1. 19 Jan, 2013 1 commit
  2. 21 Oct, 2012 1 commit
  3. 24 Sep, 2012 1 commit
  4. 20 Sep, 2012 1 commit
  5. 17 Sep, 2012 1 commit
    • Migrate all DB code to use PDO · e171f6f3
      canyonknight authored
      
      All DB code currently uses the quickly aging mysql_* functions. These
      functions are strongly discouraged and may eventually be deprecated.
      
      Transition all code to utilize the PDO data access abstraction layer. PDO
      allows for consistent query code across multiple databases. This could
      potentially allow for someone to use a database other than MySQL with
      minimal code changes.
      
      All functions and behaviors are reproduced as faithfully as possible with
      PDO equivalents and some changes in code.
      
      Signed-off-by: canyonknight <canyonknight@gmail.com>
      Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
  6. 17 Jul, 2012 1 commit
  7. 14 Jul, 2012 1 commit
  8. 06 Jul, 2012 4 commits
  9. 24 Jun, 2012 1 commit
    • Implement token system to fix CSRF vulnerabilities · 2c93f0a9
      canyonknight authored
      
      Specially crafted pages can force authenticated users to unknowingly perform
      actions on the AUR website despite being on an attacker's website. This
      cross-site request forgery (CSRF) vulnerability applies to all POST data on
      the AUR.
      
      Implement a token system using a double submit cookie. Have a hidden form
      value on every page containing POST forms. Use the newly added check_token() to
      verify the token sent via POST matches the "AURSID" cookie value. The random
      nature of the token limits the potential for CSRF.
      
      Signed-off-by: canyonknight <canyonknight@gmail.com>
      Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
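The double-submit check the commit message describes, as an added example that is not the AUR's own check_token(): every POST form carries a hidden token tied to the session cookie, and the server recomputes the expected value from the AURSID cookie and compares it with what was POSTed. It differs from the commit in one assumed detail: the token is an HMAC of the session id under a server-side secret rather than the raw cookie value, so the session id itself never appears in page markup. The function names, the cookie-reading approach and the secret are assumptions; hash_equals() keeps the comparison constant-time.

```php
<?php
// Added example of a double-submit-cookie CSRF check, modelled on the scheme
// the commit message describes. Not the AUR's own check_token(); the names,
// the HMAC derivation and the secret are assumptions.

const SESSION_COOKIE = 'AURSID';

// Derive the per-session CSRF token. An HMAC under a server secret means the
// token is bound to the session without exposing the session id in HTML.
function csrf_token(string $session_id, string $server_secret): string {
    return hash_hmac('sha256', $session_id, $server_secret);
}

// Emit the hidden form field that every POST form should carry.
function csrf_hidden_field(string $session_id, string $server_secret): string {
    $token = htmlspecialchars(csrf_token($session_id, $server_secret), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="token" value="' . $token . '" />';
}

// Verify a submitted request: the POSTed token must equal the token derived
// from the session cookie. Fails closed on anything missing or malformed.
function check_token(array $post, array $cookie, string $server_secret): bool {
    if (!isset($post['token'], $cookie[SESSION_COOKIE])) {
        return false;
    }
    if (!is_string($post['token']) || !is_string($cookie[SESSION_COOKIE])) {
        return false;
    }
    $expected = csrf_token($cookie[SESSION_COOKIE], $server_secret);
    return hash_equals($expected, $post['token']);
}

// Constructed sample data for a stand-alone run (no real request involved).
$secret  = 'replace-with-a-random-server-secret';
$session = bin2hex(random_bytes(16));
$cookies = [SESSION_COOKIE => $session];

echo csrf_hidden_field($session, $secret), PHP_EOL;

// A submission carrying the token rendered for this session is accepted;
// a third-party page cannot read the cookie, so it cannot produce the token.
$cases = [
    'token from our own page'  => ['token' => csrf_token($session, $secret)],
    'token missing'            => [],
    'token does not match'     => ['token' => str_repeat('0', 64)],
];
foreach ($cases as $label => $post) {
    printf("%-26s %s\n", $label, check_token($post, $cookies, $secret) ? 'accepted' : 'rejected');
}
```

Run it with the php command-line interpreter. The check rejects a request before any comparison when the token or the cookie is absent or not a string, which matters because a reverse proxy or a malformed request can deliver arrays or nothing at all under those keys.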
  10. 24 Mar, 2012 1 commit
  11. 21 Mar, 2012 1 commit
    • valid_email :: check if domain part is real · 0a1e1729
      BlackEagle authored
      
      This can be used as an intermediate 'patch' until there is a validation
      system in place.
      
      The extra check is to verify that the domain part of a correctly
      formatted email address exists and is in use. This will not at all
      stop spammers since they can use bogus emails with valid domain parts.
      
      Lukas: Minor formatting changes.
      
      Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
  12. 02 Nov, 2011 1 commit
  13. 25 Oct, 2011 2 commits
  14. 24 Oct, 2011 3 commits
  15. 11 Aug, 2011 3 commits
  16. 10 Aug, 2011 1 commit
  17. 25 Jun, 2011 2 commits
  18. 22 Jun, 2011 3 commits
  19. 17 May, 2011 1 commit
  20. 27 Apr, 2011 2 commits
  21. 10 Apr, 2011 1 commit
  22. 03 Apr, 2011 1 commit
    • Remove Dummy Package concept · 7c91c592
      Dan McGee authored
      
      Instead, we just store dependencies directly in the PackageDepends
      table. Since we don't use this info anywhere besides the package details
      page, there is little value in precalculating what is in the AUR vs.
      what is not.
      
      An upgrade path is provided via several SQL statements in the UPGRADING
      document. There should be no user-visible change from this, but the DB
      schema gets a bit more sane and we no longer have loads of junk packages
      in our tables that are never shown to the end user. This should also
      help the MySQL query planner in several cases as we no longer have to be
      careful to exclude dummy packages on every query.
      
      Signed-off-by: Dan McGee <dan@archlinux.org>
      Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
  23. 04 Mar, 2011 2 commits
  24. 27 Feb, 2011 2 commits
  25. 21 Feb, 2011 1 commit
  26. 25 Jan, 2011 1 commit
    • Replaced rm_rf() by rm_tree(). · 389d3a55
      Lukas Fleischer authored
      
      Implemented recursive directory deletion in PHP properly without the use
      of exec(). This improves security, performance and portability and makes
      the code compatible with PHP's Safe Mode as well as with PHP setups that
      disable exec() using the "disable_functions" directive.
      
      Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
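A pure-PHP recursive delete of the kind the commit describes, as an added example rather than the AUR's rm_tree(): it walks the tree with scandir() and removes entries with unlink() and rmdir() instead of shelling out, so it keeps working where exec() is disabled. One caveat worth making explicit: a symbolic link found inside the tree is unlinked rather than followed, so the walk cannot be steered outside the target directory by a link planted there. The function name and the demo tree under the system temp directory are constructed.

```php
<?php
// Added example of recursive directory removal without exec(). This is not
// the AUR's rm_tree(); the name and the demo tree are assumptions.

function rm_tree(string $path): bool {
    // Check is_link() before is_dir(): is_dir() follows symlinks, and a link
    // to a directory must be removed as a link, never descended into.
    if (is_link($path) || !is_dir($path)) {
        return unlink($path);
    }
    $entries = scandir($path, SCANDIR_SORT_NONE);
    if ($entries === false) {
        return false;
    }
    foreach ($entries as $entry) {
        if ($entry === '.' || $entry === '..') {
            continue;
        }
        if (!rm_tree($path . DIRECTORY_SEPARATOR . $entry)) {
            return false;   // stop at the first failure so the caller can report it
        }
    }
    // The directory is empty now; rmdir() refuses anything else.
    return rmdir($path);
}

// Constructed demo tree: nested directories, files, and a symlink pointing
// outside the tree that must survive the deletion untouched.
$base    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'rm_tree_demo_' . bin2hex(random_bytes(4));
$root    = $base . DIRECTORY_SEPARATOR . 'victim';
$outside = $base . DIRECTORY_SEPARATOR . 'keep';
mkdir($root . '/a/b', 0700, true);
mkdir($outside, 0700, true);
file_put_contents($root . '/a/b/file.txt', 'x');
file_put_contents($root . '/top.txt', 'y');
file_put_contents($outside . '/important.txt', 'must remain');
symlink($outside, $root . '/a/link-to-outside');

printf("rm_tree returned %s\n", rm_tree($root) ? 'true' : 'false');
printf("tree removed:    %s\n", file_exists($root) ? 'no' : 'yes');
printf("outside intact:  %s\n", is_file($outside . '/important.txt') ? 'yes' : 'no');

// Tidy up the scaffolding that was never part of the tree being removed.
rm_tree($base);
```

Run it with the php command-line interpreter on a POSIX system (symlink() needs filesystem support). Returning false at the first failure rather than continuing mirrors the fail-closed behaviour a caller wants from a deletion routine that runs with the web server's privileges.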