[aur-dev] [PATCH] aurjson: Do not interpret hexadecimal strings as IDs

Lukas Fleischer lfleischer at archlinux.org
Sat Dec 12 17:38:01 UTC 2015


When performing info or multiinfo queries, one can either pass package
names or package IDs as parameters. Currently, strings like "0xdbe" are
parsed as package IDs which is not what we want. Change the parser such
that only strings matching [0-9]+ are treated as IDs.

Fixes FS#47324.

Signed-off-by: Lukas Fleischer <lfleischer at archlinux.org>
---
 web/lib/aurjson.class.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/web/lib/aurjson.class.php b/web/lib/aurjson.class.php
index 9097035..09368df 100644
--- a/web/lib/aurjson.class.php
+++ b/web/lib/aurjson.class.php
@@ -346,7 +346,7 @@ class AurJSON {
 			if (!$arg) {
 				continue;
 			}
-			if (is_numeric($arg)) {
+			if (ctype_digit($arg)) {
 				$id_args[] = intval($arg);
 			} else {
 				$name_args[] = $this->dbh->quote($arg);
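Review bot: `ctype_digit()` only means "matches [0-9]+" when it is handed a string; an integer from -128 to 255 is read as an ASCII code, and other non-string values return false (with a deprecation notice from PHP 8.1). The loop that produces `$arg` starts outside this hunk, so it is not visible whether every element is guaranteed to be a string. If it is not, `if (is_string($arg) && ctype_digit($arg)) {` makes the intent explicit, and the same applies to `$pqdata` in the `info()` hunk. Separately, `intval()` saturates at PHP_INT_MAX for overlong digit strings, which is harmless for a lookup but worth a one-line comment.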
@@ -405,7 +405,7 @@ class AurJSON {
 	 */
 	private function info($http_data) {
 		$pqdata = $http_data['arg'];
-		if (is_numeric($pqdata)) {
+		if (ctype_digit($pqdata)) {
 			$where_condition = "Packages.ID = $pqdata";
 		} else {
 			$where_condition = "Packages.Name = " . $this->dbh->quote($pqdata);
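Review bot: The ID branch of `info()` still embeds the raw request string in the SQL text (`"Packages.ID = $pqdata"`), so the query's safety rests entirely on the `ctype_digit()` guard one line above. The multiinfo hunk casts with `intval($arg)` before using the value; doing the same here, `$where_condition = "Packages.ID = " . intval($pqdata);`, keeps the two paths consistent and keeps the query well-formed if the guard is ever loosened again. At minimum a comment such as `// $pqdata is digits-only here, safe to embed unquoted` would record the invariant. The body of `info()` continues past the end of this hunk.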
-- 
2.6.4

