January 2020 - Aur-dev - lists.archlinux.org

[PATCH] rendercomment: respectful linkification of Git commits
by Lukas Fleischer 30 Jan '20

30 Jan '20

From: Frédéric Mangano-Tarumi <fmang(a)mg0.fr> Turn the git-commits markdown processor into an inline processor, which is smart enough not to convert Git hashes contained in code blocks or links. Signed-off-by: Lukas Fleischer <lfleischer(a)archlinux.org> --- aurweb/scripts/rendercomment.py | 36 ++++++++++++++++++--------------- 1 file changed, 20 insertions(+), 16 deletions(-) diff --git a/aurweb/scripts/rendercomment.py b/aurweb/scripts/rendercomment.py index 5e18fd5..5c59748 100755 --- a/aurweb/scripts/rendercomment.py +++ b/aurweb/scripts/rendercomment.py @@ -40,19 +40,26 @@ class FlysprayLinksExtension(markdown.extensions.Extension): md.preprocessors.add('flyspray-links', preprocessor, '_end') -class GitCommitsPreprocessor(markdown.preprocessors.Preprocessor): - _oidre = re.compile(r'(\b)([0-9a-f]{7,40})(\b)') +class GitCommitsInlineProcessor(markdown.inlinepatterns.InlineProcessor): + """ + Turn Git hashes like f7f5152be5ab into links to AUR's cgit. + + Only commit references that do exist are linkified. Hashes are shortened to + shorter non-ambiguous prefixes. Only hashes with at least 7 digits are + considered. + """ + _repo = pygit2.Repository(repo_path) - _head = None def __init__(self, md, head): self._head = head - super(markdown.preprocessors.Preprocessor, self).__init__(md) + super().__init__(r'\b([0-9a-f]{7,40})\b', md) - def handleMatch(self, m): - oid = m.group(2) + def handleMatch(self, m, data): + oid = m.group(1) if oid not in self._repo: - return oid + # Unkwown OID; preserve the orginal text. + return None, None, None prefixlen = 12 while prefixlen < 40: @@ -60,13 +67,10 @@ class GitCommitsPreprocessor(markdown.preprocessors.Preprocessor): break prefixlen += 1 - html = '[`' + oid[:prefixlen] + '`]' - html += '(' + commit_uri % (self._head, oid[:prefixlen]) + ')' - - return html - - def run(self, lines): - return [self._oidre.sub(self.handleMatch, line) for line in lines] + el = markdown.util.etree.Element('a') + el.set('href', commit_uri % (self._head, oid[:prefixlen])) + el.text = markdown.util.AtomicString(oid[:prefixlen]) + return el, m.start(0), m.end(0) class GitCommitsExtension(markdown.extensions.Extension): @@ -77,8 +81,8 @@ class GitCommitsExtension(markdown.extensions.Extension): super(markdown.extensions.Extension, self).__init__() def extendMarkdown(self, md, md_globals): - preprocessor = GitCommitsPreprocessor(md, self._head) - md.preprocessors.add('git-commits', preprocessor, '_end') + processor = GitCommitsInlineProcessor(md, self._head) + md.inlinePatterns.add('git-commits', processor, '_end') class HeadingTreeprocessor(markdown.treeprocessors.Treeprocessor): -- 2.25.0

1 1

[PATCH] Require password when deleting an account
by Lukas Fleischer 30 Jan '20

30 Jan '20

Further reduce the attack surface in case of a stolen session ID. Signed-off-by: Lukas Fleischer <lfleischer(a)archlinux.org> --- web/html/account.php | 17 +++++++++++++---- web/template/account_delete.php | 11 +++++++++-- 2 files changed, 22 insertions(+), 6 deletions(-) diff --git a/web/html/account.php b/web/html/account.php index 7c6c424..03af8d4 100644 --- a/web/html/account.php +++ b/web/html/account.php @@ -120,12 +120,21 @@ if (isset($_COOKIE["AURSID"])) { } elseif ($action == "DeleteAccount") { /* Details for account being deleted. */ if (can_edit_account($row)) { - $UID = $row['ID']; + $uid_removal = $row['ID']; + $uid_session = uid_from_sid($_COOKIE['AURSID']); + $username = $row['Username']; + if (in_request('confirm') && check_token()) { - user_delete($UID); - header('Location: /'); + if (check_passwd($uid_session, $_REQUEST['passwd']) == 1) { + user_delete($uid_removal); + header('Location: /'); + } else { + echo "<ul class='errorlist'><li>"; + echo __("Invalid password."); + echo "</li></ul>"; + include("account_delete.php"); + } } else { - $username = $row['Username']; include("account_delete.php"); } } else { diff --git a/web/template/account_delete.php b/web/template/account_delete.php index 718b172..d0c6e74 100644 --- a/web/template/account_delete.php +++ b/web/template/account_delete.php @@ -12,8 +12,15 @@ <input type="hidden" name="token" value="<?= htmlspecialchars($_COOKIE['AURSID']) ?>" /> </fieldset> <fieldset> - <p><label class="confirmation"><input type="checkbox" name="confirm" value="1" /> - <?= __("Confirm deletion") ?></label></p> + <p> + <label for="id_passwd"><?= __("Password") ?>:</label> + <input type="password" size="30" name="passwd" id="id_passwd" value="" /> + </p> + + <p> + <label class="confirmation"><input type="checkbox" name="confirm" value="1" /> + <?= __("Confirm deletion") ?></label> + </p> <p> <input type="submit" class="button" value="<?= __("Delete") ?>" /> -- 2.25.0

