search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Remove double htmlspecialchars
[aur.git] / web / lib / aur.inc.php
blob387d81de0578883d47ee6dcdc2f22520d2da7f25
1 <?php
2 set_include_path(get_include_path() . PATH_SEPARATOR . '../lib' . PATH_SEPARATOR . '../template');
3 header('Content-Type: text/html; charset=utf-8');
4 header('Cache-Control: no-cache, must-revalidate');
5 header('Expires: Tue, 11 Oct 1988 22:00:00 GMT'); // quite a special day
6 header('Pragma: no-cache');
7
8 date_default_timezone_set('UTC');
9
10 include_once('translator.inc.php');
11 set_lang();
12
13 include_once("config.inc.php");
14 include_once("routing.inc.php");
15 include_once("version.inc.php");
16 include_once("acctfuncs.inc.php");
17 include_once("cachefuncs.inc.php");
18
19 /**
20 * Check if a visitor is logged in
21 *
22 * Query "Sessions" table with supplied cookie. Determine if the cookie is valid
23 * or not. Unset the cookie if invalid or session timeout reached. Update the
24 * session timeout if it is still valid.
25 *
26 * @global array $_COOKIE User cookie values
27 * @global string $LOGIN_TIMEOUT Time until session times out
28 * @param \PDO $dbh Already established database connection
29 *
30 * @return void
31 */
32 function check_sid($dbh=NULL) {
33 global $_COOKIE;
34 global $LOGIN_TIMEOUT;
35
36 if (isset($_COOKIE["AURSID"])) {
37 $failed = 0;
38 # the visitor is logged in, try and update the session
39 #
40 if(!$dbh) {
41 $dbh = db_connect();
42 }
43 $q = "SELECT LastUpdateTS, UNIX_TIMESTAMP() FROM Sessions ";
44 $q.= "WHERE SessionID = " . $dbh->quote($_COOKIE["AURSID"]);
45 $result = $dbh->query($q);
46 $row = $result->fetch(PDO::FETCH_NUM);
47
48 if (!$row[0]) {
49 # Invalid SessionID - hacker alert!
50 #
51 $failed = 1;
52 } else {
53 $last_update = $row[0];
54 if ($last_update + $LOGIN_TIMEOUT <= $row[1]) {
55 $failed = 2;
56 }
57 }
58
59 if ($failed == 1) {
60 # clear out the hacker's cookie, and send them to a naughty page
61 # why do you have to be so harsh on these people!?
62 #
63 setcookie("AURSID", "", 1, "/", null, !empty($_SERVER['HTTPS']), true);
64 unset($_COOKIE['AURSID']);
65 } elseif ($failed == 2) {
66 # session id timeout was reached and they must login again.
67 #
68 delete_session_id($_COOKIE["AURSID"], $dbh);
69
70 setcookie("AURSID", "", 1, "/", null, !empty($_SERVER['HTTPS']), true);
71 unset($_COOKIE['AURSID']);
72 } else {
73 # still logged in and haven't reached the timeout, go ahead
74 # and update the idle timestamp
75
76 # Only update the timestamp if it is less than the
77 # current time plus $LOGIN_TIMEOUT.
78 #
79 # This keeps 'remembered' sessions from being
80 # overwritten.
