On Fri, 26 Jun 2015 at 23:40:26, Gordian Edenhofer wrote:
[...] I forgot that I used $_REQUEST, I thought that it was $_POST. My bad! Though if I think of it, it just might be a good idea to switch to $_POST since then $_GET parameters like "?refer" would not be considered and only $_SERVER['HTTP_REFERER'] or a POST "referer" would be accepted. Shall I submit another patch for that or is the gain in security negligible?
I would say it is negligible. Let's take advantage of this now to implement the redirection as I suggested. We need to fix the security issues properly in another patch series in any case.
[...] Flagging, voting, notifying and adopting a package is all done through POST requests AFAIK. Deleting or merging a package is not even available for unauthenticated users. Hence a malicious URL would not flag a package since the corresponding variable is not set.
Yeah, you're right. We also use a CSRF token in most places. It should be implemented properly at some point anyway.
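The $_REQUEST versus $_POST point discussed in this thread, as an added example that is not part of the original messages and is not aurweb code: the redirect target is read only from the POST body or the Referer header, never from the query string. The function name, the `$ownHost` parameter, the same-host check (which goes beyond what the thread proposes) and the sample values are assumptions made for illustration.

```php
<?php
// Added example, not aurweb code. redirect_target(), $ownHost and the
// sample inputs below are hypothetical and constructed for illustration.

/**
 * Choose where to send the user after a POST action.
 * Sources: POST "referer", then the Referer header. $_GET / $_REQUEST are
 * never consulted, so a crafted "?referer=..." link has no effect.
 */
function redirect_target(array $post, array $server, string $ownHost, string $fallback = '/'): string
{
    $candidate = $post['referer'] ?? $server['HTTP_REFERER'] ?? '';
    // Reject non-strings (e.g. referer[]=x), empty values, control
    // characters (header injection) and backslashes.
    if (!is_string($candidate) || $candidate === ''
        || preg_match('/[\x00-\x1f\x7f\\\\]/', $candidate)) {
        return $fallback;
    }
    if ($candidate[0] !== '/') {
        // Absolute URL: accept only http(s) on our own host, then reduce
        // it to a site-relative path so the host can never be changed.
        $parts = parse_url($candidate);
        if ($parts === false
            || !in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)
            || strcasecmp($parts['host'] ?? '', $ownHost) !== 0) {
            return $fallback;
        }
        $candidate = ($parts['path'] ?? '/')
            . (isset($parts['query']) ? '?' . $parts['query'] : '');
    }
    // "//host/..." is scheme-relative and would leave the site.
    return strncmp($candidate, '//', 2) === 0 ? $fallback : $candidate;
}

// Constructed sample requests: [POST body, server variables].
$own = 'aur.example.org';
$cases = [
    [['referer' => '/packages/foo/'], []],
    [[], ['HTTP_REFERER' => 'https://aur.example.org/packages/?K=foo']],
    [['referer' => 'https://evil.example/login'], []],
    [['referer' => '//evil.example/x'], []],
];
foreach ($cases as [$post, $server]) {
    echo redirect_target($post, $server, $own), "\n";
}
```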