1 0

[PATCH] Verify current password against logged in user
by Lukas Fleischer 30 Jan '20

30 Jan '20

When changing the password of an account, instead of asking for the old password of the account, ask for the password of the currently logged in user. This allows privileged users to edit other accounts without knowing their passwords. Signed-off-by: Lukas Fleischer <lfleischer(a)archlinux.org> --- web/lib/acctfuncs.inc.php | 9 ++++----- web/template/account_edit_form.php | 4 ++-- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index 601d4ce..d2144c2 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -134,10 +134,9 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$PO="",$P=" $dbh = DB::connect(); if(isset($_COOKIE['AURSID'])) { - $editor_user = uid_from_sid($_COOKIE['AURSID']); - } - else { - $editor_user = null; + $uid_session = uid_from_sid($_COOKIE['AURSID']); + } else { + $uid_session = null; } if (empty($E) || empty($U)) { @@ -169,7 +168,7 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$PO="",$P=" if (!$error && $P && $P != $C) { $error = __("Password fields do not match."); } - if (!$error && $P && check_passwd($UID, $PO) != 1) { + if (!$error && $P && check_passwd($uid_session, $PO) != 1) { $error = __("The old password is invalid."); } if (!$error && $P != '' && !good_passwd($P)) { diff --git a/web/template/account_edit_form.php b/web/template/account_edit_form.php index 25e9185..7bd233a 100644 --- a/web/template/account_edit_form.php +++ b/web/template/account_edit_form.php @@ -140,9 +140,9 @@ <?php if ($A == "UpdateAccount"): ?> <fieldset> - <legend><?= __("If you want to change your password, enter your current passport, your new password and confirm the new password by entering it again.") ?></legend> + <legend><?= __("If you want to change the password, enter your current passport, the new password and confirm the new password by entering it again.") ?></legend> <p> - <label for="id_passwd_old"><?= __("Old password") ?>:</label> + <label for="id_passwd_old"><?= __("Your current password") ?>:</label> <input type="password" size="30" name="PO" id="id_passwd_old" value="<?= $PO ?>" /> </p> -- 2.25.0

1 0

[PATCH] Undo accidental code addition
by Lukas Fleischer 30 Jan '20

30 Jan '20

Rollback an accidental change that sneaked into commit daee20c (Require current password when setting a new one, 2020-01-30). Signed-off-by: Lukas Fleischer <lfleischer(a)archlinux.org> --- web/lib/acctfuncs.inc.php | 1 - 1 file changed, 1 deletion(-) diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index 1de49b0..601d4ce 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -135,7 +135,6 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$PO="",$P=" if(isset($_COOKIE['AURSID'])) { $editor_user = uid_from_sid($_COOKIE['AURSID']); - $row = account_details(in_request("ID"), in_request("U")); } else { $editor_user = null; -- 2.25.0

1 0

[PATCH] Require current password when setting a new one
by Lukas Fleischer 30 Jan '20

