[arch-devops] Fwd: Access to aur.git via git-recieve-pack

Eli Schwartz eschwartz at archlinux.org
Mon Oct 28 03:10:33 UTC 2019

On 10/27/19 10:57 PM, Justin Capella via arch-devops wrote:
> I think maybe this isn't meant to be accessed directly, and possibly
> may allow for large data amplification and high server load,
> intentional or otherwise.
> https://aur.archlinux.org/cgit/aur.git/info/refs?service=git-recieve-pack&h=aur

Any cgit repository has the url
https://aur.archlinux.org/cgit/aur.git/refs, the important addition here
is ?h=aur

Our cgit instance is patched to not include the list of all refs ever in
the HTML output, because that results in positively huge page sizes for
users. I don't believe there was any security concern involved...

Anyway you can get the same list from https://aur.archlinux.org/pkgbase.gz

Eli Schwartz
Bug Wrangler and Trusted User

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1601 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-devops/attachments/20191027/7bc299fe/attachment.sig>

More information about the arch-devops mailing list