<?php
# Shared bootstrap for the AUR web frontend: include path, HTTP headers,
# language selection and the common includes. Every page includes this
# file first, so nothing here may produce output (cookies/headers follow).
set_include_path(get_include_path() . PATH_SEPARATOR . '../lib' . PATH_SEPARATOR . '../template');
header('Content-Type: text/html; charset=utf-8');

# Pages are session/language dependent, so keep browsers and proxies
# from caching them (all three headers for older HTTP/1.0 caches).
header('Cache-Control: no-cache, must-revalidate');
header('Expires: Tue, 11 Oct 1988 22:00:00 GMT'); // quite a special day
header('Pragma: no-cache');

# set_lang() is defined further down in this file and may call setcookie(),
# so it has to run before any output. It reads globals ($_t, $SUPPORTED_LANGS,
# DEFAULT_LANG); presumably translator.inc provides them, since config.inc
# is only included after this call -- confirm before reordering.
include_once('translator.inc');
set_lang();

include_once("config.inc");
include_once("version.inc");
include_once("acctfuncs.inc");

# TODO do we need to set the domain on cookies?  I seem to remember some
# security concerns about not using domains - but it's not like
# we really care if another site can see what language/SID a user
# is using...

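# see if the visitor is already logged in
#
# Reads the AURSID cookie and checks it against the Sessions table:
#  - unknown session id (or a failed query): the cookie is cleared
#  - session idle for longer than $LOGIN_TIMEOUT: the Sessions row is
#    deleted and the cookie is cleared
#  - otherwise the session's LastUpdateTS is refreshed
# Returns nothing; callers inspect $_COOKIE['AURSID'] afterwards.
#
function check_sid() {
	global $_COOKIE;
	global $LOGIN_TIMEOUT;

	if (!isset($_COOKIE["AURSID"])) {
		return;
	}

	$failed = 0;
	# the visitor is logged in, try and update the session
	#
	$dbh = db_connect();
	# escape once; mysql_real_escape_string() needs the connection opened above
	$sid = mysql_real_escape_string($_COOKIE["AURSID"]);
	$q = "SELECT LastUpdateTS, UNIX_TIMESTAMP() FROM Sessions ";
	$q.= "WHERE SessionID = '" . $sid . "'";
	$result = db_query($q, $dbh);
	# a failed query used to reach mysql_num_rows(FALSE) and emit a warning;
	# treat it exactly like an unknown session id (fail closed) instead
	if (!$result || mysql_num_rows($result) == 0) {
		# Invalid SessionID - hacker alert!
		#
		$failed = 1;
	} else {
		$row = mysql_fetch_row($result);
		$last_update = $row[0];
		# compare against the database clock (UNIX_TIMESTAMP() selected
		# above) so the check does not depend on web and database hosts
		# agreeing on the time
		if ($last_update + $LOGIN_TIMEOUT <= $row[1]) {
			$failed = 2;
		}
	}

	if ($failed == 1) {
		# clear out the hacker's cookie; no redirect happens here, the
		# calling page decides what to show
		#
		setcookie("AURSID", "", time() - (60*60*24*30), "/");
		unset($_COOKIE['AURSID']);
	} elseif ($failed == 2) {
		# the timeout was reached and they must login again: drop the
		# session row and the cookie so the main page offers the login
		#
		$q = "DELETE FROM Sessions WHERE SessionID = '" . $sid . "'";
		db_query($q, $dbh);

		setcookie("AURSID", "", time() - (60*60*24*30), "/");
		unset($_COOKIE['AURSID']);
	} else {
		# still logged in and haven't reached the timeout, go ahead
		# and update the idle timestamp
		#
		# Only update the timestamp if it is less than the current
		# time plus $LOGIN_TIMEOUT. This keeps 'remembered' sessions
		# (presumably stored with a LastUpdateTS in the future) from
		# being overwritten.
		if ($last_update < time() + $LOGIN_TIMEOUT) {
			$q = "UPDATE Sessions SET LastUpdateTS = UNIX_TIMESTAMP() ";
			$q.= "WHERE SessionID = '" . $sid . "'";
			db_query($q, $dbh);
		}
	}
	return;
}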

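# verify that an email address looks like it is legitimate
#
# Only a sanity check (an '@' somewhere after the first character), not
# RFC validation. Returns a bool. The previous version returned strpos()'s
# position, which is only meaningful as a truth value; the truthiness is
# unchanged, so an address starting with '@' is still rejected.
#
function valid_email($addy) {
	$at = strpos($addy, '@');
	return $at !== false && $at > 0;
}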

# a new seed value for mt_srand()
#
# Built from microtime(): the seconds part plus the fractional part scaled
# by 10000, as a float. Note the value is derived from the clock alone and
# is therefore guessable; it must not be relied on for unpredictability.
#
function make_seed() {
	$parts = explode(' ', microtime());
	$usec = (float) $parts[0];
	$sec = (float) $parts[1];
	return $sec + $usec * 10000;
}

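# generate a (hopefully) unique session id
#
# Returns 32 upper-case hex characters (the width of an md5 hex digest).
# A session id must be unguessable, so when the CSPRNG random_bytes() is
# available (PHP 7+) it is used directly; otherwise the historical
# clock-seeded mt_rand()/md5 construction is kept as a fallback.
#
function new_sid() {
	if (function_exists('random_bytes')) {
		return strtoupper(bin2hex(random_bytes(16)));
	}

	# legacy fallback: mt_rand() seeded from the clock is not a CSPRNG
	mt_srand(make_seed());
	$ts = time();
	$pid = getmypid();

	$rand_num = mt_rand();
	mt_srand(make_seed());
	$rand_str = substr(md5(mt_rand()),2, 20);

	$id = $rand_str . strtolower(md5($ts.$pid)) . $rand_num;
	return strtoupper(md5($id));
}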

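# obtain the username if given their Users.ID
#
# Returns "" when no id is given, "None" when the query fails and ""
# (instead of a notice and null) when no such user exists.
# $id is cast to int: Users.ID is an integer key and the value is used
# unquoted in the query, where escaping alone does not prevent injection.
# A non-numeric id therefore selects ID 0 (no row) rather than producing
# a broken query.
#
function username_from_id($id="") {
	if (!$id) {
		return "";
	}
	$dbh = db_connect();
	$q = "SELECT Username FROM Users WHERE ID = " . intval($id);
	$result = db_query($q, $dbh);
	if (!$result) {
		return "None";
	}
	$row = mysql_fetch_row($result);
	if (!$row) {
		return "";
	}
	return $row[0];
}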


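# obtain the username if given their current SID
#
# Returns "" when no sid is given, when the query fails, or when the
# session is unknown (the latter used to read offset 0 of FALSE and
# yield null with a notice). $sid is escaped into a quoted literal.
#
function username_from_sid($sid="") {
	if (!$sid) {
		return "";
	}
	$dbh = db_connect();
	$q = "SELECT Username ";
	$q.= "FROM Users, Sessions ";
	$q.= "WHERE Users.ID = Sessions.UsersID ";
	$q.= "AND Sessions.SessionID = '" . mysql_real_escape_string($sid) . "'";
	$result = db_query($q, $dbh);
	if (!$result) {
		return "";
	}
	$row = mysql_fetch_row($result);
	if (!$row) {
		return "";
	}
	return $row[0];
}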

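# obtain the email address if given their current SID
#
# Returns "" when no sid is given, when the query fails, or when the
# session is unknown (the latter used to read offset 0 of FALSE and
# yield null with a notice). $sid is escaped into a quoted literal.
#
function email_from_sid($sid="") {
	if (!$sid) {
		return "";
	}
	$dbh = db_connect();
	$q = "SELECT Email ";
	$q.= "FROM Users, Sessions ";
	$q.= "WHERE Users.ID = Sessions.UsersID ";
	$q.= "AND Sessions.SessionID = '" . mysql_real_escape_string($sid) . "'";
	$result = db_query($q, $dbh);
	if (!$result) {
		return "";
	}
	$row = mysql_fetch_row($result);
	if (!$row) {
		return "";
	}
	return $row[0];
}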

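# obtain the account type if given their current SID
# Return either "", "User", "Trusted User", "Developer"
#
# "" is returned when no sid is given, when the query fails, or when the
# session is unknown (the latter used to read offset 0 of FALSE and yield
# null with a notice). $sid is escaped into a quoted literal.
#
function account_from_sid($sid="") {
	if (!$sid) {
		return "";
	}
	$dbh = db_connect();
	$q = "SELECT AccountType ";
	$q.= "FROM Users, AccountTypes, Sessions ";
	$q.= "WHERE Users.ID = Sessions.UsersID ";
	$q.= "AND AccountTypes.ID = Users.AccountTypeID ";
	$q.= "AND Sessions.SessionID = '" . mysql_real_escape_string($sid) . "'";
	$result = db_query($q, $dbh);
	if (!$result) {
		return "";
	}
	$row = mysql_fetch_row($result);
	if (!$row) {
		return "";
	}
	return $row[0];
}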

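# obtain the Users.ID if given their current SID
#
# Returns "" when no sid is given and 0 when the query fails or the
# session is unknown (the latter used to read offset 0 of FALSE and yield
# null with a notice). Callers must treat a falsy result as "no user".
#
function uid_from_sid($sid="") {
	if (!$sid) {
		return "";
	}
	$dbh = db_connect();
	$q = "SELECT Users.ID ";
	$q.= "FROM Users, Sessions ";
	$q.= "WHERE Users.ID = Sessions.UsersID ";
	$q.= "AND Sessions.SessionID = '" . mysql_real_escape_string($sid) . "'";
	$result = db_query($q, $dbh);
	if (!$result) {
		return 0;
	}
	$row = mysql_fetch_row($result);
	if (!$row) {
		return 0;
	}
	return $row[0];
}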

# connect to the database
#
# Opens a MySQL connection using the AUR_db_* constants (presumably from
# config.inc) and selects AUR_db_name on it. Both steps are fatal on
# failure: the script die()s with mysql_error(). Returns the link handle.
#
function db_connect() {
	$link = mysql_connect(AUR_db_host, AUR_db_user, AUR_db_pass);
	if (!$link) {
		die("Error connecting to AUR database: " . mysql_error());
	}
	if (!mysql_select_db(AUR_db_name, $link)) {
		die("Error selecting AUR database: " . mysql_error());
	}
	return $link;
}

# disconnect from the database
# this won't normally be needed as PHP/reference counting will take care of
# closing the connection once it is no longer referenced
#
# Returns TRUE when a handle was given and closed, FALSE for an empty one.
#
function db_disconnect($db_handle="") {
	if (!$db_handle) {
		return FALSE;
	}
	mysql_close($db_handle);
	return TRUE;
}

# wrapper function around db_query in case we want to put
# query logging/debugging in.
#
# Returns FALSE for an empty query and die()s when no handle is given.
# MySQL warnings are suppressed with @; callers test for a FALSE result
# and mysql_error() still reports the failure.
#
function db_query($query="", $db_handle="") {
	if (!$query) {
		return FALSE;
	}
	if (!$db_handle) {
		die("DB handle was not provided to db_query");
	}
	return @mysql_query($query, $db_handle);
}

# set up the visitor's language
#
# Picks $LANG from, in order: an explicit ?setlang= request, the AURLANG
# cookie, or the logged-in user's stored LangPreference. Anything not in
# $SUPPORTED_LANGS falls back to DEFAULT_LANG. The choice is written to the
# AURLANG cookie when it came from the request or the database, and the
# matching .po file is included for non-default languages.
#
function set_lang() {
	global $_t;
	global $LANG;
	global $SUPPORTED_LANGS;

	$persist = false;
	if (isset($_REQUEST['setlang'])) {
		# explicit language switch requested by the visitor
		$LANG = $_REQUEST['setlang'];
		$persist = true;
	} elseif (isset($_COOKIE['AURLANG'])) {
		# remembered choice from an earlier visit
		$LANG = $_COOKIE['AURLANG'];
	} elseif (isset($_COOKIE["AURSID"])) {
		# logged in but no language cookie: use the stored preference
		$dbh = db_connect();
		$q = "SELECT LangPreference FROM Users, Sessions "
			. "WHERE Users.ID = Sessions.UsersID "
			. "AND Sessions.SessionID = '"
			. mysql_real_escape_string($_COOKIE["AURSID"]) . "'";
		$result = db_query($q, $dbh);
		if ($result) {
			$row = mysql_fetch_array($result);
			$LANG = $row[0];
		} else {
			$LANG = "en";
		}
		$persist = true;
	}

	# Whatever the source, only a configured language may be used. This
	# whitelist is also what keeps the include_once() below from loading
	# an arbitrary file named by the request or the cookie.
	if (!array_key_exists($LANG, $SUPPORTED_LANGS)) {
		$LANG = DEFAULT_LANG;
	}

	if ($persist) {
		setcookie("AURLANG", $LANG, 0, "/");
	}

	if ($LANG != DEFAULT_LANG ) {
		include_once("$LANG.po");
	}
	return;
}


# common header
#
# Emits the shared page header by including header.php (resolved through
# the ../template include path set at the top of this file). The locals
# set here ($login, $login_error, $title) and the globals declared below
# are visible to the included template, so their names are presumably part
# of the template contract -- do not rename them. $title is HTML-escaped
# before the template prints it.
#
function html_header($title="") {
	global $_SERVER;
	global $_COOKIE;
	global $_POST;
	global $LANG;
	global $SUPPORTED_LANGS;

	# try_login() is defined outside this file (acctfuncs.inc, presumably)
	$login = try_login();
	$login_error = $login['error'];

	# ENT_QUOTES so the title is safe inside attribute values as well; no
	# charset argument is passed, so htmlspecialchars() uses its default
	$title = htmlspecialchars($title, ENT_QUOTES);

	include('header.php');
	return;
}


# common footer
#
# Emits the shared page footer by including footer.php. $ver is not used
# here; it is in scope for the included template, presumably so the
# footer can print the version.
#
function html_footer($ver="") {
	include('footer.php');
	return;
}

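# check to see if the user can submit a package
#
# Returns 1 when $name is not taken yet, is a dummy package, or is
# maintained by the user behind $sid; 0 otherwise. A failed lookup (query
# error or unknown session) yields 0 -- previously both cases fell open:
# mysql_num_rows(FALSE) compares equal to 0 and an unknown session's empty
# uid compared equal to a package without maintainer.
#
function can_submit_pkg($name="", $sid="") {
	if (!$name || !$sid) {return 0;}
	$dbh = db_connect();
	$q = "SELECT MaintainerUID, DummyPkg ";
	$q.= "FROM Packages WHERE Name = '".mysql_real_escape_string($name)."'";
	$result = db_query($q, $dbh);
	if (!$result) {
		# fail closed on a query error
		return 0;
	}
	if (mysql_num_rows($result) == 0) {return 1;}
	$row = mysql_fetch_row($result);
	if ($row[1] == "1") { return 1; }

	$my_uid = uid_from_sid($sid);
	# an unknown session yields an empty uid; never let it match a
	# package with no maintainer
	if (!$my_uid) {
		return 0;
	}
	if ($row[0] == $my_uid) {
		return 1;
	}

	return 0;
}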

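# recursive delete directory
#
# Removes $dirname and everything below it via rm -rf. The path is passed
# as a single quoted argument (escapeshellarg). The previous
# escapeshellcmd() does not escape spaces, so a name containing one was
# split into several arguments and other paths were deleted. Nothing
# happens for an empty name.
#
function rm_rf($dirname="") {
	if ($dirname != "") {
		exec('rm -rf ' . escapeshellarg($dirname));
	}
	return;
}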

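# Recursive chmod to set group write permissions
#
# Files become 0664 and directories 0775; symlinks are skipped (chmod
# would follow them). Returns TRUE on success, FALSE as soon as a chmod
# fails or the directory cannot be opened. The read loop compares against
# FALSE explicitly: an entry named "0" is falsy and used to end the loop
# early, leaving the rest of the directory untouched. The handle is closed
# on every path, so an early failure no longer leaks it.
#
function chmod_group($path) {
	if (!is_dir($path))
		return chmod($path, 0664);

	$d = dir($path);
	if (!$d)
		return FALSE;

	$ok = TRUE;
	while (($f = $d->read()) !== false) {
		if ($f === '.' || $f === '..')
			continue;
		$fullpath = $path.'/'.$f;
		if (is_link($fullpath))
			continue;
		if (!is_dir($fullpath))
			$ok = chmod($fullpath, 0664);
		else
			$ok = chmod_group($fullpath);
		if (!$ok)
			break;
	}
	$d->close();

	if (!$ok)
		return FALSE;

	return chmod($path, 0775);
}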

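# obtain the uid given a Users.Username
#
# Returns "" when no username is given, "None" when the query fails and ""
# (instead of a notice and null) when no such user exists. $username is
# escaped into a quoted literal.
#
function uid_from_username($username="")
{
	if (!$username) {
		return "";
	}
	$dbh = db_connect();
	$q = "SELECT ID FROM Users WHERE Username = '".mysql_real_escape_string($username)
				."'";
	$result = db_query($q, $dbh);
	if (!$result) {
		return "None";
	}
	$row = mysql_fetch_row($result);
	if (!$row) {
		return "";
	}
	return $row[0];
}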

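# obtain the uid given a Users.Email
#
# Returns "" when no email is given, "None" when the query fails and ""
# (instead of a notice and null) when no such user exists. $email is
# escaped into a quoted literal.
#
function uid_from_email($email="")
{
	if (!$email) {
		return "";
	}
	$dbh = db_connect();
	$q = "SELECT ID FROM Users WHERE Email = '".mysql_real_escape_string($email)
				."'";
	$result = db_query($q, $dbh);
	if (!$result) {
		return "None";
	}
	$row = mysql_fetch_row($result);
	if (!$row) {
		return "";
	}
	return $row[0];
}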

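/**
 * Generate clean url with edited/added user values
 *
 * Makes a clean string of variables for use in URLs based on current $_GET and
 * list of values to edit/add to that. Any empty variables are discarded, so
 * "foo=" (or a bare "foo") removes foo from the result. Array-valued
 * request parameters (foo[]=1) cannot be urlencoded and are skipped.
 *
 * ex. print "http://example.com/test.php?" . mkurl("foo=bar&bar=baz")
 *
 * @param string $append string of variables and values formatted as in URLs
 * ex. mkurl("foo=bar&bar=baz")
 * @return string clean string of variables to append to URL, urlencoded and
 * joined with '&amp;' (HTML-escaped, ready to print into an attribute)
 */
function mkurl($append) {
	$get = $_GET;

	# a pair without '=' used to raise an undefined-offset notice; treat it
	# as an empty value, which is discarded below like any other empty one
	foreach (explode('&', $append) as $pair) {
		$ex = explode('=', $pair);
		$get[$ex[0]] = isset($ex[1]) ? $ex[1] : '';
	}

	$parts = array();
	foreach ($get as $k => $v) {
		if (is_array($v) || $v === '') {
			continue;
		}
		$parts[] = urlencode($k) . '=' . urlencode($v);
	}

	# implode() avoids substr() on an empty string, which returned FALSE
	# instead of '' before PHP 8
	return implode('&amp;', $parts);
}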