar
canyonknight committed
72
73
				$q.= "WHERE SessionID = " . $dbh->quote($_COOKIE["AURSID"]);
				$dbh->exec($q);
74
			}
eric's avatar
eric committed
75
76
77
78
79
		}
	}
	return;
}

80
81
82
83
84
85
86
87
88
89
# Verify the supplied token matches the expected token for POST forms
#
function check_token() {
	if (isset($_POST['token'])) {
		return ($_POST['token'] == $_COOKIE['AURSID']);
	} else {
		return false;
	}
}

eric's avatar
eric committed
90
91
92
# verify that an email address looks like it is legitimate
#
function valid_email($addy) {
93
94
95
96
97
98
99
100
101
102
103
104
	// check against RFC 3696
	if (filter_var($addy, FILTER_VALIDATE_EMAIL) === false) {
		return false;
	}

	// check dns for mx, a, aaaa records
	list($local, $domain) = explode('@', $addy);
	if (!(checkdnsrr($domain, 'MX') || checkdnsrr($domain, 'A') || checkdnsrr($domain, 'AAAA'))) {
		return false;
	}

	return true;
eric's avatar
eric committed
105
106
}

eric's avatar
eric committed
107
108
109
# generate a (hopefully) unique session id
#
function new_sid() {
110
	return md5($_SERVER['REMOTE_ADDR'] . uniqid(mt_rand(), true));
eric's avatar
eric committed
111
112
}

eric's avatar
eric committed
113

114
115
# obtain the username if given their Users.ID
#
116
function username_from_id($id="", $dbh=NULL) {
117
118
119
	if (!$id) {
		return "";
	}
120
121
122
	if(!$dbh) {
		$dbh = db_connect();
	}
canyonknight's avatar
canyonknight committed
123
124
	$q = "SELECT Username FROM Users WHERE ID = " . $dbh->quote($id);
	$result = $dbh->query($q);
125
126
127
	if (!$result) {
		return "None";
	}
canyonknight's avatar
canyonknight committed
128
	$row = $result->fetch(PDO::FETCH_NUM);
129
130
131
132
133

	return $row[0];
}


eric's avatar
eric committed
134
135
# obtain the username if given their current SID
#
136
function username_from_sid($sid="", $dbh=NULL) {
eric's avatar
eric committed
137
138
139
	if (!$sid) {
		return "";
	}
140
141
142
	if(!$dbh) {
		$dbh = db_connect();
	}
eric's avatar
eric committed
143
144
145
	$q = "SELECT Username ";
	$q.= "FROM Users, Sessions ";
	$q.= "WHERE Users.ID = Sessions.UsersID ";
canyonknight's avatar
canyonknight committed
146
147
	$q.= "AND Sessions.SessionID = " . $dbh->quote($sid);
	$result = $dbh->query($q);
eric's avatar
eric committed
148
149
150
	if (!$result) {
		return "";
	}
canyonknight's avatar
canyonknight committed
151
	$row = $result->fetch(PDO::FETCH_NUM);
eric's avatar
eric committed
152
153
154
155
156
157

	return $row[0];
}

# obtain the email address if given their current SID
#
158
function email_from_sid($sid="", $dbh=NULL) {
eric's avatar
eric committed
159
160
161
	if (!$sid) {
		return "";
	}
162
163
164
	if(!$dbh) {
		$dbh = db_connect();
	}
eric's avatar
eric committed
165
166
167
	$q = "SELECT Email ";
	$q.= "FROM Users, Sessions ";
	$q.= "WHERE Users.ID = Sessions.UsersID ";
canyonknight's avatar
canyonknight committed
168
169
	$q.= "AND Sessions.SessionID = " . $dbh->quote($sid);
	$result = $dbh->query($q);
eric's avatar
eric committed
170
171
172
	if (!$result) {
		return "";
	}
canyonknight's avatar
canyonknight committed
173
	$row = $result->fetch(PDO::FETCH_NUM);
eric's avatar
eric committed
174
175
176
177
178
179
180

