This project is mirrored from https://:*****@gitlab.archlinux.org/archlinux/aurweb.git.

- 24 Jun, 2012 1 commit

canyonknight authored:

Specially crafted pages can force authenticated users to unknowingly perform actions on the AUR website despite being on an attacker's website. This cross-site request forgery (CSRF) vulnerability applies to all POST data on the AUR.

Implement a token system using a double submit cookie. Have a hidden form value on every page containing POST forms. Use the newly added check_token() to verify the token sent via POST matches the "AURSID" cookie value. Random nature of the token limits potential for CSRF.

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
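The double-submit-cookie check described in the commit above, written out as an added example; this is illustration code, not aurweb's own implementation. The function name check_token() and the cookie name "AURSID" come from the commit message; the hidden field name "token", the helper csrf_token_field() and the use of hash_equals() are assumptions made here.

```php
<?php
// Added example (not aurweb code): double-submit-cookie CSRF protection as
// described in the commit message. Names other than check_token() and
// AURSID are assumptions for this illustration.

// Server side: every POST form carries a hidden field whose value must equal
// the session cookie. A page on an attacker's origin can make the browser
// send the cookie, but it cannot read the cookie (same-origin policy), so it
// cannot put a matching value into the forged form.
function check_token(): bool {
    // Both values must be present and must be plain strings; a crafted
    // "token[]=x" request would otherwise reach hash_equals() as an array.
    if (!isset($_COOKIE['AURSID'], $_POST['token'])
        || !is_string($_COOKIE['AURSID']) || !is_string($_POST['token'])) {
        return false;
    }
    // Constant-time comparison so timing does not leak the cookie value.
    return hash_equals($_COOKIE['AURSID'], $_POST['token']);
}

// Emitted inside every <form method="post"> so legitimate submissions carry
// the token. The value is HTML-escaped like any other output string.
function csrf_token_field(): string {
    $sid = $_COOKIE['AURSID'] ?? '';
    if (!is_string($sid)) {
        $sid = '';
    }
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars($sid, ENT_QUOTES, 'UTF-8') . '" />';
}

// Usage in a handler for state-changing requests: reject the request before
// any action is taken when the token does not match.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!check_token()) {
        http_response_code(403);
        exit('Invalid form token.');
    }
    // ... perform the requested action (vote, flag, delete, ...) ...
}
```

Because this scheme places the session identifier itself in page markup, it relies on output escaping being complete everywhere: any HTML injection on the site would expose the token. A later refinement used by many frameworks is to put a separate value in the form, for instance an HMAC of the session id under a server-side key, so the session cookie never appears in the page.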

- 09 Mar, 2012 5 commits

Lukas Fleischer authored:

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Lukas Fleischer authored:

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Lukas Fleischer authored:

This one is not a specific dialect, so "nb" (Norwegian Bokmål) is the better name to use here.

Thanks-to: Alexander Rødseth <rodseth@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Lukas Fleischer authored:

This makes the difference between Portuguese (Brazil) and Portuguese (Portugal) a bit clearer. Also, "pt_PT" is way more up to date than "pt".

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Lukas Fleischer authored:

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

- 19 Feb, 2012 2 commits

Lukas Fleischer authored:

Escape each output string using htmlspecialchars(). These aren't exploitable; it's still better to escape them properly.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Lukas Fleischer authored:

Escape strings properly using htmlspecialchars(). Seems like we missed these in former cleanups. Fixes FS#28515.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

- 25 Oct, 2011 2 commits

Lukas Fleischer authored:

Percent signs ("%") and underscores ("_") are not escaped by mysql_real_escape_string() and are interpreted as wildcards if combined with "LIKE". Write a wrapper function db_escape_like() and use it where appropriate.

Note that we already fixed this for the RPC interface in commit da2ebb66 but missed the other places. This patch should fix all remaining flaws reported in FS#26527.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Signed-off-by: Dan McGee <dan@archlinux.org>
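An added example of the LIKE-wildcard problem the commit above fixes and of a db_escape_like() wrapper in the spirit of the one it describes; this is illustration code, not aurweb's. The function names db_escape_string() and db_escape_like() are taken from the commit messages; the use of mysqli (the mysql_* extension the commits refer to has since been removed from PHP), the Packages table columns and the query shape are assumptions for this example.

```php
<?php
// Added example (not aurweb code). mysqli_real_escape_string() neutralises
// quotes and backslashes, but leaves the LIKE wildcards "%" and "_" alone:
// a user searching for "a_c" would match "abc", and a lone "%" would match
// every row. The wrapper names follow the commit messages; mysqli is an
// assumption.

function db_escape_string(mysqli $dbh, string $s): string {
    return mysqli_real_escape_string($dbh, $s);
}

// Escape the LIKE metacharacters first, then the string-literal
// metacharacters. The order matters: the backslashes added by addcslashes()
// must themselves be escaped for the SQL string literal, so that the literal
// 'a\\_c' reaches LIKE as a\_c, where "\_" means a literal underscore.
function db_escape_like(mysqli $dbh, string $s): string {
    return db_escape_string($dbh, addcslashes($s, '%_'));
}

// Only the wildcards appended by the application act as wildcards; whatever
// the user typed is matched literally.
function build_search_query(mysqli $dbh, string $keyword): string {
    $k = db_escape_like($dbh, $keyword);
    return "SELECT ID, Name FROM Packages WHERE Name LIKE '%" . $k . "%'";
}

// Constructed usage (connection parameters are placeholders):
// $dbh = new mysqli('localhost', 'aur', 'secret', 'AUR');
// $sql = build_search_query($dbh, $_GET['K'] ?? '');
// For input "a_c" the pattern sent to MySQL is %a\_c%, so only names
// containing the literal characters a, _, c in sequence match.
```

The wrapper assumes the default backslash escape character for both string literals and LIKE. Appending an explicit ESCAPE clause to the query pins that choice so the result does not depend on the server's sql_mode.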

Lukas Fleischer authored:

Wrap mysql_real_escape_string() in a wrapper function db_escape_string() to ease porting to other databases, and as another step to pulling more of the database code into a central location.

This is a rebased version of a patch by elij submitted about half a year ago.

Thanks-to: elij <elij.mx@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Conflicts:
    web/lib/aur.inc.php

- 05 Sep, 2011 4 commits

Lukas Fleischer authored:

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Lukas Fleischer authored:

Reported-by: Thomas Bächler <thomas@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Lukas Fleischer authored:

Do not move the package to the incoming package directory and fail to create proper database entries if some AUR upload helper doesn't provide a category. We got several failing constraints here, such as:

    Cannot add or update a child row: a foreign key constraint fails (`AUR`.`Packages`, CONSTRAINT `Packages_ibfk_1` FOREIGN KEY (`CategoryID`) REFERENCES `PackageCategories` (`ID`) ON DELETE NO ACTION)

Instead, default to "1" (which is "none", or "keep category" for existing packages) if no category is supplied.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Lukas Fleischer authored:

This is way more convenient if you follow an HTTP link. Implements FS#25757.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

- 22 Aug, 2011 3 commits

Lukas Fleischer authored:

Info queries using package IDs were no longer working due to commit c6d84b3a, which introduced a table join in process_query(), thus making the "ID" column ambiguous. Fix this by explicitly specifying the table to use. Fixes FS#25696.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Lukas Fleischer authored:

This makes the "Category" label as well as the "Change category" button on the package details page translatable. Fixes FS#25692.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Lukas Fleischer authored:

Do not attempt to rewrite "/packages/fo/foo/foo.tar.gz".

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

- 20 Aug, 2011 4 commits

Lukas Fleischer authored:

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Lukas Fleischer authored:

We discussed this on aur-dev. We shouldn't specify a territory unless translations are specific to a variant of the Greek language.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Lukas Fleischer authored:

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Lukas Fleischer authored:

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

- 19 Aug, 2011 2 commits

Lukas Fleischer authored:

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Dan McGee authored:

* Switch to x86_64 architecture by default
* Add more repositories (including multilib)
* Update default configuration path to include .php file extension

Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

- 13 Aug, 2011 5 commits

Lukas Fleischer authored:

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Lukas Fleischer authored:

Thanks-to: Jesse Jaara <jesse.jaara@gmail.com>
Thanks-to: Jelle van der Waa <jelle@vdwaa.nl>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Lukas Fleischer authored:

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Lukas Fleischer authored:

Regression introduced in 888db089.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Lukas Fleischer authored:

We broke this in 888db089 when adding the ".php" extension to all inclusion files. Seems like we forgot to do this in the Makefile.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

- 11 Aug, 2011 12 commits

Lukas Fleischer authored:

As discussed on the mailing list, enable "secure" and "httponly" for session cookies to prevent them from being transferred over insecure connections.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Lukas Fleischer authored:

If this is enabled, do not show the login form and display a note suggesting to switch to a secure connection if a user accesses the site via HTTP.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
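The cookie hardening and the HTTPS-only login notice described in the two commits above, as one added example; this is illustration code and not aurweb's own. The cookie name "AURSID" and the "secure"/"httponly" attributes are from the commit messages; the helper names, the $disable_http_login parameter, the note text, the form fields and the additional SameSite attribute are assumptions made here (setcookie() with an options array needs PHP 7.3 or later).

```php
<?php
// Added example (not aurweb code): session cookie flags and an HTTPS-only
// login form. Names other than AURSID, "secure" and "httponly" are
// assumptions for this illustration.

// Did this request arrive over TLS? Behind a reverse proxy you would instead
// have to trust the X-Forwarded-Proto header set by that proxy.
function is_https(): bool {
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

// "secure": the browser only sends the cookie over HTTPS, so a plain-HTTP
// request (or a downgraded one) never exposes the session id on the wire.
// "httponly": the cookie is not readable from JavaScript, so an XSS bug
// cannot simply read it out. SameSite=Lax is an extra attribute not in the
// commit; it keeps the cookie off most cross-site POSTs.
function set_session_cookie(string $sid, int $ttl_seconds): bool {
    return setcookie('AURSID', $sid, [
        'expires'  => time() + $ttl_seconds,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Login page: when HTTP logins are disabled, a request over plain HTTP gets
// a note instead of the form, so credentials are never posted unencrypted.
function login_form_html(bool $disable_http_login): string {
    if ($disable_http_login && !is_https()) {
        return '<p>HTTP login is disabled. Please switch to HTTPS.</p>';
    }
    return '<form method="post" action="/login/">'
         . '<input type="text" name="user" />'
         . '<input type="password" name="passwd" />'
         . '<input type="submit" value="Login" />'
         . '</form>';
}

// Constructed usage after a successful password check ($sid is whatever the
// application generated as the random session id):
// set_session_cookie($sid, 7 * 24 * 3600);
// echo login_form_html(true);
```

Note that "secure" protects the cookie only once it has been set; a user who first visits the site over HTTP still needs to be sent to HTTPS before logging in, which is what the second commit's notice is for.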

Lukas Fleischer authored:

Thanks-to: Dave Reisner <d@falconindy.com>
Thanks-to: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Lukas Fleischer authored:

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Dan McGee authored:

These were never used in the function. Where they are used is in the pkg_details.php template, so move them closer to their actual usage so as not to confuse poor programmers such as myself.

Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Dan McGee authored:

Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Dan McGee authored:

Add BEGIN and COMMIT statements where it makes sense to do so. This allows the entire package creation or update process to be atomic and not be seen until it is complete.

Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Dan McGee authored:

Allows handle reuse if one is available.

Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Dan McGee authored:

This prevents needless calls to db_connect() if we already have a reference to a handle we can pass into a function. Although the current underlying implementation using mysql_connect() will return the same connection if all parameters are the same, this might not be true if we switch to a more modern (e.g. PDO) interface. In the face of safe transactions, it is extremely important all actions are being taken over the same connection to the database.

Signed-off-by: Dan McGee <dan@archlinux.org>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Lukas Fleischer authored:

Merge all comments and votes of deleted packages into another package if the "Merge with" field is used. Duplicate votes (votes from a user who already voted on the target package or voted on more than one of the deleted packages) are discarded.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

Lukas Fleischer authored:

This allows for merging comments and votes of deleted packages into another one, which is useful if a package needs to be renamed.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Signed-off-by: Dan McGee <dan@archlinux.org>

Lukas Fleischer authored:

Describe what this function actually does: Return the ID of a package with a given name and return NULL if such a package doesn't exist. The function name is chosen in a fashion similar to other functions from "pkgfuncs.inc.php" (pkgname_from_id(), pkgnotify_from_sid(), ...).

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>