81 if ($last_update < time() + $LOGIN_TIMEOUT) {
82 $q = "UPDATE Sessions SET LastUpdateTS = UNIX_TIMESTAMP() ";
83 $q.= "WHERE SessionID = " . $dbh->quote($_COOKIE["AURSID"]);
84 $dbh->exec($q);
85 }
86 }
87 }
88 return;
89 }
90
91 /**
92 * Verify the supplied CSRF token matches expected token
93 *
94 * @return bool True if the CSRF token is the same as the cookie SID, otherwise false
95 */
96 function check_token() {
97 if (isset($_POST['token'])) {
98 return ($_POST['token'] == $_COOKIE['AURSID']);
99 } else {
100 return false;
101 }
102 }
103
104 /**
105 * Verify a user supplied e-mail against RFC 3696 and DNS records
106 *
107 * @param string $addy E-mail address being validated in foo@example.com format
108 *
109 * @return bool True if e-mail passes validity checks, otherwise false
110 */
111 function valid_email($addy) {
112 // check against RFC 3696
113 if (filter_var($addy, FILTER_VALIDATE_EMAIL) === false) {
114 return false;
115 }
116
117 // check dns for mx, a, aaaa records
118 list($local, $domain) = explode('@', $addy);
119 if (!(checkdnsrr($domain, 'MX') || checkdnsrr($domain, 'A') || checkdnsrr($domain, 'AAAA'))) {
120 return false;
121 }
122
123 return true;
124 }
125
126 /**
127 * Generate a unique session ID
128 *
129 * @return string MD5 hash of the concatenated user IP, random number, and current time
130 */
131 function new_sid() {
132 return md5($_SERVER['REMOTE_ADDR'] . uniqid(mt_rand(), true));
133 }
134
135 /**
136 * Determine the user's username in the database using a user ID
137 *
138 * @param string $id User's ID
139 * @param \PDO $dbh Already established database connection
140 *
141 * @return string Username if it exists, otherwise "None"
142 */
143 function username_from_id($id="", $dbh=NULL) {
144 if (!$id) {
145 return "";
146 }
147 if(!$dbh) {
148 $dbh = db_connect();
149 }
150 $q = "SELECT Username FROM Users WHERE ID = " . $dbh->quote($id);
151 $result = $dbh->query($q);
152 if (!$result) {
153 return "None";
154 }
155 $row = $result->fetch(PDO::FETCH_NUM);
156
157 return $row[0];
158 }
159
160 /**
161 * Determine the user's username in the database using a session ID
162 *
163 * @param string $sid User's session ID
164 * @param \PDO $dbh Already established database connection
165 *
166 * @return string Username of the visitor
167 */
168 function username_from_sid($sid="", $dbh=NULL) {
169 if (!$sid) {
170 return "";
171 }
172 if(!$dbh) {
173 $dbh = db_connect();
174 }
175 $q = "SELECT Username ";
176 $q.= "FROM Users, Sessions ";
177 $q.= "WHERE Users.ID = Sessions.UsersID ";
178 $q.= "AND Sessions.SessionID = " . $dbh->quote($sid);
179 $result = $dbh->query($q);
180 if (!$result) {
181 return "";
182 }
183 $row = $result->fetch(PDO::FETCH_NUM);
184
185 return $row[0];
186 }
187
188 /**
189 * Determine the user's e-mail address in the database using a session ID
190 *
191 * @param string $sid User's session ID
192 * @param \PDO $dbh Already established database connection
193 *
194 * @return string User's e-mail address as given during registration
195 */
196 function email_from_sid($sid="", $dbh=NULL) {
197 if (!$sid) {
198 return "";
199 }
200 if(!$dbh) {
201 $dbh = db_connect();
202 }
203 $q = "SELECT Email ";
204 $q.= "FROM Users, Sessions ";
205 $q.= "WHERE Users.ID = Sessions.UsersID ";
206 $q.= "AND Sessions.SessionID = " . $dbh->quote($sid);
207 $result = $dbh->query($q);
208 if (!$result) {
209 return "";
210 }
211 $row = $result->fetch(PDO::FETCH_NUM);
212
213 return $row[0];
214 }
215
216 /**
217 * Determine the user's account type in the database using a session ID
218 *
219 * @param string $sid User's session ID