	return $row[0];
}

# obtain the account type if given their current SID
# Return either "", "User", "Trusted User", "Developer"
#
181
function account_from_sid($sid="", $dbh=NULL) {
eric's avatar
eric committed
182
183
184
	if (!$sid) {
		return "";
	}
185
186
187
	if(!$dbh) {
		$dbh = db_connect();
	}
eric's avatar
eric committed
188
189
190
	$q = "SELECT AccountType ";
	$q.= "FROM Users, AccountTypes, Sessions ";
	$q.= "WHERE Users.ID = Sessions.UsersID ";
191
	$q.= "AND AccountTypes.ID = Users.AccountTypeID ";
canyonknight's avatar
canyonknight committed
192
193
	$q.= "AND Sessions.SessionID = " . $dbh->quote($sid);
	$result = $dbh->query($q);
eric's avatar
eric committed
194
195
196
	if (!$result) {
		return "";
	}
canyonknight's avatar
canyonknight committed
197
	$row = $result->fetch(PDO::FETCH_NUM);
eric's avatar
eric committed
198
199
200

	return $row[0];
}
201

202
203
# obtain the Users.ID if given their current SID
#
204
function uid_from_sid($sid="", $dbh=NULL) {
205
206
207
	if (!$sid) {
		return "";
	}
208
209
210
	if(!$dbh) {
		$dbh = db_connect();
	}
211
212
213
	$q = "SELECT Users.ID ";
	$q.= "FROM Users, Sessions ";
	$q.= "WHERE Users.ID = Sessions.UsersID ";
canyonknight's avatar
canyonknight committed
214
215
	$q.= "AND Sessions.SessionID = " . $dbh->quote($sid);
	$result = $dbh->query($q);
216
217
218
	if (!$result) {
		return 0;
	}
canyonknight's avatar
canyonknight committed
219
	$row = $result->fetch(PDO::FETCH_NUM);
220
221
222
223

	return $row[0];
}

224
225
226
# connect to the database
#
function db_connect() {
canyonknight's avatar
canyonknight committed
227
228
	try {
		$dbh = new PDO(AUR_db_DSN_prefix . ":" . AUR_db_host . ";dbname=" . AUR_db_name, AUR_db_user, AUR_db_pass);
Dan McGee's avatar
Dan McGee committed
229
	}
canyonknight's avatar
canyonknight committed
230
231
	catch (PDOException $e) {
		echo "Error - Could not connect to AUR database: " . $e->getMessage();
eric's avatar
eric committed
232
	}
233

canyonknight's avatar
canyonknight committed
234
	$dbh->exec("SET NAMES 'utf8' COLLATE 'utf8_general_ci';");
235

canyonknight's avatar
canyonknight committed
236
	return $dbh;
eric's avatar
eric committed
237
238
}

239
240
# common header
#
241
function html_header($title="") {
242
	global $LANG;
243
	global $SUPPORTED_LANGS;
244

245
246
	$title = htmlspecialchars($title, ENT_QUOTES);

247
248
	include('header.php');
	return;
249
250
}

251

252
253
254
# common footer
#
function html_footer($ver="") {
255
	include('footer.php');
256
257
258
	return;
}

259
# check to see if the user can submit a package
eric's avatar
eric committed
260
#
261
function can_submit_pkg($name="", $sid="", $dbh=NULL) {
eric's avatar
eric committed
262
	if (!$name || !$sid) {return 0;}
263
264
265
	if(!$dbh) {
		$dbh = db_connect();
	}
Dan McGee's avatar
Dan McGee committed
266
	$q = "SELECT MaintainerUID ";
canyonknight's avatar
canyonknight committed
267
268
269
270
271
272
273
	$q.= "FROM Packages WHERE Name = " . $dbh->quote($name);
	$result = $dbh->query($q);
	$row = $result->fetch(PDO::FETCH_NUM);

	if (!$row[0]) {
		return 1;
	}
274
	$my_uid = uid_from_sid($sid, $dbh);
eric's avatar
eric committed
275

