[aur-general] Securing the AUR website

Seblu seblu at seblu.net
Sat Aug 6 07:46:31 EDT 2011


On Sat, Aug 6, 2011 at 1:13 PM, Lukas Fleischer
<archlinux at cryptocrack.de> wrote:
> On Sat, Aug 06, 2011 at 01:02:03PM +0200, Thomas Bächler wrote:
>> Am 05.08.2011 23:54, schrieb Lukas Fleischer:
>> > [1] http://projects.archlinux.org/aur.git/commit/?id=1e7b9d57
>> > [2] http://projects.archlinux.org/aur.git/commit/?id=5ea9fc19
>> > [3] http://projects.archlinux.org/aur.git/commit/?id=973e4f85
>> > [4] http://projects.archlinux.org/aur.git/commit/?id=89721137
>>
>> Those commits are nothing but a charade. The very least you must do is this:
>>
>> 1) ALWAYS force a redirect to https on the AUR login page, never allow
>> the login to be submitted unencrypted.
>
> Thought about that. The problem is that there currently isn't a separate
> login page. Maybe removing the overall login form and creating a
> separate page for that will make things easier.
You can also use the HTTPS context exported by your web server.

if https => redirect 302 to https
else login form.

    // $_SERVER['HTTPS'] is unset on plain HTTP (and "off" on some IIS setups)
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
        $url = "https://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
        header('Location: ' . $url, true, 302); // PHP has no built-in redirect()
        exit;
    }

-- 
Sébastien Luttringer
www.seblu.net
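A fuller version of the redirect-to-HTTPS check discussed in this thread, added here as an example rather than code from the AUR project or from any poster. It keeps the decision logic in a pure function so it can be unit-tested, treats a missing or "off" HTTPS variable as plain HTTP, optionally honours X-Forwarded-Proto when a TLS-terminating proxy sits in front of PHP, and refuses to copy an arbitrary Host header into the Location response (a forged Host would otherwise turn the redirect into an open redirect). The function names, the `ALLOWED_HOSTS` list and the `$trust_proxy` flag are assumptions for this example.

```php
<?php
// Added example (not AUR code): force the login page onto HTTPS safely.

// Hosts this site legitimately answers for. The first entry is the
// canonical name used when the request's Host header is not recognised.
const ALLOWED_HOSTS = ['aur.archlinux.org'];

// True when the request arrived over TLS. Apache/nginx leave HTTPS unset
// on plain HTTP; some servers set it to "off". Behind a reverse proxy the
// scheme only survives in X-Forwarded-Proto, so trust that header only
// when the proxy is known to overwrite it ($trust_proxy).
function request_is_https(array $server, bool $trust_proxy = false): bool
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    if ($trust_proxy && isset($server['HTTP_X_FORWARDED_PROTO'])) {
        return strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https';
    }
    return false;
}

// Returns the https:// URL to send the client to, or null when the
// request is already encrypted. The host is taken from the allowlist,
// never blindly from the Host header, and the path must be site-relative.
function https_redirect_target(array $server, bool $trust_proxy = false): ?string
{
    if (request_is_https($server, $trust_proxy)) {
        return null;
    }
    $host = strtolower($server['HTTP_HOST'] ?? '');
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        $host = ALLOWED_HOSTS[0];
    }
    $uri = $server['REQUEST_URI'] ?? '/';
    // A protocol-relative "//evil.example" or a non-absolute path would let
    // the browser leave our origin; fall back to the site root in that case.
    if ($uri === '' || $uri[0] !== '/' || substr($uri, 0, 2) === '//') {
        $uri = '/';
    }
    return 'https://' . $host . $uri;
}

// Glue for the login page: redirect, or fall through to rendering the form.
function enforce_https_for_login(array $server, bool $trust_proxy = false): void
{
    $target = https_redirect_target($server, $trust_proxy);
    if ($target !== null) {
        header('Location: ' . $target, true, 302);
        exit;
    }
    // Already on HTTPS: pin browsers to it and keep the session cookie off
    // plain HTTP so the redirect cannot be bypassed by a cached http:// link.
    header('Strict-Transport-Security: max-age=31536000');
    ini_set('session.cookie_secure', '1');
}

// Sanity check on constructed request environments (not real AUR traffic):
$plain = ['HTTP_HOST' => 'aur.archlinux.org', 'REQUEST_URI' => '/login/?foo=1'];
assert(https_redirect_target($plain) === 'https://aur.archlinux.org/login/?foo=1');
$forged = ['HTTP_HOST' => 'attacker.example', 'REQUEST_URI' => '//attacker.example/'];
assert(https_redirect_target($forged) === 'https://aur.archlinux.org/');
$tls = ['HTTPS' => 'on', 'HTTP_HOST' => 'aur.archlinux.org', 'REQUEST_URI' => '/login/'];
assert(https_redirect_target($tls) === null);
$proxied = ['HTTP_X_FORWARDED_PROTO' => 'https', 'HTTP_HOST' => 'aur.archlinux.org', 'REQUEST_URI' => '/login/'];
assert(https_redirect_target($proxied) === null);       // proxy header honoured
assert(https_redirect_target($proxied, true) === null);
assert(https_redirect_target($proxied, false) === 'https://aur.archlinux.org/login/');
```

Call `enforce_https_for_login($_SERVER)` (or with `true` as the second argument when nginx or Apache in front of PHP is the TLS endpoint) at the top of the login handler, before any output. Keeping `https_redirect_target` free of `header()`/`exit` is what makes the asserts at the bottom possible; the unrecognised-Host case deliberately redirects to the canonical host rather than serving the form over HTTP.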