[arch-devops] Fwd: Access to aur.git via git-recieve-pack
I think maybe this isn't meant to be accessed directly, and possibly may allow for large data amplification and high server load, intentional or otherwise. https://aur.archlinux.org/cgit/aur.git/info/refs?service=git-recieve-pack&h=aur
On 10/27/19 10:57 PM, Justin Capella via arch-devops wrote:
I think maybe this isn't meant to be accessed directly, and possibly may allow for large data amplification and high server load, intentional or otherwise.
https://aur.archlinux.org/cgit/aur.git/info/refs?service=git-recieve-pack&h=aur
Any cgit repository has the url https://aur.archlinux.org/cgit/aur.git/refs, the important addition here is ?h=aur Our cgit instance is patched to not include the list of all refs ever in the HTML output, because that results in positively huge page sizes for users. I don't believe there was any security concern involved... Anyway you can get the same list from https://aur.archlinux.org/pkgbase.gz -- Eli Schwartz Bug Wrangler and Trusted User
On 10/27/19 11:10 PM, Eli Schwartz wrote:
Any cgit repository has the url https://aur.archlinux.org/cgit/aur.git/refs, the important addition here is ?h=aur
Also note that any valid pkgname would work to get you into the unlisted /refs page -- which is part of the documented cgit interface on every other cgit -- and that "aur" just happens to be the name of a package, although said package was just a pretty sad try at an AUR helper and not something interesting like a package to deploy the aur website. -- Eli Schwartz Bug Wrangler and Trusted User
participants (2)
-
Eli Schwartz
-
Justin Capella