Debian Bug report logs - #652464
RFP: aguilas -- A web-based LDAP user management system

Package: wnpp; Maintainer for wnpp is wnpp@debian.org;

Reported by: Luis Alejandro Martínez Faneyth <martinez.faneyth@gmail.com>

Date: Sat, 17 Dec 2011 13:51:01 UTC

Severity: wishlist



Report forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org, wnpp@debian.org, "Luis Alejandro Martínez Faneyth" <martinez.faneyth@gmail.com>:
Bug#652464; Package wnpp. (Sat, 17 Dec 2011 13:51:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Luis Alejandro Martínez Faneyth <martinez.faneyth@gmail.com>:
New Bug report received and forwarded. Copy sent to debian-devel@lists.debian.org, wnpp@debian.org, "Luis Alejandro Martínez Faneyth" <martinez.faneyth@gmail.com>. (Sat, 17 Dec 2011 13:51:06 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Luis Alejandro Martínez Faneyth <martinez.faneyth@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ITP: aguilas -- A web-based LDAP user management system
Date: Sat, 17 Dec 2011 09:18:22 -0430
Package: wnpp
Severity: wishlist
Owner: "Luis Alejandro Martínez Faneyth" <martinez.faneyth@gmail.com>

* Package name    : aguilas
  Version         : 1.0.0
  Upstream Author : Luis Alejandro Martínez Faneyth
<martinez.faneyth@gmail.com>
* URL             : http://code.google.com/p/aguilas
* License         : GPL-3
  Programming Lang: PHP
  Description     : A web-based LDAP user management system

AGUILAS is an application written mostly in PHP, but it has bits of JavaScript,
SQL, style sheets and of course, HTML. It is a centralized registration system
that allows users to manage an LDAP authentication platform, using MYSQL
database support in cases where necessary (temporary records).

AGUILAS has the following features:

    Creates user accounts based on a customizable number of LDAP attributes.
    Resends confirmation email in case it gets lost on spam folders.
    Password reset.
    Password change.
    Username reminder.
    Deletion of account.
    Edit your user profile (ajax enabled).
    List all registered users.
    Find a Member.




Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, "Luis Alejandro Martínez Faneyth" <martinez.faneyth@gmail.com>:
Bug#652464; Package wnpp. (Sat, 17 Dec 2011 21:18:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Sune Vuorela <sune@debian.org>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org, "Luis Alejandro Martínez Faneyth" <martinez.faneyth@gmail.com>. (Sat, 17 Dec 2011 21:18:04 GMT) Full text and rfc822 format available.

Message #10 received at 652464@bugs.debian.org (full text, mbox):

From: Sune Vuorela <sune@debian.org>
To: Luis Alejandro Martínez Faneyth <martinez.faneyth@gmail.com>, 652464@bugs.debian.org, debian-devel@lists.debian.org
Subject: Re: Bug#652464: ITP: aguilas -- A web-based LDAP user management system
Date: Sat, 17 Dec 2011 21:49:15 +0100
On Saturday 17 December 2011 14:48:22 Luis Alejandro Martínez Faneyth wrote:
> Package: wnpp
> Severity: wishlist
> Owner: "Luis Alejandro Martínez Faneyth" <martinez.faneyth@gmail.com>
> 
> * Package name    : aguilas
>   Version         : 1.0.0
>   Upstream Author : Luis Alejandro Martínez Faneyth
> <martinez.faneyth@gmail.com>
> * URL             : http://code.google.com/p/aguilas
> * License         : GPL-3
>   Programming Lang: PHP
>   Description     : A web-based LDAP user management system
> 
> AGUILAS is an application written mostly in PHP, but it has bits of
> JavaScript, SQL, style sheets and of course, HTML. It is a centralized

I was showing 'aguilas' to some people also looking for web based ldap user 
management systems, and then within not too much time, I got a message back 
saying 

"not sure I like the look of that sql query..."
"sql injection in 5 seconds flat"


    $sel_q = "SELECT * FROM NewUser"
                      . " WHERE mail='" . $mail . "'"
                      . " AND uid='" . $uid . "'"
                      . " AND token='" . $token . "'"
                      . " ORDER BY token DESC LIMIT 0,1";

I also got a bit scared by this. 

/Sune
-- 
Do you know how might I reset the SCSI window?

You should reset the head.




Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, "Luis Alejandro Martínez Faneyth" <martinez.faneyth@gmail.com>:
Bug#652464; Package wnpp. (Sat, 17 Dec 2011 22:42:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to martinez.faneyth@gmail.com:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org, "Luis Alejandro Martínez Faneyth" <martinez.faneyth@gmail.com>. (Sat, 17 Dec 2011 22:42:03 GMT) Full text and rfc822 format available.

Message #15 received at 652464@bugs.debian.org (full text, mbox):

From: Luis Alejandro Martínez Faneyth <martinez.faneyth@gmail.com>
To: Sune Vuorela <sune@debian.org>
Cc: 652464@bugs.debian.org, debian-devel@lists.debian.org
Subject: Re: Bug#652464: ITP: aguilas -- A web-based LDAP user management system
Date: Sat, 17 Dec 2011 18:08:35 -0430
On 17/12/11 16:19, Sune Vuorela wrote:
> On Saturday 17 December 2011 14:48:22 Luis Alejandro Martínez Faneyth wrote:
>> Package: wnpp
>> Severity: wishlist
>> Owner: "Luis Alejandro Martínez Faneyth" <martinez.faneyth@gmail.com>
>>
>> * Package name    : aguilas
>>   Version         : 1.0.0
>>   Upstream Author : Luis Alejandro Martínez Faneyth
>> <martinez.faneyth@gmail.com>
>> * URL             : http://code.google.com/p/aguilas
>> * License         : GPL-3
>>   Programming Lang: PHP
>>   Description     : A web-based LDAP user management system
>>
>> AGUILAS is an application written mostly in PHP, but it has bits of
>> JavaScript, SQL, style sheets and of course, HTML. It is a centralized
> 
> I was showing 'aguilas' to some people also looking for web based ldap user 
> management systems, and then within not too much time, I got a message back 
> saying 
> 
> "not sure I like the look of that sql query..."
> "sql injection in 5 seconds flat"
> 
> 
>     $sel_q = "SELECT * FROM NewUser"
>                       . " WHERE mail='" . $mail . "'"
>                       . " AND uid='" . $uid . "'"
>                       . " AND token='" . $token . "'"
>                       . " ORDER BY token DESC LIMIT 0,1";

Thanks for having a look :)

Well, I perform a very strict validation before that query is made.
Lines 20 - 54:

http://code.google.com/p/aguilas/source/browse/NewUserDo.php#20
http://code.google.com/p/aguilas/source/browse/NewUserDo.php#54

You are still scared?

> 
> I also got a bit scared by this. 
> 
> /Sune

-- 
With nothing more to add, and always at your service,


Luis Alejandro Martínez Faneyth
Telecommunications Engineer
Blog: http://www.huntingbears.com.ve/
Twitter: @LuisAlejandro
GPG Key = E78DAA2E


CODE IS POETRY




Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, "Luis Alejandro Martínez Faneyth" <martinez.faneyth@gmail.com>:
Bug#652464; Package wnpp. (Sat, 17 Dec 2011 22:57:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Roberto C. Sánchez <roberto@connexer.com>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org, "Luis Alejandro Martínez Faneyth" <martinez.faneyth@gmail.com>. (Sat, 17 Dec 2011 22:57:04 GMT) Full text and rfc822 format available.

Message #20 received at 652464@bugs.debian.org (full text, mbox):

From: Roberto C. Sánchez <roberto@connexer.com>
To: Luis Alejandro Martínez Faneyth <martinez.faneyth@gmail.com>
Cc: Sune Vuorela <sune@debian.org>, 652464@bugs.debian.org, debian-devel@lists.debian.org
Subject: Re: Bug#652464: ITP: aguilas -- A web-based LDAP user management system
Date: Sat, 17 Dec 2011 17:54:32 -0500
On Sat, Dec 17, 2011 at 06:08:35PM -0430, Luis Alejandro Martínez Faneyth wrote:
> On 17/12/11 16:19, Sune Vuorela wrote:
> > 
> >     $sel_q = "SELECT * FROM NewUser"
> >                       . " WHERE mail='" . $mail . "'"
> >                       . " AND uid='" . $uid . "'"
> >                       . " AND token='" . $token . "'"
> >                       . " ORDER BY token DESC LIMIT 0,1";
> 
> Thanks for having a look :)
> 
> Well, I perform a very strict validation before that query is made.
> Lines 20 - 54:
> 
> http://code.google.com/p/aguilas/source/browse/NewUserDo.php#20
> http://code.google.com/p/aguilas/source/browse/NewUserDo.php#54
> 
> You are still scared?
> 
I would be.  Bind variables exist for a reason.  Aside from that, your
validation of email addresses is wrong:

// Invalid e-mail
} elseif (preg_match("/\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*/", $mail) == 0) {

First off, there is nothing in the RFC that says that the email address
must start with a letter, which your regex requires.  In addition to
that, you do not allow other allowed special characters:

 !#$%&'*/=?^_`{|}~"(),:;<>@[\]

You also don't properly check for consecutive dots, so I could pass the
email a...b@foo.com and it passes your check, and still be wrong.

What you have done is reinvent the wheel, and badly at that.

If it were up to me, I would reject this package based on that one line
of code alone.
> 
> CODE IS POETRY
> 
I find it terribly ironic that you have that statement in your email
signature.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com




Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, "Luis Alejandro Martínez Faneyth" <martinez.faneyth@gmail.com>:
Bug#652464; Package wnpp. (Sat, 17 Dec 2011 23:36:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to martinez.faneyth@gmail.com:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org, "Luis Alejandro Martínez Faneyth" <martinez.faneyth@gmail.com>. (Sat, 17 Dec 2011 23:36:04 GMT) Full text and rfc822 format available.

Message #25 received at 652464@bugs.debian.org (full text, mbox):

From: Luis Alejandro Martínez Faneyth <martinez.faneyth@gmail.com>
To: Sune Vuorela <sune@debian.org>, 652464@bugs.debian.org, debian-devel@lists.debian.org
Subject: Re: Bug#652464: ITP: aguilas -- A web-based LDAP user management system
Date: Sat, 17 Dec 2011 19:02:35 -0430
On 17/12/11 18:24, Roberto C. Sánchez wrote:
> On Sat, Dec 17, 2011 at 06:08:35PM -0430, Luis Alejandro Martínez Faneyth wrote:
>> On 17/12/11 16:19, Sune Vuorela wrote:
>>>
>>>     $sel_q = "SELECT * FROM NewUser"
>>>                       . " WHERE mail='" . $mail . "'"
>>>                       . " AND uid='" . $uid . "'"
>>>                       . " AND token='" . $token . "'"
>>>                       . " ORDER BY token DESC LIMIT 0,1";
>>
>> Thanks for having a look :)
>>
>> Well, I perform a very strict validation before that query is made.
>> Lines 20 - 54:
>>
>> http://code.google.com/p/aguilas/source/browse/NewUserDo.php#20
>> http://code.google.com/p/aguilas/source/browse/NewUserDo.php#54
>>
>> You are still scared?
>>
> I would be.  Bind variables exist for a reason.  Aside from that, your
> validation of email addresses is wrong:
> 
> // Invalid e-mail
> } elseif (preg_match("/\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*/", $mail) == 0) {
> 
> First off, there is nothing in the RFC that says that the email address
> must start with a letter, which your regex requires.  In addition to
> that, you do not allow other allowed special characters:
> 
>  !#$%&'*/=?^_`{|}~"(),:;<>@[\]
> 
> You also don't properly check for consecutive dots, so I could pass the
> email a...b@foo.com and it passes your check, and still be wrong.

Thank you, I will correct that immediately.

> 
> What you have done is reinvent the wheel, and badly at that.

I couldn't find any other user friendly interface to manage user accounts
from an LDAP.

> 
> If it were up to me, I would reject this package based on that one line
> of code alone.
>>
>> CODE IS POETRY
>>
> I find it terribly ironic that you have that statement in your email
> signature.

Don't. It does not state that I'm a poetrician :)

> 
> Regards,
> 
> -Roberto
> 

-- 
With nothing more to add, and always at your service,


Luis Alejandro Martínez Faneyth
Telecommunications Engineer
Blog: http://www.huntingbears.com.ve/
Twitter: @LuisAlejandro
GPG Key = E78DAA2E


CODE IS POETRY




Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, "Luis Alejandro Martínez Faneyth" <martinez.faneyth@gmail.com>:
Bug#652464; Package wnpp. (Sat, 17 Dec 2011 23:39:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Josselin Mouette <joss@debian.org>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org, "Luis Alejandro Martínez Faneyth" <martinez.faneyth@gmail.com>. (Sat, 17 Dec 2011 23:39:03 GMT) Full text and rfc822 format available.

Message #30 received at 652464@bugs.debian.org (full text, mbox):

From: Josselin Mouette <joss@debian.org>
To: Luis Alejandro Martínez Faneyth <martinez.faneyth@gmail.com>
Cc: 652464@bugs.debian.org, debian-devel@lists.debian.org
Subject: Re: Bug#652464: ITP: aguilas -- A web-based LDAP user management system
Date: Sun, 18 Dec 2011 00:36:52 +0100
On Saturday 17 December 2011 at 18:08 -0430, Luis Alejandro Martínez
Faneyth wrote:
> >     $sel_q = "SELECT * FROM NewUser"
> >                       . " WHERE mail='" . $mail . "'"
> >                       . " AND uid='" . $uid . "'"
> >                       . " AND token='" . $token . "'"
> >                       . " ORDER BY token DESC LIMIT 0,1";

> You are still scared?

Yes. No such things in the Debian archive please.

-- 
 .''`.      Josselin Mouette
: :' :
`. `'  “If you behave this way because you are blackmailed by someone,
  `-    […] I will see what I can do for you.”  -- Jörg Schilling





Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, "Luis Alejandro Martínez Faneyth" <martinez.faneyth@gmail.com>:
Bug#652464; Package wnpp. (Sun, 18 Dec 2011 00:00:33 GMT) Full text and rfc822 format available.

Acknowledgement sent to Roberto C. Sánchez <roberto@connexer.com>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org, "Luis Alejandro Martínez Faneyth" <martinez.faneyth@gmail.com>. (Sun, 18 Dec 2011 00:00:33 GMT) Full text and rfc822 format available.

Message #35 received at 652464@bugs.debian.org (full text, mbox):

From: Roberto C. Sánchez <roberto@connexer.com>
To: Luis Alejandro Martínez Faneyth <martinez.faneyth@gmail.com>
Cc: 652464@bugs.debian.org, debian-devel@lists.debian.org
Subject: Re: Bug#652464: ITP: aguilas -- A web-based LDAP user management system
Date: Sat, 17 Dec 2011 18:56:56 -0500
[Message part 1 (text/plain, inline)]
On Sat, Dec 17, 2011 at 07:02:35PM -0430, Luis Alejandro Martínez Faneyth wrote:
> On 17/12/11 18:24, Roberto C. Sánchez wrote:
> > 
> > What you have done is reinvent the wheel, and badly at that.
> 
> I couldn't find any other user friendly interface to manage user accounts
> from an LDAP.
> 
I should have been more clear.  I was referring to the fact that there
are lots of proven ways to validate email addresses in PHP.  In fact,
you don't even need any external library, you can just use filter_var():

http://php.net/manual/en/filter.examples.validation.php

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
[signature.asc (application/pgp-signature, inline)]
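
Added example, not code from aguilas or from anyone in this thread: it runs the quoted regex and `filter_var()` over constructed addresses, then runs the quoted query shape and a bind-variable version against the same row, covering both the "bind variables" and the `filter_var()` messages above. Assumptions: an in-memory SQLite database stands in for the MySQL `NewUser` table, its three columns are taken from the quoted query, the row is constructed, and all function names are hypothetical.

```php
<?php
declare(strict_types=1);

// The e-mail check quoted in the thread, copied unchanged (it has no ^ or $ anchors).
const THREAD_REGEX = '/\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*/';

function passesThreadRegex(string $mail): bool
{
    return preg_match(THREAD_REGEX, $mail) === 1;
}

function passesFilterVar(string $mail): bool
{
    return filter_var($mail, FILTER_VALIDATE_EMAIL) !== false;
}

// Assumption: in-memory SQLite replaces MySQL; the row below is constructed.
function openDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE NewUser (mail TEXT, uid TEXT, token TEXT)');
    $ins = $db->prepare('INSERT INTO NewUser (mail, uid, token) VALUES (?, ?, ?)');
    $ins->execute(["o'brien@example.org", 'obrien', 'tok-constructed-1']);
    return $db;
}

// The query shape from the thread: values are pasted into the SQL text.
function findConcatenated(PDO $db, string $mail, string $uid, string $token): ?array
{
    $sel_q = "SELECT * FROM NewUser"
           . " WHERE mail='" . $mail . "'"
           . " AND uid='" . $uid . "'"
           . " AND token='" . $token . "'"
           . " ORDER BY token DESC LIMIT 0,1";
    $row = $db->query($sel_q)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Same lookup with bind variables: the SQL text is fixed, values travel separately.
function findBound(PDO $db, string $mail, string $uid, string $token): ?array
{
    $stmt = $db->prepare(
        'SELECT * FROM NewUser WHERE mail = :mail AND uid = :uid AND token = :token'
        . ' ORDER BY token DESC LIMIT 0,1'
    );
    $stmt->execute([':mail' => $mail, ':uid' => $uid, ':token' => $token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample addresses; the second one is the case named in the thread.
$samples = ['user@example.org', 'a...b@foo.com', "o'brien@example.org", 'not an address'];
foreach ($samples as $mail) {
    printf("%-22s regex=%-5s filter_var=%s\n", $mail,
        var_export(passesThreadRegex($mail), true),
        var_export(passesFilterVar($mail), true));
}

// An apostrophe is a legal local-part character, so validation alone cannot
// make the concatenated statement safe to build.
$db = openDemoDb();
$mail = "o'brien@example.org";
try {
    findConcatenated($db, $mail, 'obrien', 'tok-constructed-1');
    echo "concatenated: query ran\n";
} catch (PDOException $e) {
    echo "concatenated: statement no longer parses as written\n";
}
$row = findBound($db, $mail, 'obrien', 'tok-constructed-1');
echo 'bound: ', $row === null ? 'no row' : 'found uid ' . $row['uid'], "\n";
```

Because the quoted regex is unanchored, it accepts any string that merely contains an address-like substring, which is why input validation of this kind does not substitute for bound parameters.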

Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, "Luis Alejandro Martínez Faneyth" <martinez.faneyth@gmail.com>:
Bug#652464; Package wnpp. (Tue, 03 Jan 2012 16:33:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to luis@huntingbears.com.ve:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org, "Luis Alejandro Martínez Faneyth" <martinez.faneyth@gmail.com>. (Tue, 03 Jan 2012 16:33:05 GMT) Full text and rfc822 format available.

Message #40 received at 652464@bugs.debian.org (full text, mbox):

From: Luis Alejandro Martínez Faneyth <luis@huntingbears.com.ve>
To: 652464@bugs.debian.org
Subject: Question
Date: Tue, 03 Jan 2012 11:41:30 -0430
[Message part 1 (text/plain, inline)]
So, after I correct all these issues, should I fill in another ITP?

-- 
Luis Alejandro Martínez Faneyth
Blog: http://www.huntingbears.com.ve/
Twitter/Identi.ca: @LuisAlejandro
ED51 8FE7 4107 715D 0464  8366 F614 5A95 E78D AA2E


CODE IS POETRY

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, "Luis Alejandro Martínez Faneyth" <martinez.faneyth@gmail.com>:
Bug#652464; Package wnpp. (Thu, 05 Jan 2012 23:45:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to martinez.faneyth@gmail.com:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org, "Luis Alejandro Martínez Faneyth" <martinez.faneyth@gmail.com>. (Thu, 05 Jan 2012 23:45:03 GMT) Full text and rfc822 format available.

Message #45 received at 652464@bugs.debian.org (full text, mbox):

From: Luis Alejandro Martínez Faneyth <martinez.faneyth@gmail.com>
To: Sune Vuorela <sune@debian.org>, 652464@bugs.debian.org, debian-devel@lists.debian.org
Subject: Re: Bug#652464: ITP: aguilas -- A web-based LDAP user management system
Date: Thu, 05 Jan 2012 19:10:39 -0430
[Message part 1 (text/plain, inline)]
After I correct all these issues, should I fill in another ITP?

On 17/12/11 18:24, Roberto C. Sánchez wrote:
> On Sat, Dec 17, 2011 at 06:08:35PM -0430, Luis Alejandro Martínez Faneyth wrote:
>> On 17/12/11 16:19, Sune Vuorela wrote:
>>>
>>>     $sel_q = "SELECT * FROM NewUser"
>>>                       . " WHERE mail='" . $mail . "'"
>>>                       . " AND uid='" . $uid . "'"
>>>                       . " AND token='" . $token . "'"
>>>                       . " ORDER BY token DESC LIMIT 0,1";
>>
>> Thanks for having a look :)
>>
>> Well, I perform a very strict validation before that query is made.
>> Lines 20 - 54:
>>
>> http://code.google.com/p/aguilas/source/browse/NewUserDo.php#20
>> http://code.google.com/p/aguilas/source/browse/NewUserDo.php#54
>>
>> You are still scared?
>>
> I would be.  Bind variables exist for a reason.  Aside from that, your
> validation of email addresses is wrong:
> 
> // Invalid e-mail
> } elseif (preg_match("/\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*/", $mail) == 0) {
> 
> First off, there is nothing in the RFC that says that the email address
> must start with a letter, which your regex requires.  In addition to
> that, you do not allow other allowed special characters:
> 
>  !#$%&'*/=?^_`{|}~"(),:;<>@[\]
> 
> You also don't properly check for consecutive dots, so I could pass the
> email a...b@foo.com and it passes your check, and still be wrong.
> 
> What you have done is reinvent the wheel, and badly at that.
> 
> If it were up to me, I would reject this package based on that one line
> of code alone.
>>
>> CODE IS POETRY
>>
> I find it terribly ironic that you have that statement in your email
> signature.
> 
> Regards,
> 
> -Roberto
> 

-- 
Luis Alejandro Martínez Faneyth
Blog: http://www.huntingbears.com.ve/
Twitter/Identi.ca: @LuisAlejandro
ED51 8FE7 4107 715D 0464  8366 F614 5A95 E78D AA2E


CODE IS POETRY

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, "Luis Alejandro Martínez Faneyth" <martinez.faneyth@gmail.com>:
Bug#652464; Package wnpp. (Fri, 06 Jan 2012 02:27:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Martin Bagge / brother <brother@bsnet.se>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org, "Luis Alejandro Martínez Faneyth" <martinez.faneyth@gmail.com>. (Fri, 06 Jan 2012 02:27:03 GMT) Full text and rfc822 format available.

Message #50 received at 652464@bugs.debian.org (full text, mbox):

From: Martin Bagge / brother <brother@bsnet.se>
To: Luis Alejandro Martínez Faneyth <martinez.faneyth@gmail.com>
Cc: 652464@bugs.debian.org, debian-devel@lists.debian.org
Subject: Re: Bug#652464: ITP: aguilas -- A web-based LDAP user management system
Date: Fri, 6 Jan 2012 03:18:46 +0100 (CET)
On Thu, 5 Jan 2012, Luis Alejandro Martínez Faneyth wrote:

> After I correct all these issues, should I fill in another ITP?

No. Update the current one.

-- 
/brother
http://martin.bagge.nu
Bruce Schneier doesn't keep secrets -- they keep themselves out of fear.




Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, "Luis Alejandro Martínez Faneyth" <martinez.faneyth@gmail.com>:
Bug#652464; Package wnpp. (Sat, 11 Feb 2012 17:21:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to luis@huntingbears.com.ve:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org, "Luis Alejandro Martínez Faneyth" <martinez.faneyth@gmail.com>. (Sat, 11 Feb 2012 17:21:03 GMT) Full text and rfc822 format available.

Message #55 received at 652464@bugs.debian.org (full text, mbox):

From: Luis Alejandro Martínez Faneyth <luis@huntingbears.com.ve>
Cc: Luis Alejandro Martínez Faneyth <martinez.faneyth@gmail.com>, 652464@bugs.debian.org, debian-devel@lists.debian.org, debian-mentors@lists.debian.org
Subject: Re: Bug#652464: ITP: aguilas -- A web-based LDAP user management system
Date: Sat, 11 Feb 2012 12:29:23 -0430
[Message part 1 (text/plain, inline)]
Hi,

I would like to update this ITP:

 * I'm no longer using martinez.faneyth [at] gmail.com. From now on I
will use luis [at] huntingbears.com.ve for all my Debian contributions.
(Is there an easy way of changing this bug's owner?)

 * The application has received the following improvements:
	- Fixed SQL Injection vulnerability.
	- Prevented direct loading of libraries.
	- Included documentation.
	- Automated maintainer tasks through Makefile.

 * The Debian packaging has the following properties:
	- Automatic configuration of database through dbconfig-common.
	- Automatic configuration of webservers (apache, lighttpd).
	- Debconf interface for filling in Aguilas configuration.
	- English and Spanish l10n for debconf templates (for now).

 * I already packaged aguilas and it is waiting for a sponsor [1].

 * Since upstream changed, the version that I filled in for the ITP
(1.0.0) is no longer the same as the one I packaged (1.0.1-1), so (I guess) this
ticket won't close with this upload.

Greetings!

--
[1]http://mentors.debian.net/package/aguilas
--

On 05/01/12 21:48, Martin Bagge / brother wrote:
> On Thu, 5 Jan 2012, Luis Alejandro Martínez Faneyth wrote:
> 
>> After I correct all these issues, should I fill in another ITP?
> 
> No. Update the current one.
> 

-- 
Luis Alejandro Martínez Faneyth
Blog: http://www.huntingbears.com.ve/
Twitter/Identi.ca: @LuisAlejandro
ED51 8FE7 4107 715D 0464  8366 F614 5A95 E78D AA2E


CODE IS POETRY

[signature.asc (application/pgp-signature, attachment)]

Owner changed from "Luis Alejandro Martínez Faneyth" <martinez.faneyth@gmail.com> to luis@huntingbears.com.ve. Request was from Luis Alejandro Martínez Faneyth <martinez.faneyth@gmail.com> to control@bugs.debian.org. (Sat, 11 Feb 2012 17:33:09 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org:
Bug#652464; Package wnpp. (Sat, 11 Feb 2012 17:45:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to luis@huntingbears.com.ve:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org. (Sat, 11 Feb 2012 17:45:03 GMT) Full text and rfc822 format available.

Message #62 received at 652464@bugs.debian.org (full text, mbox):

From: Luis Alejandro Martínez Faneyth <luis@huntingbears.com.ve>
To: 652464@bugs.debian.org
Subject: Re: Bug#652464: ITP: aguilas -- A web-based LDAP user management system
Date: Sat, 11 Feb 2012 13:08:58 -0430
[Message part 1 (text/plain, inline)]
Done, changed owner.

On 05/01/12 19:10, Luis Alejandro Martínez Faneyth wrote:
> After I correct all these issues, should I fill in another ITP?
> 
> On 17/12/11 18:24, Roberto C. Sánchez wrote:
>> On Sat, Dec 17, 2011 at 06:08:35PM -0430, Luis Alejandro Martínez Faneyth wrote:
>>> On 17/12/11 16:19, Sune Vuorela wrote:
>>>>
>>>>     $sel_q = "SELECT * FROM NewUser"
>>>>                       . " WHERE mail='" . $mail . "'"
>>>>                       . " AND uid='" . $uid . "'"
>>>>                       . " AND token='" . $token . "'"
>>>>                       . " ORDER BY token DESC LIMIT 0,1";
>>>
>>> Thanks for having a look :)
>>>
>>> Well, I perform a very strict validation before that query is made.
>>> Lines 20 - 54:
>>>
>>> http://code.google.com/p/aguilas/source/browse/NewUserDo.php#20
>>> http://code.google.com/p/aguilas/source/browse/NewUserDo.php#54
>>>
>>> You are still scared?
>>>
>> I would be.  Bind variables exist for a reason.  Aside from that, your
>> validation of email addresses is wrong:
>>
>> // Invalid e-mail
>> } elseif (preg_match("/\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*/", $mail) == 0) {
>>
>> First off, there is nothing in the RFC that says that the email address
>> must start with a letter, which your regex requires.  In addition to
>> that, you do not allow other allowed special characters:
>>
>>  !#$%&'*/=?^_`{|}~"(),:;<>@[\]
>>
>> You also don't properly check for consecutive dots, so I could pass the
>> email a...b@foo.com and it passes your check, and still be wrong.
>>
>> What you have done is reinvent the wheel, and badly at that.
>>
>> If it were up to me, I would reject this package based on that one line
>> of code alone.
>>>
>>> CODE IS POETRY
>>>
>> I find it terribly ironic that you have that statement in your email
>> signature.
>>
>> Regards,
>>
>> -Roberto
>>
> 

-- 
Luis Alejandro Martínez Faneyth
Blog: http://www.huntingbears.com.ve/
Twitter/Identi.ca: @LuisAlejandro
ED51 8FE7 4107 715D 0464  8366 F614 5A95 E78D AA2E


CODE IS POETRY

[signature.asc (application/pgp-signature, attachment)]

Added blocking bug(s) of 652464: 659805 Request was from Benoît Knecht <benoit.knecht@fsfe.org> to control@bugs.debian.org. (Mon, 20 Feb 2012 20:00:13 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, luis@huntingbears.com.ve:
Bug#652464; Package wnpp. (Mon, 27 May 2013 14:18:56 GMT) Full text and rfc822 format available.

Acknowledgement sent to Lucas Nussbaum <lucas@debian.org>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org, luis@huntingbears.com.ve. (Mon, 27 May 2013 14:18:56 GMT) Full text and rfc822 format available.

Message #69 received at 652464@bugs.debian.org (full text, mbox):

From: Lucas Nussbaum <lucas@debian.org>
To: 652464@bugs.debian.org
Cc: control@bugs.debian.org
Subject: aguilas: changing back from ITP to RFP
Date: Mon, 27 May 2013 15:24:17 +0200
retitle 652464 RFP: aguilas -- A web-based LDAP user management system
noowner 652464
tag 652464 - pending
thanks

Hi,

This is an automatic email to change the status of aguilas back from ITP
(Intent to Package) to RFP (Request for Package), because this bug hasn't seen
any activity during the last 12 months.

If you are still interested in adopting aguilas, please send a mail to
<control@bugs.debian.org> with:

 retitle 652464 ITP: aguilas -- A web-based LDAP user management system
 owner 652464 !
 thanks

However, it is not recommended to keep ITP for a long time without acting on
the package, as it might cause other prospective maintainers to refrain from
packaging that software. It is also a good idea to document your progress on
this ITP from time to time, by mailing <652464@bugs.debian.org>.

Thank you for your interest in Debian,
-- 
Lucas, for the QA team <debian-qa@lists.debian.org>



Changed Bug title to 'RFP: aguilas -- A web-based LDAP user management system' from 'ITP: aguilas -- A web-based LDAP user management system' Request was from Lucas Nussbaum <lucas@debian.org> to control@bugs.debian.org. (Mon, 27 May 2013 14:38:53 GMT) Full text and rfc822 format available.

Removed annotation that Bug was owned by luis@huntingbears.com.ve. Request was from Lucas Nussbaum <lucas@debian.org> to control@bugs.debian.org. (Mon, 27 May 2013 14:38:54 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 21:01:33 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.