[aur-dev] [HEADS-UP] Breaking AUR helpers

Dave Reisner d at falconindy.com
Sun Jun 24 12:53:07 EDT 2012


On Sun, Jun 24, 2012 at 06:47:09PM +0200, Stefan Husmann wrote:
> On 24.06.2012 18:39, Dave Reisner wrote:
> >On Sun, Jun 24, 2012 at 06:33:31PM +0200, Stefan Husmann wrote:
> >>On 24.06.2012 16:55, Lukas Fleischer wrote:
> >>>Hi!
> >>>
> >>>I just wanted to let everybody know that I'm about to apply a patch to
> >>>our AUR setup that fixes some CSRF vulnerabilities. This will probably
> >>>break most (all?) AUR helpers (mis)using the AUR HTML interface. AUR
> >>>helpers, that only make use of the RPC interface, won't be affected.
> >>>
> >>>I recommend using the web interface until the affected programs are
> >>>fixed.
> >>When will this happen? Shouldn't it be announced on archlinux.org or language-specific counterparts?
> >>
> >>Regards Stefan
> >>
> >It's already happened. Uploaders who don't cope with this will see an
> >error:
> >
> >   Invalid token for user action.
> >
> >Yes, it would have been nice to see a little more lead time on this but
> >honestly the change isn't really so severe.
> >
> >d
> So I guess, burp's new version already reflects this?
> 

Yep. 1.6.9 sends the extra authentication token needed for this change.