30 Jan '20

Prevent from easily taking over an account by changing the password with a stolen session ID. Fixes FS#65325. Signed-off-by: Lukas Fleischer <lfleischer(a)archlinux.org> --- web/html/account.php | 1 + web/html/register.php | 2 ++ web/lib/acctfuncs.inc.php | 15 ++++++++++++-- web/template/account_edit_form.php | 32 +++++++++++++++++++----------- 4 files changed, 36 insertions(+), 14 deletions(-) diff --git a/web/html/account.php b/web/html/account.php index 1d59e9c..7c6c424 100644 --- a/web/html/account.php +++ b/web/html/account.php @@ -34,6 +34,7 @@ if ($action == "UpdateAccount") { in_request("S"), in_request("E"), in_request("H"), + in_request("PO"), in_request("P"), in_request("C"), in_request("R"), diff --git a/web/html/register.php b/web/html/register.php index a426482..8174e34 100644 --- a/web/html/register.php +++ b/web/html/register.php @@ -26,6 +26,7 @@ if (in_request("Action") == "NewAccount") { in_request("H"), '', '', + '', in_request("R"), in_request("L"), in_request("TZ"), @@ -54,6 +55,7 @@ if (in_request("Action") == "NewAccount") { in_request("H"), '', '', + '', in_request("R"), in_request("L"), in_request("TZ"), diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php index e754989..1de49b0 100644 --- a/web/lib/acctfuncs.inc.php +++ b/web/lib/acctfuncs.inc.php @@ -96,6 +96,7 @@ function display_account_form($A,$U="",$T="",$S="",$E="",$H="",$P="",$C="",$R="" * @param string $S Whether or not the account is suspended * @param string $E The e-mail address for the user * @param string $H Whether or not the e-mail address should be hidden + * @param string $PO The old password of the user * @param string $P The password for the user * @param string $C The confirmed password for the user * @param string $R The real name of the user @@ -116,7 +117,7 @@ function display_account_form($A,$U="",$T="",$S="",$E="",$H="",$P="",$C="",$R="" * * @return array Boolean indicating success and message to be printed */ -function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$P="",$C="", +function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$PO="",$P="",$C="", $R="",$L="",$TZ="",$HP="",$I="",$K="",$PK="",$J="",$CN="",$UN="",$ON="",$UID=0,$N="",$captcha_salt="",$captcha="") { global $SUPPORTED_LANGS; @@ -134,6 +135,7 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$P="",$C="" if(isset($_COOKIE['AURSID'])) { $editor_user = uid_from_sid($_COOKIE['AURSID']); + $row = account_details(in_request("ID"), in_request("U")); } else { $editor_user = null; @@ -159,9 +161,18 @@ function process_account_form($TYPE,$A,$U="",$T="",$S="",$E="",$H="",$P="",$C="" . "</li>\n</ul>"; } - if (!$error && $P && $C && ($P != $C)) { + if (!$error && $P && !$C) { + $error = __("Please confirm your new password."); + } + if (!$error && $P && !$PO) { + $error = __("Please enter your old password in order to set a new one."); + } + if (!$error && $P && $P != $C) { $error = __("Password fields do not match."); } + if (!$error && $P && check_passwd($UID, $PO) != 1) { + $error = __("The old password is invalid."); + } if (!$error && $P != '' && !good_passwd($P)) { $length_min = config_get_int('options', 'passwd_min_len'); $error = __("Your password must be at least %s characters.", diff --git a/web/template/account_edit_form.php b/web/template/account_edit_form.php index 5e84aa7..25e9185 100644 --- a/web/template/account_edit_form.php +++ b/web/template/account_edit_form.php @@ -86,18 +86,6 @@ <input type="checkbox" name="H" id="id_hide" <?= $H ? 'checked="checked"' : '' ?> /> </p> - <?php if ($A == "UpdateAccount"): ?> - <p> - <label for="id_passwd1"><?= __("Password") ?>:</label> - <input type="password" size="30" name="P" id="id_passwd1" value="<?= $P ?>" /> - </p> - - <p> - <label for="id_passwd2"><?= __("Re-type password") ?>:</label> - <input type="password" size="30" name="C" id="id_passwd2" value="<?= $C ?>" /> - </p> - <?php endif; ?> - <p> <label for="id_realname"><?= __("Real Name") ?>:</label> <input type="text" size="30" maxlength="32" name="R" id="id_realname" value="<?= htmlspecialchars($R,ENT_QUOTES) ?>" /> @@ -150,6 +138,26 @@ </p> </fieldset> + <?php if ($A == "UpdateAccount"): ?> + <fieldset> + <legend><?= __("If you want to change your password, enter your current passport, your new password and confirm the new password by entering it again.") ?></legend> + <p> + <label for="id_passwd_old"><?= __("Old password") ?>:</label> + <input type="password" size="30" name="PO" id="id_passwd_old" value="<?= $PO ?>" /> + </p> + + <p> + <label for="id_passwd1"><?= __("Password") ?>:</label> + <input type="password" size="30" name="P" id="id_passwd1" value="<?= $P ?>" /> + </p> + + <p> + <label for="id_passwd2"><?= __("Re-type password") ?>:</label> + <input type="password" size="30" name="C" id="id_passwd2" value="<?= $C ?>" /> + </p> + </fieldset> + <?php endif; ?> + <fieldset> <legend><?= __("The following information is only required if you want to submit packages to the Arch User Repository.") ?></legend> <p> -- 2.25.0

1 0