I've tested some basic AUR functionality and it still worked fine, so please merge. Cgit (with pull URL) is available at http://git.server-speed.net/users/flo/aur/?h=working
Signed-off-by: Florian Pritz <bluewind@xinu.at> --- web/README | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/web/README b/web/README index b8d1b72..0c081f2 100644 --- a/web/README +++ b/web/README @@ -1,7 +1,7 @@ Setup on Arch Linux: ==================== 1) Install Apache, MySQL, PHP, and git - # pacman -Sy apache mysql php git + # pacman -Syu apache mysql php git 2) Set a local 'hostname' of 'aur' - Edit /etc/hosts and append 'aur' to loopback address -- 1.7.5.4
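Review bot: the README hunk swaps "pacman -Sy apache mysql php git" for "pacman -Syu apache mysql php git" but the message carries nothing beyond the Signed-off-by line, so the reason goes unrecorded; state that "-Sy" followed by an install is a partial upgrade, which Arch does not support, and that "-Syu" brings the system current before installing. A one-line rationale in the commit message is all that is missing.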
Signed-off-by: Florian Pritz <bluewind@xinu.at> --- web/lib/aur.inc.php | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php index 4c2cc55..3250133 100644 --- a/web/lib/aur.inc.php +++ b/web/lib/aur.inc.php @@ -78,7 +78,7 @@ function check_sid() { # verify that an email address looks like it is legitimate # function valid_email($addy) { - return strpos($addy, '@'); + return ( ! preg_match("/^([a-z0-9\+_\-]+)(\.[a-z0-9\+_\-]+)*@([a-z0-9\-]+\.)+[a-z]{2,6}$/ix", $addy)) ? FALSE : TRUE; } # a new seed value for mt_srand() -- 1.7.5.4
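Review bot: the new pattern in valid_email() rejects legitimate addresses: the trailing [a-z]{2,6}$ refuses any top-level domain longer than six letters, and the local-part class [a-z0-9\+_\-] refuses characters RFC 5322 allows in a dot-atom such as ', ! or %. Since the rest of this series already assumes a PHP with the filter extension, "return filter_var($addy, FILTER_VALIDATE_EMAIL) !== false;" (as Cédric proposes below) is the safer replacement. Minor: "( ! preg_match(...)) ? FALSE : TRUE" reads more simply as "preg_match(...) === 1".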
On Wed, Jun 22, 2011 at 9:36 PM, Florian Pritz <bluewind@xinu.at> wrote:
+ return ( ! preg_match("/^([a-z0-9\+_\-]+)(\.[a-z0-9\+_\-]+)*@([a-z0-9\-]+\.)+[a-z]{2,6}$/ix", $addy)) ? FALSE : TRUE;
Some legitimate email addresses will not be matched by your regexp. Better use built-in PHP functions:

return filter_var($addy,FILTER_VALIDATE_EMAIL);

-- 
Cédric Girard
On Wed, Jun 22, 2011 at 10:11:28PM +0200, Cédric Girard wrote:
On Wed, Jun 22, 2011 at 9:36 PM, Florian Pritz <bluewind@xinu.at> wrote:
+ return ( ! preg_match("/^([a-z0-9\+_\-]+)(\.[a-z0-9\+_\-]+)*@([a-z0-9\-]+\.)+[a-z]{2,6}$/ix", $addy)) ? FALSE : TRUE;
Some legitimate email addresses will not be matched by your regexp.
Better use built-in PHP functions:
return filter_var($addy,FILTER_VALIDATE_EMAIL);
I prefer this one. Given that the PHP release enabling filter extensions by default was released about 4.5 years ago, I'd say we can push this. Objections?
2011/6/24 Lukas Fleischer <archlinux@cryptocrack.de>:
On Wed, Jun 22, 2011 at 10:11:28PM +0200, Cédric Girard wrote:
On Wed, Jun 22, 2011 at 9:36 PM, Florian Pritz <bluewind@xinu.at> wrote:
+ return ( ! preg_match("/^([a-z0-9\+_\-]+)(\.[a-z0-9\+_\-]+)*@([a-z0-9\-]+\.)+[a-z]{2,6}$/ix", $addy)) ? FALSE : TRUE;
Some legitimate email addresses will not be matched by your regexp.
Better use built-in PHP functions:
return filter_var($addy,FILTER_VALIDATE_EMAIL);
I prefer this one. Given that the PHP release enabling filter extensions by default was released about 4.5 years ago, I'd say we can push this.
Objections?
No objections. +1 for Cédric's suggestion

-- 
Angel Velásquez
angvp @ irc.freenode.net
Arch Linux Developer / Trusted User
Linux Counter: #359909
http://www.angvp.com
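To make the difference discussed in this thread concrete, here is an added example (the editor's code, not the AUR project's) that runs the pattern from the patch, the filter_var() call Cédric suggests, and the pre-patch strpos() check over a constructed list of addresses. The addresses are hypothetical, the three function names are the editor's, and PHP 5.3 or later is assumed so that filter_var() is available. Expect the regex to reject the apostrophe, the "!" and the eleven-letter TLD that filter_var() accepts, and both to reject user@localhost; the last rows show why the old strpos() check happened to reject a leading "@": it returned offset 0, which PHP treats as false.

```php
<?php
// Added example (editor's code, not AUR code): the regex from the patch,
// filter_var(), and the pre-patch strpos() check, run over constructed input.
declare(strict_types=1);

// The pattern exactly as posted in the patch (single-quoted; no escapes change).
const PATCH_EMAIL_RE = '/^([a-z0-9\+_\-]+)(\.[a-z0-9\+_\-]+)*@([a-z0-9\-]+\.)+[a-z]{2,6}$/ix';

function valid_email_regex(string $addy): bool
{
    return preg_match(PATCH_EMAIL_RE, $addy) === 1;
}

function valid_email_filter(string $addy): bool
{
    // filter_var() returns the unchanged string on success and false otherwise,
    // so compare against false rather than relying on truthiness.
    return filter_var($addy, FILTER_VALIDATE_EMAIL) !== false;
}

function valid_email_strpos(string $addy)
{
    // The pre-patch check: an int offset or false. Offset 0 is falsy,
    // which is why "@example.com" was rejected by accident.
    return strpos($addy, '@');
}

// Constructed test cases (hypothetical addresses, not from the thread).
$cases = [
    'user@example.com',
    'first.last+tag@sub.example.co.uk',
    "o'reilly@example.com",        // apostrophe is RFC 5322 atext
    'user!def@example.com',        // '!' is atext too
    'user@example.photography',    // TLD longer than six letters
    'user@localhost',              // no dot in the domain part
    '@example.com',                // empty local part
    'user@',                       // empty domain
    'user@@example.com',
];

printf("%-35s %-7s %-11s %s\n", 'address', 'regex', 'filter_var', 'strpos');
foreach ($cases as $addy) {
    printf("%-35s %-7s %-11s %s\n",
        $addy,
        valid_email_regex($addy) ? 'ok' : 'reject',
        valid_email_filter($addy) ? 'ok' : 'reject',
        var_export(valid_email_strpos($addy), true));
}
```

Whichever validator is kept, the callers of valid_email() should test its result with "!== false" (or have the function return a bool, as above) so that the filtered string is never confused with a truthiness check on an offset.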
Note: As of PHP 4.2.0, there is no need to seed the random number generator with srand() or mt_srand() as this is now done automatically.
Signed-off-by: Florian Pritz <bluewind@xinu.at> --- web/lib/aur.inc.php | 12 +----------- 1 files changed, 1 insertions(+), 11 deletions(-) diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php index 3250133..382578c 100644 --- a/web/lib/aur.inc.php +++ b/web/lib/aur.inc.php @@ -81,25 +81,15 @@ function valid_email($addy) { return ( ! preg_match("/^([a-z0-9\+_\-]+)(\.[a-z0-9\+_\-]+)*@([a-z0-9\-]+\.)+[a-z]{2,6}$/ix", $addy)) ? FALSE : TRUE; } -# a new seed value for mt_srand() -# -function make_seed() { - list($usec, $sec) = explode(' ', microtime()); - return (float) $sec + ((float) $usec * 10000); -} - # generate a (hopefully) unique session id # function new_sid() { - mt_srand(make_seed()); $ts = time(); $pid = getmypid(); - $rand_num = mt_rand(); - mt_srand(make_seed()); $rand_str = substr(md5(mt_rand()),2, 20); - $id = $rand_str . strtolower(md5($ts.$pid)) . $rand_num; + $id = $rand_str . strtolower(md5($ts.$pid)) . mt_rand(); return strtoupper(md5($id)); } -- 1.7.5.4
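Review bot: deleting make_seed() and the two mt_srand() calls is right, because reseeding from microtime() before each mt_rand() call tied the generator to a clock value rather than adding entropy, but what is left in new_sid() is still mt_rand(), time() and getmypid() run through md5(); none of these is a cryptographic source, and the timestamp and pid are guessable. Read the ID from the OS CSPRNG instead (openssl_random_pseudo_bytes() on PHP 5.3, or /dev/urandom) and hex-encode it; md5() neither adds nor hides unpredictability.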
On Wed, Jun 22, 2011 at 09:36:42PM +0200, Florian Pritz wrote:
Note: As of PHP 4.2.0, there is no need to seed the random number generator with srand() or mt_srand() as this is now done automatically.
Signed-off-by: Florian Pritz <bluewind@xinu.at> --- web/lib/aur.inc.php | 12 +----------- 1 files changed, 1 insertions(+), 11 deletions(-)
diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php index 3250133..382578c 100644 --- a/web/lib/aur.inc.php +++ b/web/lib/aur.inc.php @@ -81,25 +81,15 @@ function valid_email($addy) { return ( ! preg_match("/^([a-z0-9\+_\-]+)(\.[a-z0-9\+_\-]+)*@([a-z0-9\-]+\.)+[a-z]{2,6}$/ix", $addy)) ? FALSE : TRUE; }
-# a new seed value for mt_srand() -# -function make_seed() { - list($usec, $sec) = explode(' ', microtime()); - return (float) $sec + ((float) $usec * 10000); -} - # generate a (hopefully) unique session id # function new_sid() { - mt_srand(make_seed()); $ts = time(); $pid = getmypid();
- $rand_num = mt_rand(); - mt_srand(make_seed()); $rand_str = substr(md5(mt_rand()),2, 20);
- $id = $rand_str . strtolower(md5($ts.$pid)) . $rand_num; + $id = $rand_str . strtolower(md5($ts.$pid)) . mt_rand(); return strtoupper(md5($id));
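Review bot: "$rand_str = substr(md5(mt_rand()),2, 20);" hashes a single mt_rand() value in the range 0 to 2^31-1, so those 20 hex characters carry at most 31 bits however long the slice is; together with the second mt_rand() that caps the unpredictable input to the outer md5() at 62 bits, and md5($ts.$pid) adds nothing since time and pid are not secret. Widening the substring or nesting more md5() calls cannot raise that bound; only a stronger source can.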
The session ID generation seems more of an arbitrary composition of commands to me anyway. Looking at the "$rand_str" calculation and the last two lines of code, it's easy to see that the amount of self-information of a session ID generated by the current new_sid() is even below MD5's digest size of 128 bits. How about just using something like this:

----
return md5($_SERVER['REMOTE_ADDR'] . uniqid(mt_rand(), true));
----

This is (kind of) clear and results in all session IDs of our session ID universe being used (assuming that at least 256 different IP addresses are in use and without taking MD5 vulnerabilities into account, of course).
}
-- 1.7.5.4
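The entropy argument Lukas makes above can be checked in code. The added example below (the editor's code, not the AUR project's) bounds what an attacker has to guess in the patched new_sid(), shows that the construction is a pure function of the mt_rand() seed plus a timestamp and pid, and gives a CSPRNG-backed replacement that produces the same 32-character upper-case hex shape. The function names, the seed, timestamp and pid values are the editor's constructed assumptions; PHP 7 is assumed for random_bytes(), with the PHP 5.3 openssl fallback kept for the versions this thread targets.

```php
<?php
// Added example (editor's code, not AUR code): what bounds the
// unpredictability of the patched new_sid(), and a CSPRNG-backed replacement.
declare(strict_types=1);

// Bit length of mt_getrandmax() (2^31 - 1 on every PHP build), i.e. the most
// a single mt_rand() call can contribute.
function mt_rand_bits(): int
{
    $bits = 0;
    for ($n = mt_getrandmax(); $n > 0; $n >>= 1) {
        $bits++;
    }
    return $bits;
}

// Upper bound on what an attacker must guess in the patched new_sid(): two
// mt_rand() draws. time() and getmypid() are treated as known (the clock is
// public, pids are small), and md5() can only cap the result, never add to it.
function mt_sid_guess_bits(int $mt_rand_draws = 2): int
{
    return min(128, $mt_rand_draws * mt_rand_bits());
}

// The patched construction with an explicit seed, to show the output is a
// pure function of (seed, ts, pid): recover the seed and you have the ID.
function mt_based_sid(int $seed, int $ts, int $pid): string
{
    mt_srand($seed);
    $rand_str = substr(md5((string) mt_rand()), 2, 20);
    return strtoupper(md5($rand_str . strtolower(md5($ts . $pid)) . mt_rand()));
}

function same_seed_same_sid(int $seed): bool
{
    $ts  = 1308771402; // constructed timestamp (assumption)
    $pid = 4242;       // constructed pid (assumption)
    return mt_based_sid($seed, $ts, $pid) === mt_based_sid($seed, $ts, $pid);
}

// Replacement: 128 bits from the OS CSPRNG, hex-encoded to the same
// 32-character upper-case shape new_sid() returns today.
function secure_sid(): string
{
    if (function_exists('random_bytes')) {          // PHP >= 7.0
        $raw = random_bytes(16);
    } else {                                         // PHP 5.3 .. 5.6
        $strong = false;
        $raw = openssl_random_pseudo_bytes(16, $strong);
        if ($raw === false || !$strong) {
            throw new RuntimeException('no cryptographically strong RNG available');
        }
    }
    return strtoupper(bin2hex($raw));
}

printf("patched new_sid(): at most %d bits to guess, below md5's 128\n", mt_sid_guess_bits());
printf("same seed gives same ID: %s\n", same_seed_same_sid(12345) ? 'yes' : 'no');
$sid = secure_sid();
printf("secure_sid(): %s (%d hex chars = 128 bits)\n", $sid, strlen($sid));
```

The uniqid()-based line Lukas proposes shares the weakness it replaces: uniqid() is a microsecond timestamp and mt_rand() a non-cryptographic generator, so the IP address is the only input that is not guessable from the outside, and it is the client's own.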
Signed-off-by: Florian Pritz <bluewind@xinu.at> --- web/README | 4 ---- web/template/header.php | 2 +- 2 files changed, 1 insertions(+), 5 deletions(-) diff --git a/web/README b/web/README index 0c081f2..37a224e 100644 --- a/web/README +++ b/web/README @@ -62,10 +62,6 @@ Setup on Arch Linux: PEAR's path may vary depending on your set up. - - AUR does not work properly with PHP's short open tag enabled. - Be sure you have this in php.ini: - short_open_tag = Off - 6) Configure MySQL - Start the MySQL service. Example: # /etc/rc.d/mysqld start diff --git a/web/template/header.php b/web/template/header.php index 3ea2798..8313bb3 100644 --- a/web/template/header.php +++ b/web/template/header.php @@ -1,4 +1,4 @@ -<?xml version="1.0" encoding="UTF-8"?> +<?php echo '<?xml version="1.0" encoding="UTF-8"?>'; ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" -- 1.7.5.4
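Review bot: in the web/template/header.php hunk, "<?php echo '<?xml version="1.0" encoding="UTF-8"?>'; ?>" is followed directly by a newline, which PHP swallows after a closing "?>", so the XML declaration and the DOCTYPE will now be emitted on one line. Parsers accept that, but if the line break is wanted, emit it from inside PHP: echo '<?xml version="1.0" encoding="UTF-8"?>' . "\n"; The "?>" inside the single-quoted string is fine; the lexer does not leave PHP mode there.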
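Review bot: the web/README hunk deletes the short_open_tag warning outright, while the diffstat shows header.php as the only other file touched. If the "<?xml" prolog was the only construct that broke under short_open_tag = On, the commit message (currently only a Signed-off-by line) should say so; otherwise keep the warning until the remaining templates are converted.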
Signed-off-by: Florian Pritz <bluewind@xinu.at> --- web/lib/aur.inc.php | 12 ++++++++++-- 1 files changed, 10 insertions(+), 2 deletions(-) diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php index 382578c..3d1688a 100644 --- a/web/lib/aur.inc.php +++ b/web/lib/aur.inc.php @@ -89,8 +89,16 @@ function new_sid() { $rand_str = substr(md5(mt_rand()),2, 20); - $id = $rand_str . strtolower(md5($ts.$pid)) . mt_rand(); - return strtoupper(md5($id)); + $id = strtoupper(md5($rand_str . strtolower(md5($ts.$pid)) . mt_rand())); + + $dbh = db_connect(); + $q = "SELECT SessionID FROM Sessions WHERE `SessionID` = '".mysql_real_escape_string($id)."'"; + $result = db_query($q, $dbh); + if (mysql_num_rows($result) == 0) { + return $id; + } else { + return new_sid(); + } } -- 1.7.5.4
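Review bot: the SELECT-then-return check added to new_sid() does not guarantee uniqueness: two concurrent logins can both observe mysql_num_rows($result) == 0 for the same $id and both go on to insert it, because the lookup and the later INSERT are not atomic. Put a UNIQUE or PRIMARY KEY on Sessions.SessionID and retry when the insert reports a duplicate key. Also "return new_sid();" recurses without any bound; a loop with a retry limit is the safer shape. The mysql_real_escape_string($id) call is harmless but redundant on a 32-character hex string.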
On Wed, Jun 22, 2011 at 09:36:44PM +0200, Florian Pritz wrote:
Signed-off-by: Florian Pritz <bluewind@xinu.at> --- web/lib/aur.inc.php | 12 ++++++++++-- 1 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php index 382578c..3d1688a 100644 --- a/web/lib/aur.inc.php +++ b/web/lib/aur.inc.php @@ -89,8 +89,16 @@ function new_sid() {
$rand_str = substr(md5(mt_rand()),2, 20);
- $id = $rand_str . strtolower(md5($ts.$pid)) . mt_rand(); - return strtoupper(md5($id)); + $id = strtoupper(md5($rand_str . strtolower(md5($ts.$pid)) . mt_rand())); + + $dbh = db_connect(); + $q = "SELECT SessionID FROM Sessions WHERE `SessionID` = '".mysql_real_escape_string($id)."'"; + $result = db_query($q, $dbh); + if (mysql_num_rows($result) == 0) { + return $id; + } else { + return new_sid(); + }
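Review bot: the restructured "$id = strtoupper(md5($rand_str . strtolower(md5($ts.$pid)) . mt_rand()));" feeds exactly the same inputs as before, so the database lookup only guards against accidental collisions, which this thread already estimates as negligible, and does nothing about how predictable those inputs are. If uniqueness is the concern it belongs in the schema; if guessability is, the source has to change, not the lookup.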
-1. new_sid() is (mis-)used at some other places as well, plus there's an additional check in try_login() which ensures we don't use the same session ID twice (even though there's only an 8.27E-25 chance this will ever happen).
}
-- 1.7.5.4
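Lukas's objection above is about where the duplicate check should live. The added example below (the editor's code, not the AUR project's) shows what the SELECT-then-INSERT pattern in the patch cannot give: the database enforces uniqueness through a key on SessionID, and the caller retries a bounded number of times on a duplicate-key failure, so two concurrent logins cannot both pass the check. It uses PDO over an in-memory SQLite table shaped after the Sessions table; the UsersID and LastUpdateTS columns and the helper names are assumptions, PHP 7 with the pdo_sqlite extension is assumed, and the colliding generator is constructed only to exercise the retry path. MySQL reports a duplicate key with the same SQLSTATE 23000, so the catch clause carries over unchanged.

```php
<?php
// Added example (editor's code, not AUR code): let the database enforce
// session-ID uniqueness instead of SELECT-then-INSERT. In-memory SQLite
// stands in for MySQL; columns other than SessionID are assumptions.
declare(strict_types=1);

function open_sessions_db(): PDO
{
    $dbh = new PDO('sqlite::memory:');
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $dbh->exec('CREATE TABLE Sessions (
        SessionID    CHAR(32) PRIMARY KEY,
        UsersID      INTEGER NOT NULL,
        LastUpdateTS INTEGER NOT NULL)');
    return $dbh;
}

// Inserts a fresh session row. A duplicate SessionID makes the INSERT itself
// fail (SQLSTATE 23000), atomically, so we draw a new ID and retry a bounded
// number of times instead of checking first and recursing without limit.
function create_session(PDO $dbh, int $user_id, callable $new_sid, int $max_tries = 5): string
{
    $stmt = $dbh->prepare(
        'INSERT INTO Sessions (SessionID, UsersID, LastUpdateTS) VALUES (?, ?, ?)');
    for ($try = 0; $try < $max_tries; $try++) {
        $sid = $new_sid();
        try {
            $stmt->execute([$sid, $user_id, time()]);
            return $sid;
        } catch (PDOException $e) {
            if ((string) $e->getCode() !== '23000') {
                throw $e;   // anything other than a uniqueness violation is fatal
            }
            // duplicate key: fall through and try another ID
        }
    }
    throw new RuntimeException("could not allocate a unique session ID in $max_tries tries");
}

// A generator that deliberately repeats its first ID once, to exercise the
// retry path (constructed for the demo; a real one draws from a CSPRNG).
function colliding_generator(): callable
{
    $queue = [str_repeat('A', 32), str_repeat('A', 32), str_repeat('B', 32)];
    return function () use (&$queue): string {
        return array_shift($queue) ?? strtoupper(bin2hex(random_bytes(16)));
    };
}

$dbh    = open_sessions_db();
$gen    = colliding_generator();
$first  = create_session($dbh, 1001, $gen);   // takes AAAA...
$second = create_session($dbh, 1002, $gen);   // AAAA... collides, retry yields BBBB...
$rows   = (int) $dbh->query('SELECT COUNT(*) FROM Sessions')->fetchColumn();
printf("first=%s second=%s rows=%d\n", $first, $second, $rows);
```

With the key in place the separate lookup in the patch becomes unnecessary, and the "additional check in try_login()" Lukas mentions can be reduced to the same insert-and-retry.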
Participants (4): Cédric Girard, Florian Pritz, Lukas Fleischer, Ángel Velásquez