Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Supported languages are listed in their native language. Only Dutch is
in English. Translate reference into Dutch.

canyonknight: Commit message clarity

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

A check is only done to verify a Trusted User isn't promoting their
account. An attacker can send tampered account type POST data to
change their "User" level account to a "Developer" account.

Add check so that all users cannot increase their own account
permissions.

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Checks are in place to avoid users getting account editing forms
they shouldn't have access to. The appropriate checks before
editing the account in the backend are not in place.

This vulnerability allows a user to craft malicious POST data to
edit other user accounts, thereby allowing account hijacking.

Add a new flexible function can_edit_account() to determine if
a user has appropriate permissions. Run the permission check before
processing any account information in the backend.

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Packages with multiple DepConditions are returned multiple
times in the "Required by" column.

Limit SQL results to distinct packages.

Fixes FS#32478

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Package names and dep conditions can be specially crafted for an XSS
attack. Properly sanitize these variables on the package details page.

In addition, avoid including dep conditions as part of a package link.

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Use the routing library to build proper URIs instead of relying on the
"REQUEST_URI" server variable which can be manipulated and might return
bogus URIs.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Both get_pkg_uri() and get_user_uri() should always return root-relative
URLs -- do not prepend another "/".

Fixes FS#32460.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Make sure we always return root-relative URIs in get_pkg_uri() and in
get_user_uri() and prepend a slash ("/") if the virtual URL feature is
disabled.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Display a special error message if the package is identified as split
package.

Currently, the AUR displays a very vague error message when a split
package is submitted ("Invalid name: only lowercase letters are
allowed"). This often caused confusion among package submitters, see
FS#22834 and FS#32450.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Fixes FS#32455.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Fixes FS#32449.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Commit 091c2b5f introduced lower casing
to the language drop-down list. Revert this and use htmlspecialchars()
to escape language entries instead.

Addresses FS#32453.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

The Archive_Tar PEAR module is no longer needed as of commit
acdf9a85. Remove the associated
upgrading instruction.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Display an error page and return a 404 status code in the following
cases:

* An invalid package name is passed to the "packages" action.
* An invalid user name is passed to the "account" action.
* An invalid package action is passed.
* An invalid account action is passed.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Users are able to upload tarballs without a directory.
The directory count for a tarball is available, so use it to
display an error when there is not a single directory.

This patch has no effect on users who generate their uploaded
tarballs using makepkg. All other users must include a directory
in their tarball.

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Word-wrap labels in the package statistics box, just as we wrap package
names in the "Recent Updates" box.

Addresses FS#32160.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Some AUR setups do not have PEAR available. While other setups
have access to outdated Archive_Tar versions. Avoid these
problems completely by including the necessary files for
Archive_Tar in lib/.

Remove Archive_Tar requirement from INSTALL doc.

Signed-off-by: canyonknight <canyonknight@gmail.com>

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

With no limit to the number of results, memory_limit set to 32M
can easily be exceeded for searches that have a large number of
results. This results in an HTTP error 500 for those queries.

Limit results to an amount set within config.inc.php to avoid
exceeding memory_limit. Introduce new JSON error code for when
the result limit is hit.

Fixes FS#31849

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

The main site, wiki, and BBS are using HTTPS exclusively, so link
directly to the correct protocol rather than forcing a redirect.

Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Change the login link so that it points directly to the HTTPs version of
the login page if "$DISABLE_HTTP_LOGIN" is set and if HTTP is used.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

* Add missing <p> tag
* Move <h4> outside of a <p> tag
* Rename an id to avoid a conflict with an already existing id

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Replace incorrect </td> tags with </th> tags

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

* Add </option> close tags
* Add VI delimiter to selected option
* Add quotes to language codes

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>