Fixed XSS in login error messages. Resolves FS 7901.
[aur-xilon.git] / web / html / index.php
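<?php
# NOTE(review): this file used the short open tag "<?", which only works
# when short_open_tag is enabled. "<?php" is portable across configurations
# and avoids the source being served as plain text on a stricter host.

# Shared library and translation files live beside the web root.
set_include_path(get_include_path() . PATH_SEPARATOR . '../lib' . PATH_SEPARATOR . '../lang');

include("index_po.inc");
include("pkgfuncs_po.inc"); # Add to handle the i18n of My Packages
include("aur.inc");
set_lang();
# Presumably validates/refreshes the AURSID session cookie (defined in
# aur.inc, not visible here) — confirm before relying on it for auth state.
check_sid();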
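# Need to do the authentication prior to sending any HTML (including header)

$login_error = "";
# NOTE(review): credentials are read from $_REQUEST, so a GET request with
# user/pass in the query string is accepted too (and ends up in access logs
# and browser history). The form below POSTs; consider restricting to $_POST.
if (isset($_REQUEST["user"]) || isset($_REQUEST["pass"])) {
	# Attempting to log in

	if (!isset($_REQUEST["user"])) {
		$login_error = __("You must supply a username.");
	}
	if (!isset($_REQUEST["pass"])) {
		$login_error = __("You must supply a password.");
	}

	if (!$login_error) {
		# Try and authenticate the user

		# Users.Passwd stores an unsalted md5 of the password, so the same
		# transform is applied before comparing. NOTE(review): unsalted md5 is
		# not an acceptable password hash; moving to a salted, slow hash needs
		# a schema change plus a rehash-on-login path, so it is only flagged.
		$pass_hash = md5($_REQUEST["pass"]);
		$dbh = db_connect();
		$q = "SELECT ID, Suspended FROM Users ";
		$q.= "WHERE Username = '" . mysql_real_escape_string($_REQUEST["user"]) . "' ";
		$q.= "AND Passwd = '" . mysql_real_escape_string($pass_hash) . "'";
		$result = db_query($q, $dbh);
		if (!$result) {
			# The username is reflected into HTML below, so escape it (FS 7901).
			$login_error = __("Error looking up username, %s.",
				array(htmlspecialchars($_REQUEST["user"])));
		} else {
			$row = mysql_fetch_row($result);
			if (empty($row)) {
				# Same message whether the account does not exist or the password
				# is wrong: the query matches both at once, so nothing about
				# which usernames are registered is leaked.
				$login_error = __("Incorrect password for username, %s.",
					array(htmlspecialchars($_REQUEST["user"])));
			} elseif ($row[1]) {
				# $row[1] is the Suspended column.
				$login_error = __("Your account has been suspended.");
			}
		}

		if (!$login_error) {
			# Account looks good. Generate a SID and store it.
			$user_id = intval($row[0]);   # Users.ID; cast so it is safe to inline
			$logged_in = 0;
			$num_tries = 0;
			while (!$logged_in && $num_tries < 5) {
				$new_sid = new_sid();
				$q = "INSERT INTO Sessions (UsersID, SessionID, LastUpdateTS) ";
				$q.= "VALUES (" . $user_id . ", '" . mysql_real_escape_string($new_sid) . "', UNIX_TIMESTAMP())";
				$result = db_query($q, $dbh);
				# Query will fail if $new_sid is not unique

				if ($result) {
					$logged_in = 1;
					break;
				}
				$num_tries++;
			}
			if ($logged_in) {
				# Set our SID cookie. The final "true" marks it HttpOnly (PHP >= 5.2)
				# so script running in the page cannot read the session id; an
				# expiry of 0 makes it a browser-session cookie. Set the secure
				# flag too once the site is served over HTTPS only.
				setcookie("AURSID", $new_sid, 0, "/", "", false, true);
				header("Location: /index.php");
				# Stop here: without exit the whole page below (including its DB
				# queries and the login form) is rendered into the 302 body.
				exit;
			} else {
				$login_error = __("Error trying to generate session id.");
			}
		}
	}
}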
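# Any cookies have been sent, can now display HTML

html_header();

# Big Top Level Table (Table 1)
print "<table border='0' cellpadding='0' cellspacing='3' width='90%'>\n";
print "<tr>\n";

# MAIN: Top Left
print "<td class='boxSoft' valign='top'>";

print "<p>".__("Welcome to the AUR! Please read the %hAUR User Guidelines%h and %hAUR TU Guidelines%h for more information.", array('<a href="http://wiki.archlinux.org/index.php/AUR_User_Guidelines">', '</a>', '<a href="http://wiki.archlinux.org/index.php/AUR_Trusted_User_Guidelines">', '</a>'))."<br>";
print __("Contributed PKGBUILDs <b>must</b> conform to the %hArch Packaging Standards%h otherwise they will be deleted!", array('<a href="http://wiki.archlinux.org/index.php/Arch_Packaging_Standards">', '</a>'))."</p>";
#print "<p>".__("If you have feedback about the AUR, please leave it in %hFlyspray%h.", array('<a href="http://bugs.archlinux.org/index.php?tasks=all&amp;project=2">', '</a>'))."<br>";
#print __("Email discussion about the AUR takes place on the %sTUR Users List%s.", array('<a href="http://www.archlinux.org/mailman/listinfo/tur-users">', '</a>'))."</p>";
print "<p>".__("Remember to vote for your favourite packages!")."<br>";
print __("The most popular packages will be provided as binary packages in [community].")."</p>";
#print "<p>".__("Though we can't vouch for their contents, we provide a %hlist of user repositories%h for your convenience.", array('<a href="http://wiki2.archlinux.org/index.php/Unofficial%20Repositories">', '</a>'))."</p>";

# MAIN: Top Right
print "</td>";
print "<td class='boxSoft' valign='top'>";

# Now present the user login stuff
# NOTE(review): the mere presence of the AURSID cookie decides which widget is
# shown; actual validation of the session is expected from check_sid() above.
if (!isset($_COOKIE["AURSID"])) {
	# the user is not logged in, give them login widgets

	if ($login_error) {
		# $login_error is assembled above from translated strings, with the
		# user-supplied username already passed through htmlspecialchars().
		print "<span class='error'>" . $login_error . "</span><br />\n";
	}
	print "<table border='0' cellpadding='0' cellspacing='0' width='100%'>\n";
	print "<form action='/index.php' method='post'>\n";
	print "<tr>\n";
	print "<td>".__("Username:")."</td>";
	print "<td><input type='text' name='user' size='30' maxlength='64'></td>";
	print "</tr>\n";
	print "<tr>\n";
	print "<td>".__("Password:")."</td>";
	print "<td><input type='password' name='pass' size='30' maxlength='32'></td>";
	print "</tr>\n";
	print "<tr>\n";
	print "<td colspan='2' align='right'>&nbsp;<br />";
	print "<input type='submit' class='button'";
	print " value='".__("Login")."'></td>";
	print "</tr>\n";
	print "</form>\n";
	print "</table>\n";

} else {
	# The username comes from the DB, but escape it anyway so an oddly
	# registered name cannot inject markup into the page.
	print __("Logged-in as: %h%s%h",
		array("<b>", htmlspecialchars(username_from_sid($_COOKIE["AURSID"])), "</b>"));
}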
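# MAIN: Bottom Left
print "</td>";
print "</tr>";
print "<tr>";
print "<td class='boxSoft' valign='top'>";

# List the ten most recently submitted or modified non-dummy packages.
# $dbh is only assigned on the login path above; make sure there is a
# handle for this request regardless of how we got here.
if (empty($dbh)) {
	$dbh = db_connect();
}
$q = "SELECT * FROM Packages ";
$q.= "WHERE DummyPkg != 1 ";
$q.= "ORDER BY GREATEST(SubmittedTS,ModifiedTS) DESC ";
$q.= "LIMIT 0 , 10";
$result = db_query($q,$dbh);
# Table 2
print '<table class="boxSoft">';
print '<tr>';
print '<th colspan="2" class="boxSoftTitle" style="text-align: right">';
print ' <a href="/rss2.php"><img src="/images/rss.gif"></a> <span class="f3">'.__("Recent Updates").' <span class="f5"></span></span>';
print '</th>';
print '</tr>';

while ($row = mysql_fetch_assoc($result)) {
	print '<tr>';
	print '<td class="boxSoft">';

	# ID is cast to int for the link; name and version are escaped for the
	# HTML context rather than trusting whatever was stored.
	print '<span class="f4"><span class="blue"><a href="/packages.php?do_Details=1&ID='.intval($row["ID"]).'">';
	print htmlspecialchars($row["Name"]." ".$row["Version"])."</a></span></span>";

	print '</td>';
	print '<td class="boxSoft" style="text-align: right">';

	# figure out the mod string. Every branch assigns $modstring so nothing
	# carries over from the previous row (the fallback branch used to assign
	# $mod_string, a typo that left $modstring stale or undefined).
	$mod_int = intval($row["ModifiedTS"]);
	$sub_int = intval($row["SubmittedTS"]);
	if ($mod_int != 0) {
		$modstring = gmdate("r", $mod_int);
	}
	elseif ($sub_int != 0) {
		$modstring = '<img src="/images/new.gif"/> '.gmdate("r", $sub_int);
	}
	else {
		$modstring = "(unknown)";
	}
	print '<span class="f4">'.$modstring.'</span>';
	print '</td>';
	print '</tr>'."\n";
}
print "</td>";
print "</tr>";
print "</table>";
# End Table 2

#print " <td>&nbsp;&nbsp;</td>";
#print " <td align='left' valign='top' nowrap>\n";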
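# MAIN: Bottom Right
print "</td>";
print "<td class='boxSoft' valign='top'>";

# AUR STATISTICS
# Each figure below is a COUNT(*) read back with mysql_fetch_row(); they are
# numbers produced by the DB, not user data, so they are printed as-is.

$q = "SELECT count(*) FROM Packages,PackageLocations WHERE Packages.LocationID = PackageLocations.ID AND PackageLocations.Location = 'unsupported'";
$result = db_query($q, $dbh);
$row = mysql_fetch_row($result);
$unsupported_count = $row[0];

$q = "SELECT count(*) FROM Packages,PackageLocations WHERE Packages.LocationID = PackageLocations.ID AND PackageLocations.Location = 'community'";
$result = db_query($q, $dbh);
$row = mysql_fetch_row($result);
$community_count = $row[0];

$q = "SELECT count(*) from Users";
$result = db_query($q, $dbh);
$row = mysql_fetch_row($result);
$user_count = $row[0];

$q = "SELECT count(*) from Users,AccountTypes WHERE Users.AccountTypeID = AccountTypes.ID AND AccountTypes.AccountType = 'Trusted User'";
$result = db_query($q, $dbh);
$row = mysql_fetch_row($result);
$tu_count = $row[0];

# intval() keeps the timestamp safe to inline into the query below.
$targstamp = intval(strtotime("-7 days"));
$q = "SELECT count(*) from Packages WHERE (Packages.SubmittedTS >= $targstamp OR Packages.ModifiedTS >= $targstamp)";
$result = db_query($q, $dbh);
$row = mysql_fetch_row($result);
$update_count = $row[0];

$q = "SELECT count(*) FROM Packages,PackageLocations WHERE Packages.LocationID = PackageLocations.ID AND PackageLocations.Location = 'unsupported' AND Packages.Safe = 1";
$result = db_query($q, $dbh);
$row = mysql_fetch_row($result);
$safe_count = $row[0];

# Added the user statistcs.
# Added by: dsa <dsandrade@gmail.com>
# Only resolve a username when a session cookie is present; reading the
# unset $_COOKIE index raised a notice for every logged-out visitor.
$user = isset($_COOKIE["AURSID"]) ? username_from_sid($_COOKIE["AURSID"]) : "";

if (!empty($user)) {
	# Escape once; the same literal is reused in every per-user query.
	$user_esc = mysql_real_escape_string($user);

	$q = "SELECT count(*) FROM Packages,PackageLocations,Users WHERE Packages.MaintainerUID = Users.ID AND Packages.LocationID = PackageLocations.ID AND PackageLocations.Location = 'unsupported' AND Users.Username='".$user_esc."'";
	$result = db_query($q, $dbh);
	$row = mysql_fetch_row($result);
	$maintainer_unsupported_count = $row[0];

	$q = "SELECT count(*) FROM Packages,Users WHERE Packages.OutOfDate = 1 AND Packages.MaintainerUID = Users.ID AND Users.Username='".$user_esc."'";
	$result = db_query($q, $dbh);
	$row = mysql_fetch_row($result);
	$flagged_outdated = $row[0];

	print "<table class='boxSoft'>";

	print "<tr>";
	print "<th colspan='2' class='boxSoftTitle' style='text-align: right'>";
	print "<span class='f3'>".__("My Statistics")."</span>";
	print "</th>";
	print "</tr>";

	# Number of packages in unsupported
	print "<tr>";
	print "<td class='boxSoft'>";
	print "<span class='f4'>".__("Packages in unsupported")."</span>";
	print "</td>";
	print "<td class='boxSoft'><span class='f4'>$maintainer_unsupported_count</span></td>";
	print "</tr>";

	# If the user is a TU calculate the number of the packages
	$atype = account_from_sid($_COOKIE["AURSID"]);
	$is_tu = ($atype == 'Trusted User');

	if ($is_tu) {
		$q = "SELECT count(*) FROM Packages,PackageLocations,Users WHERE Packages.MaintainerUID = Users.ID AND Packages.LocationID = PackageLocations.ID AND PackageLocations.Location = 'community' AND Users.Username='".$user_esc."'";
		$result = db_query($q, $dbh);
		$row = mysql_fetch_row($result);
		$maintainer_community_count = $row[0];

		print "<tr>";
		print "<td class='boxSoft'>";
		print "<span class='f4'>".__("Packages in [community]")."</span>";
		print "</td>";
		print "<td class='boxSoft'><span class='f4'>$maintainer_community_count</span></td>";
		print "</tr>";
	}

	# Number of outdated packages
	print "<tr>";
	print "<td class='boxSoft'>";
	print "<span class='f4'>".__("Out-of-date")."</span>";
	print "</td>";
	print "<td class='boxSoft'><span class='f4'>$flagged_outdated</span></td>";
	print "</tr>";

	# Number of safe packages: TUs see the packages they verified,
	# everyone else the safe packages they maintain.
	print "<tr>";
	print "<td class='boxSoft'>";
	if ($is_tu) {
		$q = "SELECT count(*) FROM Packages,Users WHERE Packages.Safe = 1 AND Packages.VerifiedBy = Users.ID AND Users.Username='".$user_esc."'";
		$result = db_query($q, $dbh);
		$row = mysql_fetch_row($result);
		$flagged_safe = $row[0];

		print "<span class='f4'>".__("Flagged as safe by me")."</span>";
	}
	else
	{
		$q = "SELECT count(*) FROM Packages,Users WHERE Packages.Safe = 1 AND Packages.MaintainerUID = Users.ID AND Users.Username='".$user_esc."'";
		$result = db_query($q, $dbh);
		$row = mysql_fetch_row($result);
		$flagged_safe = $row[0];

		print "<span class='f4'>".__("Flagged as safe")."</span>";
	}
	print "</td>";
	print "<td class='boxSoft'><span class='f4'>$flagged_safe</span></td>";
	print "</tr>";

	print "</table><br />";
}

print "<table class='boxSoft'>";

print "<tr>";
print "<th colspan='2' class='boxSoftTitle' style='text-align: right'>";
print "<span class='f3'>".__("Statistics")."</span>";
print "</th>";
print "</tr>";

print "<tr>";
print "<td class='boxSoft'>";
print "<span class='f4'>".__("Packages in unsupported")."</span>";
print "</td>";
print "<td class='boxSoft'><span class='f4'>$unsupported_count</span></td>";
print "</tr>";

print "<tr>";
print "<td class='boxSoft'>";
print "<span class='f4'>".__("Packages in unsupported and flagged as safe")."</span>";
print "</td>";
print "<td class='boxSoft'><span class='f4'>$safe_count</span></td>";
print "</tr>";

print "<tr>";
print "<td class='boxSoft'>";
print "<span class='f4'>".__("Packages in [community]")."</span>";
print "</td>";
print "<td class='boxSoft'><span class='f4'>$community_count</span></td>";
print "</tr>";

print "<tr>";
print "<td class='boxSoft'>";
print "<span class='f4'>".__("Packages added or updated in the past 7 days")."</span>";
print "</td>";
print "<td class='boxSoft'><span class='f4'>$update_count</span></td>";
print "</tr>";

print "<tr>";
print "<td class='boxSoft'>";
print "<span class='blue'><span class='f4'>".__("Registered Users")."</span></span>";
print "</td>";
print "<td class='boxSoft'><span class='f4'>$user_count</span></td>";
print "</tr>";

print "<tr>";
print "<td class='boxSoft'>";
print "<span class='f4'>".__("Trusted Users")."</span>";
print "</td>";
print "<td class='boxSoft'><span class='f4'>$tu_count</span></td>";
print "</tr>";

print "</table>";

# Close out the right column
print " </td>";
print "</tr>\n";
print "</table>\n";
# End Table 1

html_footer("<b>Version 1.3.0</b> \$Id: index.php 340 2007-02-25 22:11:41Z swiergot $");
# vim: ts=2 sw=2 noet ft=php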