This project is mirrored from https://:*****@gitlab.archlinux.org/archlinux/aurweb.git.
Pull mirroring updated .
- 19 Mar, 2013 2 commits
-
-
Lukas Fleischer authored
If an empty password is passed during account registration, login for the new user is disabled and a reset key is sent to the new user's e-mail address so that they can set an initial password manually. Signed-off-by:Lukas Fleischer <archlinux@cryptocrack.de>
-
Lukas Fleischer authored
This allows for reusing reset key submission for other things, such as sending an initial password reset code during account registration. Signed-off-by:
-
- 10 Feb, 2013 4 commits
-
-
canyonknight authored
Large amount of boilerplate code that checks if a database connection exists is useless now that the new connection method automatically does the same check. Signed-off-by:
canyonknight <canyonknight@gmail.com> Signed-off-by:
-
canyonknight authored
Signed-off-by: -
canyonknight authored
All functions now have a database connection method that will use the same database connection. This imitates the functionality of passing a database connection as an argument and makes it redundant. Signed-off-by:
-
canyonknight authored
Uses the Singleton pattern to ensure all queries use the same database connection that is released upon script completion. All database connections should now be called with DB::connect() and not db_connect(). Signed-off-by:
-
- 30 Jan, 2013 3 commits
-
-
canyonknight authored
An error message is printed when the number of affected rows is 0 for an edited account. A count of 0 doesn't imply an error, only that no changes were made in the database. Signed-off-by:
-
canyonknight authored
A suspended user can stay in active sessions. Introduce new function delete_user_sessions to remove all open sessions for a specific user. Allows suspensions to take effect immediately. Signed-off-by:
-
canyonknight authored
The function is only determining whether a username is valid, so it makes more sense to simply return a boolean value. Signed-off-by:
-
- 29 Nov, 2012 2 commits
-
-
canyonknight authored
A check is only done to verify a Trusted User isn't promoting their account. An attacker can send tampered account type POST data to change their "User" level account to a "Developer" account. Add check so that all users cannot increase their own account permissions. Signed-off-by:
-
canyonknight authored
Checks are in place to avoid users getting account editing forms they shouldn't have access to. The appropriate checks before editing the account in the backend are not in place. This vulnerability allows a user to craft malicious POST data to edit other user accounts, thereby allowing account hijacking. Add a new flexible function can_edit_account() to determine if a user has appropriate permissions. Run the permission check before processing any account information in the backend. Signed-off-by:
-
- 08 Oct, 2012 1 commit
-
-
Lukas Fleischer authored
* Change voters_list() to return an array of voters instead of generating HTML code in the library call. * Change the template to generate HTML code for the list of voters instead of displaying the library's return value. * Use HTML lists. Signed-off-by:
-
- 24 Sep, 2012 2 commits
-
-
Lukas Fleischer authored
* Use "<label>"/"</label>" for form labels. * Use "<strong>"/"</strong>" for important text. * Use "<h4>"/"</h4>" for headings. * Drop "<b>"/"</b>" everywhere else. Signed-off-by: -
canyonknight authored
Signed-off-by:
-
- 17 Sep, 2012 4 commits
-
-
canyonknight authored
* Restructure account.php to remove redundant code. * Remove own_account_details(). * Rework logic check to default to no access to account edit form. * Make default account action viewing account info. Signed-off-by:
-
canyonknight authored
Navigation to the "AccountInfo" page should only require a user to know the username of the account they are looking for. Update all AUR links that use the user info page to reflect the new URL. Before: AUR_URL/account/?Action=AccountInfo&U=userfoo After: AUR_URL/account/userfoo Signed-off-by:
-
canyonknight authored
Signed-off-by:
-
canyonknight authored
All DB code currently uses the quickly aging mysql_* functions. These functions are strongly discouraged and may eventually be deprecated. Transition all code to utilize the PDO data access abstraction layer. PDO allows for consistent query code across multiple databases. This could potentially allow for someone to use a database other than MySQL with minimal code changes. All functions and behaviors are reproduced as faithfully as possible with PDO equivalents and some changes in code. Signed-off-by:
-
- 15 Jul, 2012 2 commits
-
-
Lukas Fleischer authored
Jump to the home page instead of displaying a page that only tells you that you're logged in. Signed-off-by: -
Lukas Fleischer authored
Use virtual paths in links (e.g. link to "/packages/" instead of "/packages.php" etc.) if the virtual path feature is enabled. Signed-off-by:
-
- 14 Jul, 2012 1 commit
-
-
canyonknight authored
Fixes broken account suspension system. Signed-off-by:
-
- 08 Jul, 2012 1 commit
