[aur-general] [HEADS-UP] Breaking AUR helpers

Kwpolska kwpolska at gmail.com
Mon Jun 25 08:51:27 EDT 2012


On Mon, Jun 25, 2012 at 10:26 AM, Lukas Fleischer
<archlinux at cryptocrack.de> wrote:
> On Mon, Jun 25, 2012 at 01:56:55PM +0930, Gosha Tugai wrote:
>> On 06/25/2012 01:18 AM, Daenyth wrote:
>> >On Sun, Jun 24, 2012 at 11:45 AM, Dave Reisner <d at falconindy.com> wrote:
>> >>On Sun, Jun 24, 2012 at 04:55:39PM +0200, Lukas Fleischer wrote:
>> >>>Hi!
>> >>>
>> >>>I just wanted to let everybody know that I'm about to apply a patch to
>> >>>our AUR setup that fixes some CSRF vulnerabilities. This will probably
>> >>>break most (all?) AUR helpers (mis)using the AUR HTML interface. AUR
>> >>>helpers that only make use of the RPC interface won't be affected.
>> >>>
>> >>>I recommend using the web interface until the affected programs are
>> >>>fixed.
>> >>burp 1.6.9 deals with this. Coming soon to an [extra] mirror near you.
>> >>
>> >>Cheers,
>> >>dave
>> >*buuuurp*. Tasty!
>> Does this break just AUR uploaders, or AUR install helpers too i.e.
>> cower, aurget etc.?
>
> It shouldn't break download helpers. More generally, everything that
> only reads/downloads data from the AUR (especially using the RPC
> interface) *should* not be affected.
>
> Tools that include features to flag, vote, notify, write comments,
> submit packages, edit accounts, etc. need to be patched.

Thus, I suggest creating an API for doing such things.

-- 
Kwpolska <http://kwpolska.tk>
stop html mail      | always bottom-post
www.asciiribbon.org | www.netmeister.org/news/learn2quote.html
GPG KEY: 5EAAEA16   | Arch Linux x86_64, zsh, mutt, vim.
# vim:set textwidth=70:
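To illustrate why the CSRF fix discussed above splits helpers into the two groups Lukas describes, here is an added example (not AUR code, and not anything posted in this thread) modelling a toy AUR-like app: read-only RPC calls need no token, while state-changing POSTs such as voting must carry a token bound to the caller's session, so a helper that never loads the form page and just POSTs its usual fields is rejected until it is patched to fetch the token first. The class and function names, the `token` and `ID` field names and the form markup are assumptions made for this example.

```python
import hmac
import re
import secrets


class Session:
    """One logged-in browser/helper session; the CSRF token is bound to it."""
    def __init__(self):
        self.csrf_token = secrets.token_hex(16)


class ToyAUR:
    """Toy model of a package site that just gained CSRF protection (constructed example)."""
    def __init__(self):
        self.votes = {}  # pkgname -> vote count

    def rpc_info(self, pkg):
        # Read-only RPC endpoint: no token needed, so download helpers keep working.
        return {"name": pkg, "votes": self.votes.get(pkg, 0)}

    def vote_form(self, session, pkg):
        # HTML page embedding the session's token in a hidden field, as a real form does.
        return (f'<form method="post"><input type="hidden" name="token" '
                f'value="{session.csrf_token}"><input type="hidden" name="ID" value="{pkg}"></form>')

    def post_vote(self, session, form):
        # State-changing endpoint: refuse any POST whose token does not match the session.
        supplied = form.get("token", "")
        if not hmac.compare_digest(supplied, session.csrf_token):  # constant-time compare
            return 403, "CSRF token missing or invalid"
        pkg = form["ID"]
        self.votes[pkg] = self.votes.get(pkg, 0) + 1
        return 200, f"voted for {pkg}"


def legacy_helper_vote(app, session, pkg):
    """Unpatched helper: POSTs the fields it always used, without a token (hypothetical)."""
    return app.post_vote(session, {"ID": pkg})


def patched_helper_vote(app, session, pkg):
    """Patched helper: load the form, extract the hidden token, then POST with it (hypothetical)."""
    html = app.vote_form(session, pkg)
    token = re.search(r'name="token" value="([0-9a-f]+)"', html).group(1)
    return app.post_vote(session, {"ID": pkg, "token": token})
```

Because the token is only readable by the session that owns it, a forged cross-site request lands in the same 403 path as the unpatched helper.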