276
	if ($row[0] === NULL || $row[0] == $my_uid) {
277
278
		return 1;
	}
eric's avatar
eric committed
279
280
281
282

	return 0;
}

eric's avatar
eric committed
283
284
# recursive delete directory
#
285
286
287
288
289
290
291
292
293
294
295
296
297
function rm_tree($dirname) {
	if (empty($dirname) || !is_dir($dirname)) return;

	foreach (scandir($dirname) as $item) {
		if ($item != '.' && $item != '..') {
			$path = $dirname . '/' . $item;
			if (is_file($path) || is_link($path)) {
				unlink($path);
			}
			else {
				rm_tree($path);
			}
		}
eric's avatar
eric committed
298
	}
Loui Chang's avatar
Loui Chang committed
299

300
301
	rmdir($dirname);

eric's avatar
eric committed
302
303
304
	return;
}

305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
# Recursive chmod to set group write permissions
#
function chmod_group($path) {
	if (!is_dir($path))
		return chmod($path, 0664);

	$d = dir($path);
	while ($f = $d->read()) {
		if ($f != '.' && $f != '..') {
			$fullpath = $path.'/'.$f;
			if (is_link($fullpath))
				continue;
			elseif (!is_dir($fullpath)) {
				if (!chmod($fullpath, 0664))
					return FALSE;
			}
			elseif(!chmod_group($fullpath))
				return FALSE;
		}
	}
	$d->close();

	if(chmod($path, 0775))
		return TRUE;
	else
		return FALSE;
}

simo's avatar
simo committed
333
334
# obtain the uid given a Users.Username
#
335
function uid_from_username($username="", $dbh=NULL) {
simo's avatar
simo committed
336
337
338
	if (!$username) {
		return "";
	}
339
340
341
	if(!$dbh) {
		$dbh = db_connect();
	}
canyonknight's avatar
canyonknight committed
342
343
	$q = "SELECT ID FROM Users WHERE Username = " . $dbh->quote($username);
	$result = $dbh->query($q);
simo's avatar
simo committed
344
345
346
	if (!$result) {
		return "None";
	}
canyonknight's avatar
canyonknight committed
347
	$row = $result->fetch(PDO::FETCH_NUM);
348
349
350
351
352
353

	return $row[0];
}

# obtain the uid given a Users.Email
#
354
function uid_from_email($email="", $dbh=NULL) {
355
356
357
	if (!$email) {
		return "";
	}
358
359
360
	if(!$dbh) {
		$dbh = db_connect();
	}
canyonknight's avatar
canyonknight committed
361
362
	$q = "SELECT ID FROM Users WHERE Email = " . $dbh->quote($email);
	$result = $dbh->query($q);
363
364
365
	if (!$result) {
		return "None";
	}
canyonknight's avatar
canyonknight committed
366
	$row = $result->fetch(PDO::FETCH_NUM);
367

simo's avatar
simo committed
368
369
370
	return $row[0];
}

371
372
# check user privileges
#
373
function check_user_privileges() {
374
375
376
377
	$type = account_from_sid($_COOKIE['AURSID']);
	return ($type == 'Trusted User' || $type == 'Developer');
}

378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
/**
 * Generate clean url with edited/added user values
 *
 * Makes a clean string of variables for use in URLs based on current $_GET and
 * list of values to edit/add to that. Any empty variables are discarded.
 *
 * ex. print "http://example.com/test.php?" . mkurl("foo=bar&bar=baz")
 *
 * @param string $append string of variables and values formatted as in URLs
 * ex. mkurl("foo=bar&bar=baz")
 * @return string clean string of variables to append to URL, urlencoded
 */
function mkurl($append) {
	$get = $_GET;
	$append = explode('&', $append);
	$uservars = array();
	$out = '';

	foreach ($append as $i) {
		$ex = explode('=', $i);
		$uservars[$ex[0]] = $ex[1];
	}

	foreach ($uservars as $k => $v) { $get[$k] = $v; }

	foreach ($get as $k => $v) {
		if ($v !== '') {
			$out .= '&amp;' . urlencode($k) . '=' . urlencode($v);
		}
	}

	return substr($out, 5);
}
Denis's avatar
Denis committed
411

412
function get_salt($user_id, $dbh=NULL) {
413
414
415
	if(!$dbh) {
		$dbh = db_connect();
	}
canyonknight's avatar
canyonknight committed
416
417
	$q = "SELECT Salt FROM Users WHERE ID = " . $user_id;
	$result = $dbh->query($q);
elij's avatar
elij committed
418
	if ($result) {
canyonknight's avatar
canyonknight committed
419
420
		$row = $result->fetch(PDO::FETCH_NUM);
		return $row[0];
elij's avatar
elij committed
421
422
	}
	return;
Denis's avatar
Denis committed
423
424
}

