[aur-dev] [PATCH v2] Fake pkgbase actions for unconfirmed users

Lukas Fleischer lfleischer at archlinux.org
Fri Jun 26 21:50:21 UTC 2015

On Fri, 26 Jun 2015 at 23:40:26, Gordian Edenhofer wrote:
> [...]
> I forgot that I used $_REQUEST, I though that it was $_POST. My bad!
> Though if I think of it, it just might be a good idea to switch to
> $_POST since then $_GET parameters like "?refer" would not be
> concidered and only $_SERVER['HTTP_REFERER'] or a POST "referer" would
> be accepted. Shell I submit another patch for that or is the gain in
> security negligible?

I would say it is negligible. Let's take advantage of this now to
implement the redirection as I suggested. We need to fix the security
issues properly in another patch series in any case.

> [...]
> Flagging, voting, notifying and adopting a package is all done through
> POST requests AFAIK. Deleting or merging a package is not even
> available for unauthenticated users.
> Hence a malicious URL would not flag a package since the corresponding
> variable is not set.

Yeah, you're right. We also use a CSRF token in most places. It should
be implemented properly at some point anyway.

More information about the aur-dev mailing list