I've tested some basic AUR functionality and it still worked fine, so please merge. Cgit (with pull URL) is available at http://git.server-speed.net/users/flo/aur/?h=working
Signed-off-by: Florian Pritz
On Wed, Jun 22, 2011 at 9:36 PM, Florian Pritz
+ return ( ! preg_match("/^([a-z0-9\+_\-]+)(\.[a-z0-9\+_\-]+)*@([a-z0-9\-]+\.)+[a-z]{2,6}$/ix", $addy)) ? FALSE : TRUE;
Some legitimate email addresses will not be matched by your regexp. Better use built-in PHP functions: return filter_var($addy,FILTER_VALIDATE_EMAIL); -- Cédric Girard
On Wed, Jun 22, 2011 at 10:11:28PM +0200, Cédric Girard wrote:
On Wed, Jun 22, 2011 at 9:36 PM, Florian Pritz
wrote: + return ( ! preg_match("/^([a-z0-9\+_\-]+)(\.[a-z0-9\+_\-]+)*@([a-z0-9\-]+\.)+[a-z]{2,6}$/ix", $addy)) ? FALSE : TRUE;
Some legitimate email addresses will not be matched by your regexp.
Better use built-in PHP functions:
return filter_var($addy,FILTER_VALIDATE_EMAIL);
I prefer this one. Given that the PHP release enabling filter extensions by default was released about 4.5 years ago, I'd say we can push this. Objections?
2011/6/24 Lukas Fleischer
On Wed, Jun 22, 2011 at 10:11:28PM +0200, Cédric Girard wrote:
On Wed, Jun 22, 2011 at 9:36 PM, Florian Pritz
wrote: + return ( ! preg_match("/^([a-z0-9\+_\-]+)(\.[a-z0-9\+_\-]+)*@([a-z0-9\-]+\.)+[a-z]{2,6}$/ix", $addy)) ? FALSE : TRUE;
Some legitimate email addresses will not be matched by your regexp.
Better use built-in PHP functions:
return filter_var($addy,FILTER_VALIDATE_EMAIL);
I prefer this one. Given that the PHP release enabling filter extensions by default was released about 4.5 years ago, I'd say we can push this.
Objections?
No objections. +1 for Cédric's suggestion -- Angel Velásquez angvp @ irc.freenode.net Arch Linux Developer / Trusted User Linux Counter: #359909 http://www.angvp.com
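As an added example (not part of the thread and not AUR code), the regex from the patch and Cédric's filter_var() replacement run side by side over a set of constructed addresses, so the cases the regex cannot express are visible: its local-part class has no apostrophe, its TLD is capped at six letters by `[a-z]{2,6}`, and its domain labels may begin with a hyphen. The sample addresses, the example.* domains and the helper names are this example's own.

```php
<?php
// Added example (not from the thread or the AUR code base): run the regex from
// the patch and the filter_var() replacement side by side over constructed
// addresses and report where they disagree.

// The pattern exactly as posted in the patch (valid_email() before the change).
function valid_email_regex($addy) {
    $pattern = '/^([a-z0-9\+_\-]+)(\.[a-z0-9\+_\-]+)*@([a-z0-9\-]+\.)+[a-z]{2,6}$/ix';
    return preg_match($pattern, $addy) === 1;
}

// The suggested replacement: the filter extension, enabled by default since PHP 5.2.
function valid_email_filter($addy) {
    return filter_var($addy, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed inputs; each comment says what the address probes.
function sample_addresses() {
    return array(
        'florian@example.com',        // ordinary address
        'first.last@example.co.uk',   // dotted local part, multi-label domain
        'user+tag@example.com',       // '+' sub-addressing, common on mailing lists
        "o'brien@example.com",        // apostrophe: legal in a local part (RFC 5322 atext)
        'dev@example.photography',    // TLD longer than six letters
        'user@-example.com',          // label starting with '-': not a valid hostname
        'user@localhost',             // no dot in the domain
        'two@@example.com',           // malformed
    );
}

// Returns array(address => array('regex' => bool, 'filter' => bool)) for every
// address on which the two validators disagree.
function disagreements(array $addresses) {
    $out = array();
    foreach ($addresses as $addy) {
        $r = valid_email_regex($addy);
        $f = valid_email_filter($addy);
        if ($r !== $f) {
            $out[$addy] = array('regex' => $r, 'filter' => $f);
        }
    }
    return $out;
}

printf("%-28s %-6s %s\n", 'address', 'regex', 'filter_var');
foreach (sample_addresses() as $addy) {
    printf("%-28s %-6s %s\n", $addy,
        valid_email_regex($addy) ? 'ok' : 'REJECT',
        valid_email_filter($addy) ? 'ok' : 'REJECT');
}
printf("\n%d address(es) where the validators disagree\n", count(disagreements(sample_addresses())));
```

Run it with `php validate.php` (any PHP with the filter extension, i.e. PHP 5.2 or later). The table is the point: an address the regex rejects and filter_var() accepts is a registration the AUR would have refused for no reason, while one the regex accepts and filter_var() rejects is a domain the regex was too loose about.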
Note: As of PHP 4.2.0, there is no need to seed the random number generator with srand() or mt_srand() as this is now done automatically.
Signed-off-by: Florian Pritz
On Wed, Jun 22, 2011 at 09:36:42PM +0200, Florian Pritz wrote:
Note: As of PHP 4.2.0, there is no need to seed the random number generator with srand() or mt_srand() as this is now done automatically.
Signed-off-by: Florian Pritz
--- web/lib/aur.inc.php | 12 +----------- 1 files changed, 1 insertions(+), 11 deletions(-) diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php index 3250133..382578c 100644 --- a/web/lib/aur.inc.php +++ b/web/lib/aur.inc.php @@ -81,25 +81,15 @@ function valid_email($addy) { return ( ! preg_match("/^([a-z0-9\+_\-]+)(\.[a-z0-9\+_\-]+)*@([a-z0-9\-]+\.)+[a-z]{2,6}$/ix", $addy)) ? FALSE : TRUE; }
-# a new seed value for mt_srand() -# -function make_seed() { - list($usec, $sec) = explode(' ', microtime()); - return (float) $sec + ((float) $usec * 10000); -} - # generate a (hopefully) unique session id # function new_sid() { - mt_srand(make_seed()); $ts = time(); $pid = getmypid();
- $rand_num = mt_rand(); - mt_srand(make_seed()); $rand_str = substr(md5(mt_rand()),2, 20);
- $id = $rand_str . strtolower(md5($ts.$pid)) . $rand_num; + $id = $rand_str . strtolower(md5($ts.$pid)) . mt_rand(); return strtoupper(md5($id));
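Review bot: the deleted make_seed() deserves a sentence in the commit message, because it was worse than redundant: it returned $sec + $usec * 10000 with $usec in [0, 1), so every seed handed to mt_srand() fell in a window of about 10^4 values above the current second, and reseeding immediately before each draw reduced the unpredictable content of $rand_str and $rand_num to that window. Dropping the reseeding removes that bound, but what the hunk leaves in new_sid() (two mt_rand() draws plus time() and getmypid(), all run through md5()) is still not a cryptographic source: mt_rand() is a Mersenne Twister whose output is predictable to anyone who has seen earlier outputs, and md5() cannot add entropy to at most 62 unknown input bits. Consider drawing the ID directly from openssl_random_pseudo_bytes() (PHP >= 5.3) and checking its $crypto_strong flag instead of composing md5() over mt_rand().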
The session ID generation seems more of an arbitrary composition of commands to me anyway. Looking at the "$rand_str" calculation and the last two lines of code, it's easy to see that the amount of self-information of a session ID generated by the current new_sid() is even below MD5's digest size of 128 bit. How about just using something like this: ---- return md5($_SERVER['REMOTE_ADDR'] . uniqid(mt_rand(), true)); ---- This is (kind of) clear and results in all session IDs of our session ID universe being used (assuming that at least 256 different IP addresses are in use and without taking MD5 vulnerabilities into account, of course).
}
-- 1.7.5.4
Signed-off-by: Florian Pritz
On Wed, Jun 22, 2011 at 09:36:44PM +0200, Florian Pritz wrote:
Signed-off-by: Florian Pritz
--- web/lib/aur.inc.php | 12 ++++++++++-- 1 files changed, 10 insertions(+), 2 deletions(-) diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php index 382578c..3d1688a 100644 --- a/web/lib/aur.inc.php +++ b/web/lib/aur.inc.php @@ -89,8 +89,16 @@ function new_sid() {
$rand_str = substr(md5(mt_rand()),2, 20);
- $id = $rand_str . strtolower(md5($ts.$pid)) . mt_rand(); - return strtoupper(md5($id)); + $id = strtoupper(md5($rand_str . strtolower(md5($ts.$pid)) . mt_rand())); + + $dbh = db_connect(); + $q = "SELECT SessionID FROM Sessions WHERE `SessionID` = '".mysql_real_escape_string($id)."'"; + $result = db_query($q, $dbh); + if (mysql_num_rows($result) == 0) { + return $id; + } else { + return new_sid(); + }
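Review bot: the SELECT-then-return check does not make the ID unique under concurrency, since a second request can insert the same SessionID between this SELECT and the caller's later INSERT; the place to enforce uniqueness is the Sessions primary key (or a UNIQUE index), retrying when the INSERT fails rather than probing first. The retry itself, `return new_sid();`, is unbounded recursion and should be a loop with a cap. Neither point touches the real weakness: $id is still md5() over mt_rand(), time() and getmypid(), so a collision check treats a symptom, and once the inputs come from a CSPRNG the database probe is unnecessary because a 128-bit collision is negligible. Minor: mysql_real_escape_string($id) is called without the $dbh link and so relies on the last opened connection; passing $dbh makes the dependency explicit.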
-1. new_sid() is (mis-)used at some other places as well, plus there's an additional check in try_login() which ensures we don't use the same session ID twice (even though there's only a 8.27E-25 chance this will ever happen).
}
-- 1.7.5.4
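The thread argues about new_sid() from two directions: Florian's second patch removes the make_seed()/mt_srand() reseeding, and Lukas observes that the self-information of the resulting ID is below MD5's 128-bit digest. The following is an added example, written for this page rather than taken from the AUR tree or from either author, that makes both points concrete and shows the replacement the discussion is circling: it reproduces the deleted make_seed() from the `-` lines of the patch, recovers the seed behind an old-style $rand_str by enumerating the roughly 10^4 seeds that function could produce in a given second, computes the input-entropy bound of the patched new_sid(), and generates an ID from the OS CSPRNG via openssl_random_pseudo_bytes() (PHP >= 5.3 with the openssl extension; these assumptions and the helper names are the example's own).

```php
<?php
// Added example, not AUR code: (1) how little the removed make_seed()/mt_srand()
// reseeding protected the session ID, (2) the entropy bound of what the patch
// leaves in new_sid(), (3) a generator that draws from the OS CSPRNG instead.

// The seeding function the patch deletes, reproduced from its '-' lines.
function make_seed_old() {
    list($usec, $sec) = explode(' ', microtime());
    return (float) $sec + ((float) $usec * 10000);
}

// The $rand_str step of the old new_sid(): reseed, then draw once.
// mt_srand() takes an int, so the float seed is truncated exactly as PHP did.
function old_rand_str($seed) {
    mt_srand((int) $seed);
    return substr(md5(mt_rand()), 2, 20);
}

// $usec is in [0, 1), so make_seed_old() lies in [$sec, $sec + 10000): knowing
// the second (e.g. from the request timestamp) leaves ~10^4 candidate seeds.
// Recover the seed behind an observed $rand_str by scanning that window
// (one extra second of slack covers a clock tick between time() and microtime()).
function recover_seed($observed_rand_str, $sec) {
    for ($seed = $sec; $seed <= $sec + 10000; $seed++) {
        if (old_rand_str($seed) === $observed_rand_str) {
            return $seed;
        }
    }
    return null;
}

// Upper bound on the unknown bits feeding the final md5() in the patched
// new_sid(): two mt_rand() draws of 31 bits each (mt_getrandmax() is 2^31-1);
// time() and getmypid() are guessable, and hashing cannot add entropy.
function patched_sid_entropy_bound_bits() {
    $bits_per_draw = (int) round(log(mt_getrandmax() + 1, 2)); // 31
    return 2 * $bits_per_draw;                                   // 62, below md5's 128
}

// Replacement: 128 bits straight from the OS CSPRNG. openssl_random_pseudo_bytes()
// exists since PHP 5.3; on PHP 7+ random_bytes(16) is the simpler equivalent.
function new_sid_csprng() {
    $strong = false;
    $raw = openssl_random_pseudo_bytes(16, $strong);
    if ($raw === false || !$strong) {
        throw new RuntimeException('no cryptographically strong RNG available');
    }
    return strtoupper(bin2hex($raw)); // 32 hex chars, same shape as the md5-based id
}

// Demo: produce a $rand_str the old way, then recover its seed knowing only the second.
$sec    = time();
$victim = old_rand_str(make_seed_old());
$found  = recover_seed($victim, $sec);
printf("old \$rand_str %s: seed %s recovered from a window of %d candidates\n",
       $victim, var_export($found, true), 10001);
printf("patched new_sid(): at most %d unknown input bits (digest is 128)\n",
       patched_sid_entropy_bound_bits());
printf("CSPRNG session id: %s\n", new_sid_csprng());
```

The seed recovery is the reason the reseeding had to go, and the entropy bound is why removing it is not enough on its own: after the patch an observer still only has to guess mt_rand() output, not a 128-bit secret. A generator built on the CSPRNG also makes the uniqueness probe in the third patch moot, since two random 128-bit IDs colliding is not a case worth a database round trip.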
participants (4): Cédric Girard, Florian Pritz, Lukas Fleischer, Ángel Velásquez