[aur-dev] [HEADS-UP] Breaking AUR helpers

Stefan Husmann stefan-husmann at t-online.de
Sun Jun 24 12:47:09 EDT 2012

Am 24.06.2012 18:39, schrieb Dave Reisner:
> On Sun, Jun 24, 2012 at 06:33:31PM +0200, Stefan Husmann wrote:
>> Am 24.06.2012 16:55, schrieb Lukas Fleischer:
>>> Hi!
>>> I just wanted to let everybody know that I'm about to apply a patch to
>>> our AUR setup that fixes some CSRF vulnerabilities. This will probably
>>> break most (all?) AUR helpers (mis)using the AUR HTML interface. AUR
>>> helpers, that only make use of the RPC interface, won't be affected.
>>> I recommend using the web interface until the affected programs are
>>> fixed.
>> When will this happen? Shouldn't it be announced on archlinux.org or language specific counterparts?
>> Regards Stefan
> It's already happened. Uploaders who don't cope with this will see an
> error:
>    Invalid token for user action.
> Yes, it would have been nice to see a little more lead time on this but
> honestly the change isn't really so severe.
> d
So I guess, burp's new version already reflects this?

More information about the aur-dev mailing list