[aur-dev] [PATCH 1/3] routing.inc.php: Return proper (non-virtual) URIs
Make sure we always return root-relative URIs in get_pkg_uri() and in get_user_uri() and prepend a slash ("/") if the virtual URL feature is disabled. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> --- web/lib/routing.inc.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/web/lib/routing.inc.php b/web/lib/routing.inc.php index dfd6942..206886c 100644 --- a/web/lib/routing.inc.php +++ b/web/lib/routing.inc.php @@ -54,7 +54,7 @@ function get_pkg_uri($pkgname) { if ($USE_VIRTUAL_URLS) { return $PKG_PATH . '/' . urlencode($pkgname) . '/'; } else { - return get_route($PKG_PATH) . '?N=' . urlencode($pkgname); + return '/' . get_route($PKG_PATH) . '?N=' . urlencode($pkgname); } } @@ -70,6 +70,6 @@ function get_user_uri($username) { if ($USE_VIRTUAL_URLS) { return $USER_PATH . '/' . urlencode($username) . '/'; } else { - return get_route($USER_PATH) . '?U=' . urlencode($username); + return '/' . get_route($USER_PATH) . '?U=' . urlencode($username); } } -- 1.8.0
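Review bot: the root-relative guarantee added in the get_pkg_uri() hunk (and the matching get_user_uri() hunk) only covers the non-virtual branch; the virtual branch still returns `$PKG_PATH . '/' . urlencode($pkgname) . '/'` unchanged, so it is root-relative only if $PKG_PATH is configured with a leading slash. Either normalise that branch too, or put the contract ("always returns a root-relative path, callers concatenate $AUR_LOCATION directly") in a comment above both functions so later callers do not guess.

Review bot: taken on its own, this commit makes every existing caller that still does `$AUR_LOCATION . '/' . get_pkg_uri(...)` emit a double slash until 2/3 lands; consider squashing 1/3 and 2/3 or reordering so each commit leaves the tree consistent for bisecting.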
Both get_pkg_uri() and get_user_uri() should always return root-relative URLs -- do not prepend another "/". Fixes FS#32460. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> --- web/lib/pkgfuncs.inc.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/web/lib/pkgfuncs.inc.php b/web/lib/pkgfuncs.inc.php index baa9aa1..8f84cdf 100644 --- a/web/lib/pkgfuncs.inc.php +++ b/web/lib/pkgfuncs.inc.php @@ -302,7 +302,7 @@ function add_package_comment($pkgid, $uid, $comment, $dbh=NULL) { # Simply making these strings translatable won't work, users would be # getting emails in the language that the user who posted the comment was in $body = - 'from ' . $AUR_LOCATION . '/' . get_pkg_uri($row['Name']) . "\n" + 'from ' . $AUR_LOCATION . get_pkg_uri($row['Name']) . "\n" . username_from_sid($_COOKIE['AURSID'], $dbh) . " wrote:\n\n" . $comment . "\n\n---\nIf you no longer wish to receive notifications about this package, please go the the above package page and click the UnNotify button."; @@ -838,7 +838,7 @@ function pkg_flag ($atype, $ids, $action=true, $dbh=NULL) { if ($result) { while ($row = $result->fetch(PDO::FETCH_ASSOC)) { # construct email - $body = "Your package " . $row['Name'] . " has been flagged out of date by " . $f_name . " [1]. You may view your package at:\n" . $AUR_LOCATION . "/" . get_pkg_uri($row['Name']) . "\n\n[1] - " . $AUR_LOCATION . "/" . get_user_uri($f_name); + $body = "Your package " . $row['Name'] . " has been flagged out of date by " . $f_name . " [1]. You may view your package at:\n" . $AUR_LOCATION . get_pkg_uri($row['Name']) . "\n\n[1] - " . $AUR_LOCATION . get_user_uri($f_name); $body = wordwrap($body, 70); $headers = "Reply-to: nobody@archlinux.org\nFrom:aur-notify@archlinux.org\nX-Mailer: PHP\nX-MimeOLE: Produced By AUR\n"; @mail($row['Email'], "AUR Out-of-date Notification for ".$row['Name'], $body, $headers); 
@@ -907,7 +907,7 @@ function pkg_delete ($atype, $ids, $mergepkgid, $dbh=NULL) { $body = ""; if ($mergepkgid) { $body .= username_from_sid($_COOKIE['AURSID']) . " merged \"".$pkgname."\" into \"$mergepkgname\".\n\n"; - $body .= "You will no longer receive notifications about this package, please go to https://aur.archlinux.org/" . get_pkg_uri($mergepkgname) . " and click the Notify button if you wish to recieve them again."; + $body .= "You will no longer receive notifications about this package, please go to https://aur.archlinux.org" . get_pkg_uri($mergepkgname) . " and click the Notify button if you wish to recieve them again."; } else { $body .= username_from_sid($_COOKIE['AURSID']) . " deleted \"".$pkgname."\".\n\n"; $body .= "You will no longer receive notifications about this package."; -- 1.8.0
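Review bot: the pkg_delete() hunk hard-codes `https://aur.archlinux.org` while the two hunks above switch to `$AUR_LOCATION . get_pkg_uri(...)`; use $AUR_LOCATION there as well so test and mirror installs mail out the right host. All three hunks now also assume $AUR_LOCATION carries no trailing slash, which is worth stating next to the config default.

Review bot: since the lines are being touched anyway, the user-visible typos on them could go in the same change: "please go the the above package page" in add_package_comment() and "recieve" in pkg_delete().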
Use the routing library to build proper URIs instead of relying on the "REQUEST_URI" server variable which can be manipulated and might return bogus URIs. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> --- web/html/login.php | 4 ++-- web/template/pkg_comment_form.php | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/web/html/login.php b/web/html/login.php index d5bb1e7..9b3715b 100644 --- a/web/html/login.php +++ b/web/html/login.php @@ -20,7 +20,7 @@ html_header('AUR ' . __("Login")); <a href="<?php get_uri('/logout/'); ?>">[<?= __("Logout"); ?>]</a> </p> <?php elseif (!$DISABLE_HTTP_LOGIN || (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'])): ?> - <form method="post" action="<?= htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES) ?>"> + <form method="post" action="<?= get_uri('/login') ?>"> <fieldset> <legend><?= __('Enter login credentials') ?></legend> <?php if (!empty($login_error)): ?> @@ -47,7 +47,7 @@ html_header('AUR ' . __("Login")); <?php else: ?> <p> <?php printf(__("HTTP login is disabled. Please %sswitch to HTTPs%s if you want to login."), - '<a href="' . $AUR_LOCATION . htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES) . '">', '</a>'); ?> + '<a href="' . $AUR_LOCATION . get_uri('/login') . '">', '</a>'); ?> </p> <?php endif; ?> </div> diff --git a/web/template/pkg_comment_form.php b/web/template/pkg_comment_form.php index da871ec..8e74fe6 100644 --- a/web/template/pkg_comment_form.php +++ b/web/template/pkg_comment_form.php @@ -1,6 +1,6 @@ <div id="generic-form" class="box"> <h2><?= __("Add Comment"); ?></h2> - <form action="<?= $_SERVER['REQUEST_URI'] ?>" method="post"> + <form action="<?= get_pkg_uri($row['Name']) ?>" method="post"> <fieldset> <?php if (isset($_REQUEST['comment']) && check_token()) { -- 1.8.0
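Review bot: in the login.php hunks get_uri('/login') is used inside `<?= ... ?>`, which expects a return value, while the unchanged context three lines up calls `<?php get_uri('/logout/'); ?>` as if the helper echoed; confirm which it does, because an echoing helper would leave action="" on the new line. The replacement also drops the htmlspecialchars() wrapper the old line had; the new value comes from routing configuration rather than the request, but escaping attribute values consistently is cheaper than re-checking each source later. The paths are also inconsistent ('/logout/' with a trailing slash, '/login' without).

Review bot: the pkg_comment_form.php hunk replaces a completely unescaped `<?= $_SERVER['REQUEST_URI'] ?>` in a form action, i.e. request-controlled data reflected into an HTML attribute, which is more than "bogus URIs"; the commit message should name that explicitly so the fix is findable. The template now depends on $row['Name'] being in scope wherever it is included, so the including pages should be checked.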