From patchwork Sun Apr 5 15:06:05 2020
X-Patchwork-Submitter: Lukas Fleischer
X-Patchwork-Id: 1575
From: Lukas Fleischer
To: aur-dev@archlinux.org
Subject: [PATCH 1/2] Fix invalid session ID check
Date: Sun, 5 Apr 2020 11:06:05 -0400
Message-Id: <20200405150606.26586-1-lfleischer@archlinux.org>

Signed-off-by: Lukas Fleischer
---
 web/lib/aur.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php
index dbcc23a..f4ad6b4 100644
--- a/web/lib/aur.inc.php
+++ b/web/lib/aur.inc.php 
@@ -50,7 +50,7 @@ function check_sid() { $result = $dbh->query($q); $row = $result->fetch(PDO::FETCH_NUM); - if (!$row[0]) { + if (!$row) { # Invalid SessionID - hacker alert! # $failed = 1;
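Review bot: whether `!$row` is equivalent to the old `!$row[0]` depends on the query in `$q`, which the hunk does not show. `fetch(PDO::FETCH_NUM)` returns `false` only when the result set is empty, so the new check is correct for a query that selects the session row itself (and it avoids the PHP 7.4 "Trying to access array offset on value of type bool" notice that `$row[0]` raised on a missing session); if `$q` were a `SELECT COUNT(*)`-style query it would always return a row and the invalid-session branch would never fire. Worth stating in the commit message which case applies and which notice is being fixed, since the message currently carries no rationale beyond the Signed-off-by.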
From: Lukas Fleischer To: aur-dev@archlinux.org Subject: [PATCH 2/2] Fix PHP notices in the account form Date: Sun, 5 Apr 2020 11:06:06 -0400 Message-Id: <20200405150606.26586-2-lfleischer@archlinux.org> X-Mailer: git-send-email 2.26.0 In-Reply-To: <20200405150606.26586-1-lfleischer@archlinux.org> References: <20200405150606.26586-1-lfleischer@archlinux.org> MIME-Version: 1.0 X-BeenThere: aur-dev@archlinux.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Arch User Repository \(AUR\) Development" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: aur-dev-bounces@archlinux.org Sender: "aur-dev" Signed-off-by: Lukas Fleischer --- web/html/account.php | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/web/html/account.php b/web/html/account.php index c05d136..d70f4ce 100644 --- a/web/html/account.php +++ b/web/html/account.php @@ -25,7 +25,7 @@ if ($action == "UpdateAccount") { $update_account_message = ''; /* Details for account being updated */ /* Verify user permissions and that the request is a valid POST */ - if (can_edit_account($row) && check_token()) { + if ($row && can_edit_account($row) && check_token()) { /* Update the details for the existing account */ list($success, $update_account_message) = process_account_form( "edit", "UpdateAccount", @@ -55,7 +55,7 @@ if ($action == "UpdateAccount") { } } -if ($action == "AccountInfo") { +if ($row && $action == "AccountInfo") { html_header(__('Account') . ' ' . $row['Username']); } else { html_header(__('Accounts')); @@ -122,7 +122,7 @@ if (isset($_COOKIE["AURSID"])) { } elseif ($action == "DeleteAccount") { /* Details for account being deleted. */ - if (can_edit_account($row)) { + if ($row && can_edit_account($row)) { $uid_removal = $row['ID']; $uid_session = uid_from_sid($_COOKIE['AURSID']); $username = $row['Username']; 
@@ -155,7 +155,7 @@ if (isset($_COOKIE["AURSID"])) { } elseif ($action == "UpdateAccount") { print $update_account_message; - if (!$success) { + if ($row && !$success) { display_account_form("UpdateAccount", in_request("U"), in_request("T"), @@ -181,7 +181,7 @@ if (isset($_COOKIE["AURSID"])) { } } elseif ($action == "ListComments") { - if (has_credential(CRED_ACCOUNT_LIST_COMMENTS, array($row["ID"]))) { + if ($row && has_credential(CRED_ACCOUNT_LIST_COMMENTS, array($row["ID"]))) { # display the comment list if they're a TU/dev $total_comment_count = account_comments_count($row["ID"]);
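Review bot: in the hunk at `@@ -155,7 +155,7 @@`, `if ($row && !$success)` still reads `$success` uninitialised whenever `$row` is set but `can_edit_account($row)` or `check_token()` fails in the `@@ -25,7 +25,7 @@` hunk, because `list($success, $update_account_message) = process_account_form(...)` only runs when all three conditions hold; the undefined-variable notice this series sets out to fix therefore persists on a failed token check. Suggest initialising `$success = false;` next to `$update_account_message = '';` and keeping the new `$row` guard.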
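Review bot: the `$row &&` guard is repeated in every branch that touches the account (the hunks at `@@ -55`, `@@ -122` and `@@ -181` in particular), and when the account is not found the page falls through silently: the `@@ -55` hunk prints the generic `__('Accounts')` header and the later branches simply do nothing, so the user gets no indication that the requested account does not exist. Suggest handling the missing-account case once where `$row` is loaded (an explicit not-found message and early return), which removes the per-branch guards and gives the user feedback.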