<?php
# Shared bootstrap for every AUR page: include path, response headers,
# translation set-up and the common library includes.
set_include_path(implode(PATH_SEPARATOR, array(get_include_path(), '../lib', '../template')));

header('Content-Type: text/html; charset=utf-8');

# Mark the page as non-cacheable for browsers and intermediate caches.
header('Cache-Control: no-cache, must-revalidate');
header('Expires: Tue, 11 Oct 1988 22:00:00 GMT'); // quite a special day
header('Pragma: no-cache');

# Translation support has to be loaded before set_lang() can run.
# NOTE(review): set_lang() is called before config.inc is included, so it
# relies on translator.inc (or whatever that pulls in) to define
# DEFAULT_LANG and $SUPPORTED_LANGS -- confirm.
include_once('translator.inc');
set_lang();

include_once('config.inc');
include_once('version.inc');
include_once('acctfuncs.inc');

# TODO do we need to set the domain on cookies?  I seem to remember some
# security concerns about not using domains - but it's not like
# we really care if another site can see what language/SID a user
# is using...
# see if the visitor is already logged in
#
# Reads the AURSID cookie and looks the session up in the Sessions table.
# Three outcomes: the session is unknown (cookie is cleared), the session
# has been idle for at least $LOGIN_TIMEOUT seconds according to the
# database clock (row deleted and cookie cleared), or it is still valid
# (LastUpdateTS refreshed).  Nothing is returned; callers inspect
# $_COOKIE['AURSID'] afterwards.
#
function check_sid() {
	global $LOGIN_TIMEOUT;

	if (!isset($_COOKIE["AURSID"])) {
		return;
	}

	$sid = $_COOKIE["AURSID"];
	$dbh = db_connect();

	# SessionID is compared as a quoted string literal, so escaping is
	# the right protection here.
	$q = "SELECT LastUpdateTS, UNIX_TIMESTAMP() FROM Sessions ";
	$q.= "WHERE SessionID = '" . mysql_real_escape_string($sid) . "'";
	$result = db_query($q, $dbh);

	$state = 'ok';
	$last_update = 0;
	if (mysql_num_rows($result) == 0) {
		# unknown session id - possibly forged
		$state = 'invalid';
	} else {
		list($last_update, $db_now) = mysql_fetch_row($result);
		# the idle timeout is measured against the database clock
		if ($last_update + $LOGIN_TIMEOUT <= $db_now) {
			$state = 'expired';
		}
	}

	switch ($state) {
	case 'invalid':
		# throw the bogus cookie away
		setcookie("AURSID", "", time() - (60*60*24*30), "/");
		unset($_COOKIE['AURSID']);
		break;

	case 'expired':
		# the timeout was reached: drop the server-side session and the
		# cookie, the visitor has to log in again from the main page
		$q = "DELETE FROM Sessions WHERE SessionID = '";
		$q.= mysql_real_escape_string($sid) . "'";
		db_query($q, $dbh);

		setcookie("AURSID", "", time() - (60*60*24*30), "/");
		unset($_COOKIE['AURSID']);
		break;

	default:
		# still logged in: refresh the idle timestamp, but only when it
		# is below now + $LOGIN_TIMEOUT.  This leaves 'remembered'
		# sessions (presumably stored with a LastUpdateTS far in the
		# future) untouched.  Note this comparison uses the PHP clock
		# while the expiry check above uses the database clock.
		if ($last_update < time() + $LOGIN_TIMEOUT) {
			$q = "UPDATE Sessions SET LastUpdateTS = UNIX_TIMESTAMP() ";
			$q.= "WHERE SessionID = '" . mysql_real_escape_string($sid) . "'";
			db_query($q, $dbh);
		}
	}
}

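# verify that an email address looks like it is legitimate
#
# Plausibility check only: the address must be a string containing an '@'
# that is not its first character.  Returns a real boolean; the previous
# strpos() result was 0 (falsy) for an address starting with '@' and the
# match offset otherwise, which only worked by accident in boolean context.
#
function valid_email($addy) {
	if (!is_string($addy) || $addy === '') {
		return false;
	}
	$at = strpos($addy, '@');
	return $at !== false && $at > 0;
}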

# a new seed value for mt_srand()
#
# Combines the microsecond and second parts of microtime() into one float.
# This is a low-entropy, easily predictable seed and must not be relied on
# for anything security-sensitive such as session identifiers.
#
function make_seed() {
	$parts = explode(' ', microtime());
	$usec = (float) $parts[0];
	$sec = (float) $parts[1];
	return $sec + $usec * 10000;
}

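# generate a (hopefully) unique session id
#
# Returns 32 upper-case hexadecimal characters, the same shape as the old
# md5()-based id.  The bytes come from a cryptographically secure generator
# when one is available (random_bytes(), otherwise OpenSSL); a session id
# derived from mt_rand() is predictable and would let a session be guessed,
# so that scheme is kept only as a last-resort fallback for very old PHP
# builds without either source.
#
function new_sid() {
	if (function_exists('random_bytes')) {
		return strtoupper(bin2hex(random_bytes(16)));
	}
	if (function_exists('openssl_random_pseudo_bytes')) {
		$strong = false;
		$bytes = openssl_random_pseudo_bytes(16, $strong);
		if ($bytes !== false && $strong) {
			return strtoupper(bin2hex($bytes));
		}
	}

	# Legacy fallback (predictable): only reached when no secure source exists.
	$ts = time();
	$pid = getmypid();
	$rand_num = mt_rand();
	$rand_str = substr(md5(mt_rand()), 2, 20);
	$id = $rand_str . strtolower(md5($ts . $pid)) . $rand_num;
	return strtoupper(md5($id));
}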

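# obtain the username if given their Users.ID
#
# Returns "" for an empty id, "None" when the query fails or no such user
# exists, otherwise the Username.  The id is interpolated unquoted into the
# SQL, so it is cast to an integer: mysql_real_escape_string() only protects
# quoted string literals and does not neutralise an unquoted value.
#
function username_from_id($id="") {
	if (!$id) {
		return "";
	}
	$dbh = db_connect();
	$q = "SELECT Username FROM Users WHERE ID = " . intval($id);
	$result = db_query($q, $dbh);
	# an empty match still yields a result resource, so check the row count
	if (!$result || mysql_num_rows($result) == 0) {
		return "None";
	}
	$row = mysql_fetch_row($result);

	return $row[0];
}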


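# obtain the username if given their current SID
#
# Returns "" when the SID is empty, the query fails or no session matches;
# otherwise the Username of the session's owner.
#
function username_from_sid($sid="") {
	if (!$sid) {
		return "";
	}
	$dbh = db_connect();
	$q = "SELECT Username ";
	$q.= "FROM Users, Sessions ";
	$q.= "WHERE Users.ID = Sessions.UsersID ";
	$q.= "AND Sessions.SessionID = '" . mysql_real_escape_string($sid) . "'";
	$result = db_query($q, $dbh);
	# an empty match still yields a result resource, so check the row
	# count before fetching instead of reading $row[0] from FALSE
	if (!$result || mysql_num_rows($result) == 0) {
		return "";
	}
	$row = mysql_fetch_row($result);

	return $row[0];
}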

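# obtain the email address if given their current SID
#
# Returns "" when the SID is empty, the query fails or no session matches;
# otherwise the Email of the session's owner.
#
function email_from_sid($sid="") {
	if (!$sid) {
		return "";
	}
	$dbh = db_connect();
	$q = "SELECT Email ";
	$q.= "FROM Users, Sessions ";
	$q.= "WHERE Users.ID = Sessions.UsersID ";
	$q.= "AND Sessions.SessionID = '" . mysql_real_escape_string($sid) . "'";
	$result = db_query($q, $dbh);
	# an empty match still yields a result resource, so check the row
	# count before fetching instead of reading $row[0] from FALSE
	if (!$result || mysql_num_rows($result) == 0) {
		return "";
	}
	$row = mysql_fetch_row($result);

	return $row[0];
}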

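# obtain the account type if given their current SID
# Return either "", "User", "Trusted User", "Developer"
#
# "" is returned when the SID is empty, the query fails or no session
# matches, so callers must not treat "" as a privilege level.
#
function account_from_sid($sid="") {
	if (!$sid) {
		return "";
	}
	$dbh = db_connect();
	$q = "SELECT AccountType ";
	$q.= "FROM Users, AccountTypes, Sessions ";
	$q.= "WHERE Users.ID = Sessions.UsersID ";
	$q.= "AND AccountTypes.ID = Users.AccountTypeID ";
	$q.= "AND Sessions.SessionID = '" . mysql_real_escape_string($sid) . "'";
	$result = db_query($q, $dbh);
	# an empty match still yields a result resource, so check the row
	# count before fetching instead of reading $row[0] from FALSE
	if (!$result || mysql_num_rows($result) == 0) {
		return "";
	}
	$row = mysql_fetch_row($result);

	return $row[0];
}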
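# obtain the Users.ID if given their current SID
#
# Returns "" for an empty SID, 0 when the query fails or no session
# matches, otherwise the numeric Users.ID.  Both failure values are falsy,
# so callers can use `if (!uid_from_sid($sid))` to reject the request.
#
function uid_from_sid($sid="") {
	if (!$sid) {
		return "";
	}
	$dbh = db_connect();
	$q = "SELECT Users.ID ";
	$q.= "FROM Users, Sessions ";
	$q.= "WHERE Users.ID = Sessions.UsersID ";
	$q.= "AND Sessions.SessionID = '" . mysql_real_escape_string($sid) . "'";
	$result = db_query($q, $dbh);
	# an empty match still yields a result resource; without this check
	# $row[0] on FALSE silently produced NULL for an unknown session
	if (!$result || mysql_num_rows($result) == 0) {
		return 0;
	}
	$row = mysql_fetch_row($result);

	return $row[0];
}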

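# connect to the database
#
# Returns the MySQL link resource.  On failure the script is aborted; the
# driver's error text goes to the server log via error_log() instead of
# being echoed to the visitor, so host/user/database details do not end up
# in the browser.
#
function db_connect() {
	$handle = mysql_connect(AUR_db_host, AUR_db_user, AUR_db_pass);
	if (!$handle) {
		error_log("AUR: error connecting to database: " . mysql_error());
		die("Error connecting to AUR database.");
	}

	if (!mysql_select_db(AUR_db_name, $handle)) {
		error_log("AUR: error selecting database: " . mysql_error($handle));
		die("Error selecting AUR database.");
	}

	return $handle;
}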

# disconnect from the database
# this won't normally be needed as PHP/reference counting will take care of
# closing the connection once it is no longer referenced
#
# Returns TRUE when a handle was given and closed, FALSE for an empty handle.
#
function db_disconnect($db_handle="") {
	if (!$db_handle) {
		return FALSE;
	}
	mysql_close($db_handle);
	return TRUE;
}

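# wrapper function around db_query in case we want to put
# query logging/debugging in.
#
# Returns FALSE for an empty query, aborts when no handle is given, and
# otherwise returns whatever mysql_query() returns (a result resource,
# TRUE, or FALSE on error).  A failing query used to be swallowed
# silently; it is now recorded with error_log() so broken SQL is visible
# in the server log.  The query text itself is deliberately not logged,
# as it may contain visitor-supplied data.
#
function db_query($query="", $db_handle="") {
	if (!$query) {
		return FALSE;
	}
	if (!$db_handle) {
		die("DB handle was not provided to db_query");
	}
	# '@' keeps driver warnings out of the page output; the error is
	# still captured below.
	$result = @mysql_query($query, $db_handle);
	if ($result === FALSE) {
		error_log("AUR: database query failed: " . mysql_error($db_handle));
	}
	return $result;
}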

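# set up the visitor's language
#
# Picks $LANG from, in order of precedence: the 'setlang' request
# parameter, the AURLANG cookie, or the LangPreference of the logged-in
# user (looked up via the AURSID cookie).  Any value not listed in
# $SUPPORTED_LANGS is replaced by DEFAULT_LANG before use; that check is
# what keeps the include_once() of "$LANG.po" below safe against
# visitor-controlled values.  Finally loads the matching .po file.
#
function set_lang() {
	global $_t;
	global $LANG;
	global $SUPPORTED_LANGS;

	$update_cookie = 0;
	if (isset($_REQUEST['setlang'])) {
		# visitor is requesting a language change
		#
		$LANG = $_REQUEST['setlang'];
		$update_cookie = 1;

	} elseif (isset($_COOKIE['AURLANG'])) {
		# If a cookie is set, use that
		#
		$LANG = $_COOKIE['AURLANG'];

	} elseif (isset($_COOKIE["AURSID"])) {
		# logged in: use the preference stored with the account
		$dbh = db_connect();
		$q = "SELECT LangPreference FROM Users, Sessions ";
		$q.= "WHERE Users.ID = Sessions.UsersID ";
		$q.= "AND Sessions.SessionID = '";
		$q.= mysql_real_escape_string($_COOKIE["AURSID"])."'";
		$result = db_query($q, $dbh);
		# an unknown session yields zero rows, not a FALSE result
		if (!$result || mysql_num_rows($result) == 0) {
			$LANG = "en";
		} else {
			$row = mysql_fetch_array($result);
			$LANG = $row[0];
		}
		$update_cookie = 1;
	}

	# Set $LANG to default if nothing is valid.  Request and cookie values
	# can be arrays or other non-strings; those are never valid keys.
	if (!is_string($LANG) || !array_key_exists($LANG, $SUPPORTED_LANGS)) {
		$LANG = DEFAULT_LANG;
	}

	if ($update_cookie) {
		setcookie("AURLANG", $LANG, 0, "/");
	}

	if ($LANG != DEFAULT_LANG ) {
		include_once("$LANG.po");
	} else {
		include_once(DEFAULT_LANG.".po");
	}

	return;
}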

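# common header
#
# Runs the login handling (try_login()) so header.php can render either the
# login form or the logged-in menu, escapes $title for HTML and includes the
# header template in this function's scope.  $LANG and $SUPPORTED_LANGS are
# declared global so the included template can see them; superglobals
# ($_SERVER, $_COOKIE, $_POST) are visible there without a declaration.
#
function html_header($title="") {
	global $LANG;
	global $SUPPORTED_LANGS;

	$login = try_login();
	$login_error = $login['error'];

	# The page is served as UTF-8 (see the Content-Type header at the top
	# of this file); pass that to htmlspecialchars() so multi-byte titles
	# are escaped consistently rather than with the pre-5.4 ISO-8859-1
	# default.
	$title = htmlspecialchars($title, ENT_QUOTES, 'UTF-8');

	include('header.php');
	return;
}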

# common footer
#
# Includes the footer template in this function's scope; $ver is available
# to footer.php as a local variable.
#
function html_footer($ver="") {
	include('footer.php');
}

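# check to see if the user can submit a package
#
# Returns 1 when the package name is not taken yet, when the existing entry
# is a dummy package (DummyPkg = 1), or when it is maintained by the user
# owning session $sid; 0 otherwise.  A failed lookup is treated as "not
# allowed": previously mysql_num_rows(FALSE) compared loosely equal to 0
# and a database error granted submission over an existing name.
#
function can_submit_pkg($name="", $sid="") {
	if (!$name || !$sid) {return 0;}
	$dbh = db_connect();
	$q = "SELECT MaintainerUID, DummyPkg ";
	$q.= "FROM Packages WHERE Name = '".mysql_real_escape_string($name)."'";
	$result = db_query($q, $dbh);
	if (!$result) {
		# a failed query must not be mistaken for "name is free"
		return 0;
	}
	if (mysql_num_rows($result) == 0) {return 1;}
	$row = mysql_fetch_row($result);
	if ($row[1] == "1") { return 1; }

	$my_uid = uid_from_sid($sid);
	# uid_from_sid() returns 0 or "" for an unknown session; that must
	# never loosely match a NULL/empty MaintainerUID, so reject it outright
	# and compare the ids as integers.
	if (!$my_uid) {
		return 0;
	}
	if ((int) $row[0] === (int) $my_uid) {
		return 1;
	}

	return 0;
}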

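# recursive delete directory
#
# Removes $dirname and everything below it with `rm -rf`.  The path is
# quoted with escapeshellarg() so it always reaches rm as exactly one
# argument; escapeshellcmd(), used before, does not quote spaces, so a name
# containing a space would have been split into several paths.  Does
# nothing for an empty name.
#
function rm_rf($dirname="") {
	if ($dirname != "") {
		exec('rm -rf ' . escapeshellarg($dirname));
	}
	return;
}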

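# Recursive chmod to set group write permissions
#
# Regular files become 0664 and directories 0775, descending into
# subdirectories but never following symbolic links.  Returns TRUE when
# every chmod succeeded, FALSE at the first failure or if $path cannot be
# opened.  The directory handle is always closed, also on failure.
#
function chmod_group($path) {
	if (!is_dir($path))
		return chmod($path, 0664);

	$d = dir($path);
	if ($d === false)
		return FALSE;

	$ok = TRUE;
	# read() returns FALSE at the end of the listing; compare strictly so
	# an entry literally named "0" does not end the loop early.
	while (($f = $d->read()) !== false) {
		if ($f === '.' || $f === '..')
			continue;
		$fullpath = $path.'/'.$f;
		if (is_link($fullpath))
			continue;
		if (!is_dir($fullpath)) {
			if (!chmod($fullpath, 0664)) {
				$ok = FALSE;
				break;
			}
		} elseif (!chmod_group($fullpath)) {
			$ok = FALSE;
			break;
		}
	}
	$d->close();

	if (!$ok)
		return FALSE;
	return chmod($path, 0775);
}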

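# obtain the uid given a Users.Username
#
# Returns "" for an empty username, "None" when the query fails or no such
# user exists, otherwise the numeric Users.ID.
#
function uid_from_username($username="")
{
	if (!$username) {
		return "";
	}
	$dbh = db_connect();
	$q = "SELECT ID FROM Users WHERE Username = '".mysql_real_escape_string($username)
				."'";
	$result = db_query($q, $dbh);
	# an empty match still yields a result resource, so check the row
	# count before fetching instead of reading $row[0] from FALSE
	if (!$result || mysql_num_rows($result) == 0) {
		return "None";
	}
	$row = mysql_fetch_row($result);

	return $row[0];
}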

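# obtain the uid given a Users.Email
#
# Returns "" for an empty address, "None" when the query fails or no such
# user exists, otherwise the numeric Users.ID.
#
function uid_from_email($email="")
{
	if (!$email) {
		return "";
	}
	$dbh = db_connect();
	$q = "SELECT ID FROM Users WHERE Email = '".mysql_real_escape_string($email)
				."'";
	$result = db_query($q, $dbh);
	# an empty match still yields a result resource, so check the row
	# count before fetching instead of reading $row[0] from FALSE
	if (!$result || mysql_num_rows($result) == 0) {
		return "None";
	}
	$row = mysql_fetch_row($result);

	return $row[0];
}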

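/**
 * Generate clean url with edited/added user values
 *
 * Makes a clean string of variables for use in URLs based on current $_GET and
 * list of values to edit/add to that. Any empty variables are discarded.
 *
 * ex. print "http://example.com/test.php?" . mkurl("foo=bar&bar=baz")
 *
 * A "key" without "=value" in $append counts as an empty value (and is
 * therefore dropped); a value containing '=' is kept whole. Non-scalar
 * $_GET entries (e.g. foo[]=1) are skipped, since they cannot be urlencoded.
 *
 * @param string $append string of variables and values formatted as in URLs
 * ex. mkurl("foo=bar&bar=baz")
 * @return string clean string of variables to append to URL, urlencoded
 * ('' when nothing is left)
 */
function mkurl($append) {
	$get = $_GET;
	$uservars = array();
	$out = '';

	foreach (explode('&', $append) as $pair) {
		if ($pair === '') {
			continue;
		}
		// limit 2 keeps any '=' inside the value
		$ex = explode('=', $pair, 2);
		$uservars[$ex[0]] = isset($ex[1]) ? $ex[1] : '';
	}

	foreach ($uservars as $k => $v) { $get[$k] = $v; }

	foreach ($get as $k => $v) {
		if (!is_scalar($v) || (string) $v === '') {
			continue;
		}
		$out .= '&amp;' . urlencode($k) . '=' . urlencode($v);
	}

	// strip the leading '&amp;' (5 characters) added above
	return $out === '' ? '' : substr($out, 5);
}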