28 Oct 2019, 5:10 a.m.
On 10/27/19 10:57 PM, Justin Capella via arch-devops wrote:
> I think maybe this isn't meant to be accessed directly, and possibly may allow for large data amplification and high server load, intentional or otherwise.
>
> https://aur.archlinux.org/cgit/aur.git/info/refs?service=git-recieve-pack&h=aur
Any cgit repository has the url https://aur.archlinux.org/cgit/aur.git/refs, the important addition here is ?h=aur

Our cgit instance is patched to not include the list of all refs ever in the HTML output, because that results in positively huge page sizes for users. I don't believe there was any security concern involved...

Anyway you can get the same list from https://aur.archlinux.org/pkgbase.gz

--
Eli Schwartz
Bug Wrangler and Trusted User