425
function save_salt($user_id, $passwd, $dbh=NULL) {
426
427
428
	if(!$dbh) {
		$dbh = db_connect();
	}
Denis's avatar
Denis committed
429
430
	$salt = generate_salt();
	$hash = salted_hash($passwd, $salt);
canyonknight's avatar
canyonknight committed
431
432
433
	$q = "UPDATE Users SET Salt = " . $dbh->quote($salt) . ", ";
	$q.= "Passwd = " . $dbh->quote($hash) . " WHERE ID = " . $user_id;
	$result = $dbh->exec($q);
Denis's avatar
Denis committed
434
435
}

436
function generate_salt() {
437
	return md5(uniqid(mt_rand(), true));
Denis's avatar
Denis committed
438
439
}

440
function salted_hash($passwd, $salt) {
Denis's avatar
Denis committed
441
442
443
444
445
	if (strlen($salt) != 32) {
		trigger_error('Salt does not look like an md5 hash', E_USER_WARNING);
	}
	return md5($salt . $passwd);
}
446

447
function parse_comment($comment) {
448
449
450
451
452
453
454
455
456
457
458
	$url_pattern = '/(\b(?:https?|ftp):\/\/[\w\/\#~:.?+=&%@!\-;,]+?' .
		'(?=[.:?\-;,]*(?:[^\w\/\#~:.?+=&%@!\-;,]|$)))/iS';

	$matches = preg_split($url_pattern, $comment, -1,
		PREG_SPLIT_DELIM_CAPTURE);

	$html = '';
	for ($i = 0; $i < count($matches); $i++) {
		if ($i % 2) {
			# convert links
			$html .= '<a href="' . htmlspecialchars($matches[$i]) .
elij's avatar
elij committed
459
				'">' .	htmlspecialchars($matches[$i]) . '</a>';
460
461
462
463
464
465
466
467
468
		}
		else {
			# convert everything else
			$html .= nl2br(htmlspecialchars($matches[$i]));
		}
	}

	return $html;
}
canyonknight's avatar
canyonknight committed
469
470
471
472
473

function begin_atomic_commit($dbh=NULL) {
	if(!$dbh) {
		$dbh = db_connect();
	}
canyonknight's avatar
canyonknight committed
474
	$dbh->beginTransaction();
canyonknight's avatar
canyonknight committed
475
476
477
478
479
480
}

function end_atomic_commit($dbh=NULL) {
	if(!$dbh) {
		$dbh = db_connect();
	}
canyonknight's avatar
canyonknight committed
481
	$dbh->commit();
canyonknight's avatar
canyonknight committed
482
483
484
485
486
487
}

function last_insert_id($dbh=NULL) {
	if(!$dbh) {
		$dbh = db_connect();
	}
canyonknight's avatar
canyonknight committed
488
	return $dbh->lastInsertId();
canyonknight's avatar
canyonknight committed
489
}
canyonknight's avatar
canyonknight committed
490
491
492
493
494
495
496
497
498

function latest_pkgs($numpkgs, $dbh=NULL) {
	if(!$dbh) {
		$dbh = db_connect();
	}

	$q = "SELECT * FROM Packages ";
	$q.= "ORDER BY SubmittedTS DESC ";
	$q.= "LIMIT " .intval($numpkgs);
canyonknight's avatar
canyonknight committed
499
	$result = $dbh->query($q);
canyonknight's avatar
canyonknight committed
500
501

	if ($result) {
canyonknight's avatar
canyonknight committed
502
		while ($row = $result->fetch(PDO::FETCH_ASSOC)) {
canyonknight's avatar
canyonknight committed
503
504
505
506
507
508
			$packages[] = $row;
		}
	}

	return $packages;
}