[aur-general] [HEADS-UP] Breaking AUR helpers

Allan McRae allan at archlinux.org
Mon Jun 25 09:04:35 EDT 2012


On 25/06/12 22:51, Kwpolska wrote:
> On Mon, Jun 25, 2012 at 10:26 AM, Lukas Fleischer
> <archlinux at cryptocrack.de> wrote:
>> On Mon, Jun 25, 2012 at 01:56:55PM +0930, Gosha Tugai wrote:
>>> On 06/25/2012 01:18 AM, Daenyth wrote:
>>>> On Sun, Jun 24, 2012 at 11:45 AM, Dave Reisner <d at falconindy.com> wrote:
>>>>> On Sun, Jun 24, 2012 at 04:55:39PM +0200, Lukas Fleischer wrote:
>>>>>> Hi!
>>>>>>
>>>>>> I just wanted to let everybody know that I'm about to apply a patch to
>>>>>> our AUR setup that fixes some CSRF vulnerabilities. This will probably
>>>>>> break most (all?) AUR helpers (mis)using the AUR HTML interface. AUR
>>>>>> helpers that only make use of the RPC interface won't be affected.
>>>>>>
>>>>>> I recommend using the web interface until the affected programs are
>>>>>> fixed.
>>>>> burp 1.6.9 deals with this. Coming soon to an [extra] mirror near you.
>>>>>
>>>>> Cheers,
>>>>> dave
>>>> *buuuurp*. Tasty!
>>> Does this break just AUR uploaders, or AUR install helpers too i.e.
>>> cower, aurget etc.?
>>
>> It shouldn't break download helpers. More generally, everything that
>> only reads/downloads data from the AUR (especially using the RPC
>> interface) *should* not be affected.
>>
>> Tools that include features to flag, vote, notify, write comments,
>> submit packages, edit accounts, etc. need to be patched.
> 
> Thus, I suggest creating an API for doing such things.
> 

I suggest providing patches.
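To make concrete why a CSRF fix breaks helpers that drive the HTML forms while read-only RPC clients keep working, here is an added illustration (my own sketch, not the AUR's code or the actual patch). It assumes a synchronizer-token scheme in which the server binds a random token to the user's session and rejects any state-changing POST that does not echo it back; the vote form, the RPC lookup and the package data are constructed for the example.

```python
import hmac
import secrets


class CsrfGuard:
    """Synchronizer-token CSRF protection (assumed scheme, not the AUR's actual patch)."""

    def __init__(self):
        self._tokens = {}  # session_id -> token handed out with the HTML form

    def issue(self, session_id):
        """Called when the form page is rendered (GET); the token is tied to this session."""
        token = secrets.token_hex(16)
        self._tokens[session_id] = token
        return token

    def verify(self, session_id, submitted):
        expected = self._tokens.get(session_id)
        if expected is None or submitted is None:
            return False
        # Constant-time comparison so the check itself leaks nothing about the token.
        return hmac.compare_digest(expected, submitted)


def handle_vote(guard, session_id, form):
    """State-changing POST handler: rejects any request lacking a valid session-bound token."""
    if not guard.verify(session_id, form.get("token")):
        return 403, "CSRF token missing or invalid"
    return 200, f"voted for {form['pkg']}"


def handle_rpc_info(pkg):
    """Read-only RPC endpoint: no state changes, so no token is needed."""
    catalogue = {"cower": {"Name": "cower", "Version": "9-1"}}  # constructed sample data
    return catalogue.get(pkg)


def legacy_helper_vote(guard, session_id, pkg):
    """Pre-fix helper: posts only the form fields it knows, with no token -> now rejected."""
    return handle_vote(guard, session_id, {"pkg": pkg})


def patched_helper_vote(guard, session_id, pkg):
    """Fixed helper: fetch the form page first (token issued), then submit it with the token."""
    token = guard.issue(session_id)  # stands in for the GET of the form page
    return handle_vote(guard, session_id, {"pkg": pkg, "token": token})
```

A token issued to one session is worthless for another, which is exactly what stops a third-party page from triggering a vote or flag on a logged-in user's behalf; the helper simply has to be taught to go through the form like a browser does.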