220 * @param \PDO $dbh Already established database connection
221 *
222 * @return string Account type of user ("User", "Trusted User", or "Developer")
223 */
224 function account_from_sid($sid="", $dbh=NULL) {
225 if (!$sid) {
226 return "";
227 }
228 if(!$dbh) {
229 $dbh = db_connect();
230 }
231 $q = "SELECT AccountType ";
232 $q.= "FROM Users, AccountTypes, Sessions ";
233 $q.= "WHERE Users.ID = Sessions.UsersID ";
234 $q.= "AND AccountTypes.ID = Users.AccountTypeID ";
235 $q.= "AND Sessions.SessionID = " . $dbh->quote($sid);
236 $result = $dbh->query($q);
237 if (!$result) {
238 return "";
239 }
240 $row = $result->fetch(PDO::FETCH_NUM);
241
242 return $row[0];
243 }
244
245 /**
246 * Determine the user's ID in the database using a session ID
247 *
248 * @param string $sid User's session ID
249 * @param \PDO $dbh Already established database connection
250 *
251 * @return string|int The user's name, 0 on query failure
252 */
253 function uid_from_sid($sid="", $dbh=NULL) {
254 if (!$sid) {
255 return "";
256 }
257 if(!$dbh) {
258 $dbh = db_connect();
259 }
260 $q = "SELECT Users.ID ";
261 $q.= "FROM Users, Sessions ";
262 $q.= "WHERE Users.ID = Sessions.UsersID ";
263 $q.= "AND Sessions.SessionID = " . $dbh->quote($sid);
264 $result = $dbh->query($q);
265 if (!$result) {
266 return 0;
267 }
268 $row = $result->fetch(PDO::FETCH_NUM);
269
270 return $row[0];
271 }
272
273 /**
274 * Establish a connection with a database using PDO
275 *
276 * @return \PDO A database connection
277 */
278 function db_connect() {
279 try {
280 $dbh = new PDO(AUR_db_DSN_prefix . ":" . AUR_db_host . ";dbname=" . AUR_db_name, AUR_db_user, AUR_db_pass);
281 }
282 catch (PDOException $e) {
283 echo "Error - Could not connect to AUR database: " . $e->getMessage();
284 }
285
286 $dbh->exec("SET NAMES 'utf8' COLLATE 'utf8_general_ci';");
287
288 return $dbh;
289 }
290
291 /**
292 * Common AUR header displayed on all pages
293 *
294 * @global string $LANG Language selected by the visitor
295 * @global array $SUPPORTED_LANGS Languages that are supported by the AUR
296 * @param string $title Name of the AUR page to be displayed on browser
297 *
298 * @return void
299 */
300 function html_header($title="") {
301 global $AUR_LOCATION;
302 global $DISABLE_HTTP_LOGIN;
303 global $LANG;
304 global $SUPPORTED_LANGS;
305
306 include('header.php');
307 return;
308 }
309
310 /**
311 * Common AUR footer displayed on all pages
312 *
313 * @param string $ver The AUR version
314 *
315 * @return void
316 */
317 function html_footer($ver="") {
318 include('footer.php');
319 return;
320 }
321
322 /**
323 * Determine if a user has permission to submit a package
324 *
325 * @param string $name Name of the package to be submitted
326 * @param string $sid User's session ID
327 * @param \PDO $dbh Already established database connection
328 *
329 * @return int 0 if the user can't submit, 1 if the user can submit
330 */
331 function can_submit_pkg($name="", $sid="", $dbh=NULL) {
332 if (!$name || !$sid) {return 0;}
333 if(!$dbh) {
334 $dbh = db_connect();
335 }
336 $q = "SELECT MaintainerUID ";
337 $q.= "FROM Packages WHERE Name = " . $dbh->quote($name);
338 $result = $dbh->query($q);
339 $row = $result->fetch(PDO::FETCH_NUM);
340
341 if (!$row[0]) {
342 return 1;
343 }
344 $my_uid = uid_from_sid($sid, $dbh);
345
346 if ($row[0] === NULL || $row[0] == $my_uid) {
347 return 1;
348 }
349
350 return 0;
351 }
352
353 /**
354 * Recursively delete a directory
355 *
356 * @param string $dirname Name of the directory to be removed
357 *
358 * @return void
359 */
360 function rm_tree($dirname) {
