[aur-general] Securing the AUR website
archlinux at cryptocrack.de
Mon Sep 5 11:21:09 EDT 2011
On Mon, Sep 05, 2011 at 03:01:03PM +0200, Thomas Bächler wrote:
> Am 05.09.2011 14:51, schrieb Lukas Fleischer:
> > On Mon, Sep 05, 2011 at 02:44:29PM +0200, Thomas Bächler wrote:
> >> Am 03.09.2011 17:49, schrieb Gordon JC Pearce:
> >>> The other is that switching to https has left AUR in a fundamentally broken state. If you search for a package on AUR with any of the significant search engines, they return an http link. You can't do anything with this, though, because *even if you're logged in* you get the "ZOMG OH NOES YOU AREN'T USING HTTPS AND HTTPS IS TEH AWSUM!!!!11!!11!" message.
> >>> Now, if clicking on that took you *to the same page but with https* that would be fine, but it doesn't. It unceremoniously dumps you on the index page for AUR, with no way to get back to the package that you googled.
> >> This is a detail you could have shared in your first post and this
> >> discussion would have been a lot shorter. This is a bug, it belongs to
> >> the bugtracker and it is (as far as I can see) trivial to fix.
> > Do not open another ticket, please. There's FS#25757 already and I
> > sent a patch addressing that bug to aur-dev. I will push that and
> > update our live setup as soon as I get round to it.
> >  https://bugs.archlinux.org/task/25757
> >  http://mailman.archlinux.org/pipermail/aur-dev/2011-August/001864.html
> No point to send the patch I just created then (there wasn't anything in
> aur.git). While looking at it, I noticed that in the action="..." in the
> login form, there should also be htmlentities or similar around
The patch should be live now. Fixed the other issue you mentioned as
well and pushed an updated message catalog to Transifex.
Any remaining bugs should be reported to our bug tracker.
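
The two points raised in this thread, sending the visitor to the same page over HTTPS instead of the index and escaping the value written into the login form's action attribute, can be sketched as follows. This is an added example, not code from aur.git or from the patch referenced above; the host name, function names and form fields are assumptions.

```php
<?php
// Added illustration, not aurweb code.
// SITE_HOST and both function names are hypothetical.
const SITE_HOST = 'aur.example.org';

// Build the HTTPS URL for the page the visitor is on, so that a login
// link or form shown on an HTTP page returns to that page, not the index.
function https_url_for(string $requestUri): string
{
    // Accept only a local path without whitespace or control characters;
    // anything else falls back to the index page.
    if ($requestUri === '' || $requestUri[0] !== '/'
        || preg_match('/[\x00-\x20\x7f]/', $requestUri)) {
        return 'https://' . SITE_HOST . '/';
    }
    return 'https://' . SITE_HOST . $requestUri;
}

function login_form(string $requestUri): string
{
    // The URL is derived from the request, so it is escaped before it is
    // written into the attribute: &, <, > and both quote characters.
    $action = htmlspecialchars(https_url_for($requestUri), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $action . '">'
         . '<input type="text" name="user">'
         . '<input type="password" name="passwd">'
         . '<input type="submit" value="Login">'
         . '</form>';
}

// Constructed sample inputs: a normal package page and a URI carrying markup.
$samples = [
    '/packages.php?ID=12345&O=0',
    '/packages.php?ID=1"><script>alert(1)</script>',
];
foreach ($samples as $uri) {
    echo login_form($uri), "\n";
}
```

In the second sample the quote and angle brackets come out as `&quot;`, `&lt;` and `&gt;`, so the value stays inside the action attribute.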