-
-
Lukas Fleischer authored
Initialize the "$details" and "$whovoted" variables with an empty array/string to suppress a "Undefined variable" notice if the votes/voters list is empty. Signed-off-by:
-
- 06 Jul, 2012 11 commits
-
-
canyonknight authored
XHTML should be eliminated from lib/ as much as possible. This pulls the XHTML out of the display_account_info function that echoes the code, and moves it to the new account_details.php template file. Signed-off-by:
-
canyonknight authored
Signed-off-by:
-
canyonknight authored
Signed-off-by:
-
canyonknight authored
* Move DB code in tu.php and tu.php and tu_list.php to new functions in accfuncs.inc.php * Centralization of DB code important in a future transition to PDO interface Signed-off-by:
-
canyonknight authored
* Move DB code in account.php to new functions in acctfuncs.inc.php * Centralization of DB code important in a future transition to PDO interface * Consolidate redudant SQL statements from DisplayAccount and AccountInfo * Consolidation also adds ability to edit accounts based on username Signed-off-by:
-
canyonknight authored
* Move DB code in passreset.php to new functions in acctfuncs.inc.php * Centralization of DB code important in a future transition to PDO interface Signed-off-by:
-
canyonknight authored
* Move DB code for removing a session in logout.php to a new function in acctfuncs.inc.php * Add ability for clear_expired_sessions function to check for DB connection * Centralization of DB code important in a future transition to PDO interface Signed-off-by:
-
canyonknight authored
* Move DB code from account_search_results.php to already existing function in acctfuncs.inc.php * Centralization of DB code important in a future transition to PDO interface Signed-off-by:
-
canyonknight authored
* Verifying a username exists should use already present valid_user function * Create new functions in acctfuncs.inc.php with SQL queries from addvote.php * Centralization of DB code important in a future transition to PDO interface Signed-off-by:
-
canyonknight authored
XHTML should be eliminated from lib/ as much as possible. This pulls the XHTML out of a function that simply echoes the code, and moves it into a more reasonable template file in account_search_results.php Signed-off-by:
-
canyonknight authored
XHTML should be eliminated from lib/ as much as possible. This pulls the XHTML out of a function that simply echoes the code, and moves it into a more reasonable template file in account_edit_form.php Signed-off-by:
-
- 24 Jun, 2012 1 commit
-
-
canyonknight authored
Specially crafted pages can force authenticated users to unknowingly perform actions on the AUR website despite being on an attacker's website. This cross-site request forgery (CSRF) vulnerability applies to all POST data on the AUR. Implement a token system using a double submit cookie. Have a hidden form value on every page containing POST forms. Use the newly added check_token() to verify the token sent via POST matches the "AURSID" cookie value. Random nature of the token limits potential for CSRF. Signed-off-by:
-
- 24 Mar, 2012 2 commits
-
-
Lukas Fleischer authored
Always put the opening brace on the same line as the beginning of the function declaration. Signed-off-by: -
Lukas Fleischer authored
This is handy for verifying the PGP key of new Trusted Users. Also, this could potentially used as a basis to allow signed package uploads in the future. Implements FS#29028. Signed-off-by:
-
- 25 Oct, 2011 2 commits
-
-
Lukas Fleischer authored
Percent signs ("%") and underscores ("_") are not escaped by mysql_real_escape_string() and are interpreted as wildcards if combined with "LIKE". Write a wrapper function db_escape_like() and use it where appropriate. Note that we already fixed this for the RPC interface in commit da2ebb66 but missed the other places. This patch should fix all remaining flaws reported in FS#26527. Signed-off-by:Dan McGee <dan@archlinux.org>
-
Lukas Fleischer authored
Wrap mysql_real_escape_string() in a wrapper function db_escape_string() to ease porting to other databases, and as another step to pulling more of the database code into a central location. This is a rebased version of a patch by elij submitted about half a year ago. Thanks-to: elij <elij.mx@gmail.com> Signed-off-by:
-
- 24 Oct, 2011 2 commits
-
-
Lukas Fleischer authored
Percent signs ("%") and underscores ("_") are not escaped by mysql_real_escape_string() and are interpreted as wildcards if combined with "LIKE". Write a wrapper function db_escape_like() and use it where appropriate. Note that we already fixed this for the RPC interface in commit da2ebb66 but missed the other places. This patch should fix all remaining flaws reported in FS#26527. Signed-off-by: -
Lukas Fleischer authored
Wrap mysql_real_escape_string() in a wrapper function db_escape_string() to ease porting to other databases, and as another step to pulling more of the database code into a central location. This is a rebased version of a patch by elij submitted about half a year ago. Thanks-to: elij <elij.mx@gmail.com> Signed-off-by:
-