361 if (empty($dirname) || !is_dir($dirname)) return;
362
363 foreach (scandir($dirname) as $item) {
364 if ($item != '.' && $item != '..') {
365 $path = $dirname . '/' . $item;
366 if (is_file($path) || is_link($path)) {
367 unlink($path);
368 }
369 else {
370 rm_tree($path);
371 }
372 }
373 }
374
375 rmdir($dirname);
376
377 return;
378 }
379
380 /**
381 * Determine the user's ID in the database using a username
382 *
383 * @param string $username The username of an account
384 * @param \PDO $dbh Already established database connection
385 *
386 * @return string Return user ID if exists for username, otherwise "None"
387 */
388 function uid_from_username($username="", $dbh=NULL) {
389 if (!$username) {
390 return "";
391 }
392 if(!$dbh) {
393 $dbh = db_connect();
394 }
395 $q = "SELECT ID FROM Users WHERE Username = " . $dbh->quote($username);
396 $result = $dbh->query($q);
397 if (!$result) {
398 return "None";
399 }
400 $row = $result->fetch(PDO::FETCH_NUM);
401
402 return $row[0];
403 }
404
405 /**
406 * Determine the user's ID in the database using an e-mail address
407 *
408 * @param string $email An e-mail address in foo@example.com format
409 * @param \PDO $dbh Already established database connection
410 *
411 * @return string The user's ID
412 */
413 function uid_from_email($email="", $dbh=NULL) {
414 if (!$email) {
415 return "";
416 }
417 if(!$dbh) {
418 $dbh = db_connect();
419 }
420 $q = "SELECT ID FROM Users WHERE Email = " . $dbh->quote($email);
421 $result = $dbh->query($q);
422 if (!$result) {
423 return "None";
424 }
425 $row = $result->fetch(PDO::FETCH_NUM);
426
427 return $row[0];
428 }
429
430 /**
431 * Determine if a user has TU or Developer privileges
432 *
433 * @return bool Return true if the user is a TU or developer, otherwise false
434 */
435 function check_user_privileges() {
436 $type = account_from_sid($_COOKIE['AURSID']);
437 return ($type == 'Trusted User' || $type == 'Developer');
438 }
439
440 /**
441 * Generate clean url with edited/added user values
442 *
443 * Makes a clean string of variables for use in URLs based on current $_GET and
444 * list of values to edit/add to that. Any empty variables are discarded.
445 *
446 * @example print "http://example.com/test.php?" . mkurl("foo=bar&bar=baz")
447 *
448 * @param string $append string of variables and values formatted as in URLs
449 *
450 * @return string clean string of variables to append to URL, urlencoded
451 */
452 function mkurl($append) {
453 $get = $_GET;
454 $append = explode('&', $append);
455 $uservars = array();
456 $out = '';
457
458 foreach ($append as $i) {
459 $ex = explode('=', $i);
460 $uservars[$ex[0]] = $ex[1];
461 }
462
463 foreach ($uservars as $k => $v) { $get[$k] = $v; }
464
465 foreach ($get as $k => $v) {
466 if ($v !== '') {
467 $out .= '&amp;' . urlencode($k) . '=' . urlencode($v);
468 }
469 }
470
471 return substr($out, 5);
472 }
473
474 /**
475 * Determine a user's salt from the database
476 *
477 * @param string $user_id The user ID of the user trying to log in
478 * @param \PDO $dbh Already established database connection
479 *
480 * @return string|void Return the salt for the requested user, otherwise void
481 */
482 function get_salt($user_id, $dbh=NULL) {
483 if(!$dbh) {
484 $dbh = db_connect();
485 }
486 $q = "SELECT Salt FROM Users WHERE ID = " . $user_id;
487 $result = $dbh->query($q);
488 if ($result) {
489 $row = $result->fetch(PDO::FETCH_NUM);
490 return $row[0];
491 }
492 return;
493 }
494
495 /**
496 * Save a user's salted password in the database
497 *
498 * @param string $user_id The user ID of the user who is salting their password
