[aur-general] Upgraded AUR to 1.8.0

Lukas Fleischer archlinux at cryptocrack.de
Mon Feb 21 06:19:08 EST 2011


On Mon, Feb 21, 2011 at 11:55:59AM +0100, Dieter Plaetinck wrote:
> On Mon, 21 Feb 2011 11:37:18 +0100
> Lukas Fleischer <archlinux at cryptocrack.de> wrote:
> 
> > On Mon, Feb 21, 2011 at 11:08:05AM +0100, Dieter Plaetinck wrote:
> > > what's the reasoning behind no longer showing all files in the
> > > "source package"? I found this feature quite useful.
> > 
> > There were several vulnerabilities with the automatic tarball
> > extraction. Think of "tarball bombs" (as in "ZIP bombs"). Think of
> > what happens when a source tarball that contains a symlink to
> > "/etc/passwd" is uploaded (and the web server isn't chrooted). Just
> > to give two simple samples.
> 
> Hmm.. would it be that much work to make the AUR code/installation
> more secure, rather than just dropping the functionality? Just asking...

We'd have to:

* Ensure that there are no CGI handlers in the incoming package dir
  (that was already the case).

* Maintain a patched branch of Archive::Tar that disables the extraction
  of symlinks (optionally: make upstream include such a feature in
  mainline).

* Add some code that calculates the total size of extracted files before
  accepting it.

* Do all that in a way that can't be used to DoS the server.

> > Moreover, I've heard of some encoding issues with users just
> > copy-pasting files from the AUR frontend.
> 
> This is kind of vague. "encoding issues"... issues at AUR side or client
> side? If the former, that would be a bug that could get fixed.

I'm not sure. Probably both. It's obvious that if you copy and paste
something from your browser, it won't be exactly the same as in the
original tarball.

> > Generally, everyone should download and use the tarballs to build packages.
> 
> Yes, but I'm not talking about building packages, I'm talking about
> getting a quick idea of what the package contains and how it gets
> built/installed. For that, the "files" preview was very useful.

How often do you do that? Why don't you just download the tarball and
check its contents? I also can't imagine a lot of cases where the
PKGBUILD preview doesn't give you an idea of what a package does.

If there really is need for such a thing, I'd also say this is something
to do on the client side. AUR helpers might want to implement this. Or
you can just check the cgit interface of the unofficial Git clone of the
AUR [1].

[1] http://pkgbuild.com/git/aur.git/
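The checks listed above (reject symlinks, bound the total extracted size, refuse the upload before anything is written), as an added illustration that is not AUR code and uses Python's tarfile rather than a patched Archive::Tar; the size and member caps are assumed policy values, and the sample archives are constructed in memory.

```python
import io
import os
import tarfile

# Policy values are assumptions for this example, not the AUR's own limits.
MAX_TOTAL_BYTES = 64 * 1024 * 1024
MAX_MEMBERS = 2000

def audit_tarball(data, max_total=MAX_TOTAL_BYTES, max_members=MAX_MEMBERS):
    """Inspect tar headers only and return (accepted, reason, declared_bytes).

    Rejects link entries (so a symlink to /etc/passwd never lands under the web
    root), device/FIFO entries, paths that escape the target directory, and
    archives whose declared size or member count exceeds the cap. Nothing is
    written to disk; the upload size itself must still be capped separately.
    """
    total = 0
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            for count, member in enumerate(tar, start=1):
                if count > max_members:
                    return False, "too many members", total
                if member.issym() or member.islnk():
                    return False, "link entry: %s -> %s" % (member.name, member.linkname), total
                if not (member.isfile() or member.isdir()):
                    return False, "special file: %s" % member.name, total
                clean = os.path.normpath(member.name)
                if os.path.isabs(clean) or clean == ".." or clean.startswith("../"):
                    return False, "path escapes target dir: %s" % member.name, total
                total += member.size  # declared size, summed before any extraction
                if total > max_total:
                    return False, "declared size %d exceeds cap" % total, total
    except tarfile.TarError as exc:
        return False, "malformed archive: %s" % exc, total
    return True, "ok", total

def build_tar(entries):
    """Constructed sample: (name, bytes) adds a file, (name, None, target) a symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for entry in entries:
            info = tarfile.TarInfo(entry[0])
            if entry[1] is None:
                info.type, info.linkname = tarfile.SYMTYPE, entry[2]
                tar.addfile(info)
            else:
                info.size = len(entry[1])
                tar.addfile(info, io.BytesIO(entry[1]))
    return buf.getvalue()
```

Only an archive that passes audit_tarball should ever reach an extraction step, and the audit reads declared sizes from the headers, so a bomb is refused without inflating it onto disk.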
