[aur-general] Securing the AUR website

Thomas Bächler thomas at archlinux.org
Mon Sep 5 09:01:03 EDT 2011


Am 05.09.2011 14:51, schrieb Lukas Fleischer:
> On Mon, Sep 05, 2011 at 02:44:29PM +0200, Thomas Bächler wrote:
>> Am 03.09.2011 17:49, schrieb Gordon JC Pearce:
>>> The other is that switching to https has left AUR in a fundamentally broken state.  If you search for a package on AUR with any of the significant search engines, they return an http link.  You can't do anything with this, though, because *even if you're logged in* you get the "ZOMG OH NOES YOU AREN'T USING HTTPS AND HTTPS IS TEH AWSUM!!!!11!!11!" message.
>>> Now, if clicking on that took you *to the same page but with https* that would be fine, but it doesn't.  It unceremoniously dumps you on the index page for AUR, with no way to get back to the package that you googled.
>>
>> This is a detail you could have shared in your first post and this
>> discussion would have been a lot shorter. This is a bug, it belongs to
>> the bugtracker and it is (as far as I can see) trivial to fix.
>>
> 
> Do not open another ticket, please. There's FS#25757 [1] already and I
> sent a patch addressing that bug to aur-dev [2]. I will push that and
> update our live setup as soon as I get round to it.
> 
> [1] https://bugs.archlinux.org/task/25757
> [2] http://mailman.archlinux.org/pipermail/aur-dev/2011-August/001864.html

No point in sending the patch I just created then (there wasn't anything in
aur.git). While looking at it, I noticed that in the action="..." of the
login form, there should also be htmlentities or similar around
$_SERVER['REQUEST_URI'].

Thanks anyway.
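Two points in this thread lend themselves to a worked example: the redirect that dumps visitors on the index page instead of the HTTPS version of the page they requested, and Thomas's remark that $_SERVER['REQUEST_URI'] must be escaped before it is placed in the login form's action attribute. The PHP below is an added illustration, not code from aur.git or from the patch referenced in FS#25757; CANONICAL_HOST, the form field names and the sample URI are placeholders chosen for the example.

```php
<?php
// Added illustration, not code from aur.git or from the patch discussed above.
// CANONICAL_HOST is a placeholder; a real deployment uses its own host name.
const CANONICAL_HOST = 'aur.example.org';

// Turn the URI of a plain-HTTP request into the HTTPS URL of the *same* page,
// so a visitor arriving from a search engine is not dumped on the index page.
function https_redirect_target(string $requestUri): string
{
    // Accept only an absolute path. A scheme-relative "//host/..." or a full
    // URL is replaced by "/" so the redirect can never point off-site.
    if ($requestUri === '' || $requestUri[0] !== '/' || substr($requestUri, 0, 2) === '//') {
        $requestUri = '/';
    }
    // Use a fixed host rather than echoing the client-supplied Host header.
    return 'https://' . CANONICAL_HOST . $requestUri;
}

// Call at the top of every page: redirect to HTTPS, preserving path and query.
function enforce_https(): void
{
    $isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    if (!$isHttps) {
        header('Location: ' . https_redirect_target($_SERVER['REQUEST_URI'] ?? '/'), true, 301);
        exit;
    }
}

// The defect Thomas points out: REQUEST_URI is client-controlled (it is the
// path and query string the browser sent), so placing it raw inside a quoted
// attribute lets a double quote end the attribute and inject further markup.
function login_form_vulnerable(string $requestUri): string
{
    return '<form method="post" action="' . $requestUri . '">' . "\n"
         . '  <input type="text" name="user"> <input type="password" name="passwd">' . "\n"
         . '  <input type="submit" value="Login">' . "\n"
         . '</form>';
}

// Hardened form: escape for an HTML attribute context. ENT_QUOTES ensures both
// " and ' are encoded; htmlentities() with the same flags works equally well.
function login_form_hardened(string $requestUri): string
{
    $action = htmlspecialchars($requestUri, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="' . $action . '">' . "\n"
         . '  <input type="text" name="user"> <input type="password" name="passwd">' . "\n"
         . '  <input type="submit" value="Login">' . "\n"
         . '</form>';
}

// Stand-alone demonstration on a constructed URI: php this_file.php
if (PHP_SAPI === 'cli') {
    $uri = '/packages.php?ID=1234&K="><b>injected</b>';   // constructed input
    echo https_redirect_target($uri), "\n\n";
    echo "Vulnerable:\n", login_form_vulnerable($uri), "\n\n";
    echo "Hardened:\n", login_form_hardened($uri), "\n";
}
```

Run from the command line, the vulnerable variant emits the raw `"><b>injected</b>` inside the form tag, while the hardened one renders it as `&quot;&gt;&lt;b&gt;injected&lt;/b&gt;`, keeping it inside the attribute value. The redirect helper deliberately hard-codes the host instead of reusing the Host header, so a forged header cannot turn the HTTPS bounce into a redirect elsewhere.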