499 * @param string $passwd The password of the user logging in
500 * @param \PDO $dbh Already established database connection
501 */
502 function save_salt($user_id, $passwd, $dbh=NULL) {
503 if(!$dbh) {
504 $dbh = db_connect();
505 }
506 $salt = generate_salt();
507 $hash = salted_hash($passwd, $salt);
508 $q = "UPDATE Users SET Salt = " . $dbh->quote($salt) . ", ";
509 $q.= "Passwd = " . $dbh->quote($hash) . " WHERE ID = " . $user_id;
510 $result = $dbh->exec($q);
511 }
512
513 /**
514 * Generate a string to be used for salting passwords
515 *
516 * @return string MD5 hash of concatenated random number and current time
517 */
518 function generate_salt() {
519 return md5(uniqid(mt_rand(), true));
520 }
521
522 /**
523 * Combine salt and password to form a hash
524 *
525 * @param string $passwd User plaintext password
526 * @param string $salt MD5 hash to be used as user salt
527 *
528 * @return string The MD5 hash of the concatenated salt and user password
529 */
530 function salted_hash($passwd, $salt) {
531 if (strlen($salt) != 32) {
532 trigger_error('Salt does not look like an md5 hash', E_USER_WARNING);
533 }
534 return md5($salt . $passwd);
535 }
536
537 /**
538 * Process submitted comments so any links can be followed
539 *
540 * @param string $comment Raw user submitted package comment
541 *
542 * @return string User comment with links printed in HTML
543 */
544 function parse_comment($comment) {
545 $url_pattern = '/(\b(?:https?|ftp):\/\/[\w\/\#~:.?+=&%@!\-;,]+?' .
546 '(?=[.:?\-;,]*(?:[^\w\/\#~:.?+=&%@!\-;,]|$)))/iS';
547
548 $matches = preg_split($url_pattern, $comment, -1,
549 PREG_SPLIT_DELIM_CAPTURE);
550
551 $html = '';
552 for ($i = 0; $i < count($matches); $i++) {
553 if ($i % 2) {
554 # convert links
555 $html .= '<a href="' . htmlspecialchars($matches[$i]) .
556 '">' . htmlspecialchars($matches[$i]) . '</a>';
557 }
558 else {
559 # convert everything else
560 $html .= nl2br(htmlspecialchars($matches[$i]));
561 }
562 }
563
564 return $html;
565 }
566
567 /**
568 * Wrapper for beginning a database transaction
569 *
570 * @param \PDO $dbh Already established database connection
571 */
572 function begin_atomic_commit($dbh=NULL) {
573 if(!$dbh) {
574 $dbh = db_connect();
575 }
576 $dbh->beginTransaction();
577 }
578
579 /**
580 * Wrapper for committing a database transaction
581 *
582 * @param \PDO $dbh Already established database connection
583 */
584 function end_atomic_commit($dbh=NULL) {
585 if(!$dbh) {
586 $dbh = db_connect();
587 }
588 $dbh->commit();
589 }
590
591 /**
592 *
593 * Determine the row ID for the most recently insterted row
594 *
595 * @param \PDO $dbh Already established database connection
596 *
597 * @return string The ID of the last inserted row
598 */
599 function last_insert_id($dbh=NULL) {
600 if(!$dbh) {
601 $dbh = db_connect();
602 }
603 return $dbh->lastInsertId();
604 }
605
606 /**
607 * Determine package information for latest package
608 *
609 * @param int $numpkgs Number of packages to get information on
610 * @param \PDO $dbh Already established database connection
611 *
612 * @return array $packages Package info for the specified number of recent packages
613 */
614 function latest_pkgs($numpkgs, $dbh=NULL) {
615 if(!$dbh) {
616 $dbh = db_connect();
617 }
618
619 $q = "SELECT * FROM Packages ";
620 $q.= "ORDER BY SubmittedTS DESC ";
621 $q.= "LIMIT " .intval($numpkgs);
622 $result = $dbh->query($q);
623
624 if ($result) {
625 while ($row = $result->fetch(PDO::FETCH_ASSOC)) {
626 $packages[] = $row;
627 }
628 }
629
630 return $packages;
631 }
Arch User-Community Repository (AUR)