Linux Archive > ArchLinux > ArchLinux User Repository
06-24-2012, 03:45 PM
Dave Reisner

Breaking AUR helpers

On Sun, Jun 24, 2012 at 04:55:39PM +0200, Lukas Fleischer wrote:
> Hi!
>
> I just wanted to let everybody know that I'm about to apply a patch to
> our AUR setup that fixes some CSRF vulnerabilities. This will probably
> break most (all?) AUR helpers (mis)using the AUR HTML interface. AUR
> helpers, that only make use of the RPC interface, won't be affected.
>
> I recommend using the web interface until the affected programs are
> fixed.

burp 1.6.9 deals with this. Coming soon to an [extra] mirror near you.

Cheers,
dave
 
06-24-2012, 03:48 PM
Daenyth

Breaking AUR helpers

On Sun, Jun 24, 2012 at 11:45 AM, Dave Reisner <d@falconindy.com> wrote:
> On Sun, Jun 24, 2012 at 04:55:39PM +0200, Lukas Fleischer wrote:
>> Hi!
>>
>> I just wanted to let everybody know that I'm about to apply a patch to
>> our AUR setup that fixes some CSRF vulnerabilities. This will probably
>> break most (all?) AUR helpers (mis)using the AUR HTML interface. AUR
>> helpers, that only make use of the RPC interface, won't be affected.
>>
>> I recommend using the web interface until the affected programs are
>> fixed.
>
> burp 1.6.9 deals with this. Coming soon to an [extra] mirror near you.
>
> Cheers,
> dave

*buuuurp*. Tasty!
 
06-25-2012, 04:26 AM
Gosha Tugai

Breaking AUR helpers

On 06/25/2012 01:18 AM, Daenyth wrote:
> On Sun, Jun 24, 2012 at 11:45 AM, Dave Reisner <d@falconindy.com> wrote:
>> On Sun, Jun 24, 2012 at 04:55:39PM +0200, Lukas Fleischer wrote:
>>> Hi!
>>>
>>> I just wanted to let everybody know that I'm about to apply a patch to
>>> our AUR setup that fixes some CSRF vulnerabilities. This will probably
>>> break most (all?) AUR helpers (mis)using the AUR HTML interface. AUR
>>> helpers, that only make use of the RPC interface, won't be affected.
>>>
>>> I recommend using the web interface until the affected programs are
>>> fixed.
>> burp 1.6.9 deals with this. Coming soon to an [extra] mirror near you.
>>
>> Cheers,
>> dave
> *buuuurp*. Tasty!

Does this break just AUR uploaders, or AUR install helpers too i.e.
cower, aurget etc.?
 
06-25-2012, 08:26 AM
Lukas Fleischer

Breaking AUR helpers

On Mon, Jun 25, 2012 at 01:56:55PM +0930, Gosha Tugai wrote:
> On 06/25/2012 01:18 AM, Daenyth wrote:
> >On Sun, Jun 24, 2012 at 11:45 AM, Dave Reisner <d@falconindy.com> wrote:
> >>On Sun, Jun 24, 2012 at 04:55:39PM +0200, Lukas Fleischer wrote:
> >>>Hi!
> >>>
> >>>I just wanted to let everybody know that I'm about to apply a patch to
> >>>our AUR setup that fixes some CSRF vulnerabilities. This will probably
> >>>break most (all?) AUR helpers (mis)using the AUR HTML interface. AUR
> >>>helpers, that only make use of the RPC interface, won't be affected.
> >>>
> >>>I recommend using the web interface until the affected programs are
> >>>fixed.
> >>burp 1.6.9 deals with this. Coming soon to an [extra] mirror near you.
> >>
> >>Cheers,
> >>dave
> >*buuuurp*. Tasty!
> Does this break just AUR uploaders, or AUR install helpers too i.e.
> cower, aurget etc.?

It shouldn't break download helpers. More generally, everything that
only reads/downloads data from the AUR (especially using the RPC
interface) *should* not be affected.

Tools that include features to flag, vote, notify, write comments,
submit packages, edit accounts, etc. need to be patched.
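To make the read-versus-write distinction above concrete, here is an added Python sketch, not code from the AUR or from any helper named in this thread, of how a CSRF fix of this kind separates the two: reads stay tokenless, while a state-changing POST (voting, in this sketch) must replay a per-session hidden token taken from the served form, which is exactly the step a helper that posts straight to the HTML interface lacks. The field name `token`, the form layout and the HMAC-over-session-id construction are assumptions; the thread does not describe the actual patch.

```python
import hashlib
import hmac
import secrets
from html.parser import HTMLParser

# Hypothetical server side. The thread does not say how the AUR patch works;
# a per-session token bound to the login session is assumed here.
SERVER_SECRET = secrets.token_bytes(32)  # constructed; a real server persists it

def csrf_token_for(session_id: str) -> str:
    """Derive the anti-CSRF token for one login session."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def render_vote_form(session_id: str, pkg: str) -> str:
    """Constructed HTML: the vote form a logged-in browser would be served."""
    return (f'<form method="post" action="/packages/{pkg}/">'
            f'<input type="hidden" name="token" value="{csrf_token_for(session_id)}">'
            '<input type="submit" name="do_Vote" value="Vote"></form>')

def handle_post(session_id: str, form: dict) -> tuple:
    """Server check: a state-changing POST must carry its own session's token."""
    supplied = form.get("token", "")
    if not hmac.compare_digest(supplied, csrf_token_for(session_id)):
        return 403, "missing or invalid CSRF token"
    return 200, f"voted for {form.get('pkg')}"

class HiddenFieldParser(HTMLParser):
    """Collect the hidden inputs of the served form (what a patched helper does)."""
    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden":
            self.fields[a["name"]] = a.get("value", "")

def old_helper_vote(session_id: str, pkg: str) -> tuple:
    """Pre-fix helper behaviour: POST the action directly, no token."""
    return handle_post(session_id, {"pkg": pkg, "do_Vote": "Vote"})

def patched_helper_vote(session_id: str, pkg: str) -> tuple:
    """Post-fix helper behaviour: fetch the form first, replay its hidden fields."""
    parser = HiddenFieldParser()
    parser.feed(render_vote_form(session_id, pkg))
    return handle_post(session_id, {"pkg": pkg, "do_Vote": "Vote", **parser.fields})
```

A token is only valid for the session it was issued to, which is what stops a page on another site from submitting the vote on the logged-in user's behalf.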
 
06-25-2012, 12:51 PM
Kwpolska

Breaking AUR helpers

On Mon, Jun 25, 2012 at 10:26 AM, Lukas Fleischer
<archlinux@cryptocrack.de> wrote:
> On Mon, Jun 25, 2012 at 01:56:55PM +0930, Gosha Tugai wrote:
>> On 06/25/2012 01:18 AM, Daenyth wrote:
>> >On Sun, Jun 24, 2012 at 11:45 AM, Dave Reisner <d@falconindy.com> wrote:
>> >>On Sun, Jun 24, 2012 at 04:55:39PM +0200, Lukas Fleischer wrote:
>> >>>Hi!
>> >>>
>> >>>I just wanted to let everybody know that I'm about to apply a patch to
>> >>>our AUR setup that fixes some CSRF vulnerabilities. This will probably
>> >>>break most (all?) AUR helpers (mis)using the AUR HTML interface. AUR
>> >>>helpers, that only make use of the RPC interface, won't be affected.
>> >>>
>> >>>I recommend using the web interface until the affected programs are
>> >>>fixed.
>> >>burp 1.6.9 deals with this. Coming soon to an [extra] mirror near you.
>> >>
>> >>Cheers,
>> >>dave
>> >*buuuurp*. Tasty!
>> Does this break just AUR uploaders, or AUR install helpers too i.e.
>> cower, aurget etc.?
>
> It shouldn't break download helpers. More generally, everything that
> only reads/downloads data from the AUR (especially using the RPC
> interface) *should* not be affected.
>
> Tools that include features to flag, vote, notify, write comments,
> submit packages, edit accounts, etc. need to be patched.

Thus, I suggest creating an API for doing such things.

--
Kwpolska <http://kwpolska.tk>
stop html mail      | always bottom-post
www.asciiribbon.org | www.netmeister.org/news/learn2quote.html
GPG KEY: 5EAAEA16   | Arch Linux x86_64, zsh, mutt, vim.
# vim:set textwidth=70:
 
06-25-2012, 01:04 PM
Allan McRae

Breaking AUR helpers

On 25/06/12 22:51, Kwpolska wrote:
> On Mon, Jun 25, 2012 at 10:26 AM, Lukas Fleischer
> <archlinux@cryptocrack.de> wrote:
>> On Mon, Jun 25, 2012 at 01:56:55PM +0930, Gosha Tugai wrote:
>>> On 06/25/2012 01:18 AM, Daenyth wrote:
>>>> On Sun, Jun 24, 2012 at 11:45 AM, Dave Reisner <d@falconindy.com> wrote:
>>>>> On Sun, Jun 24, 2012 at 04:55:39PM +0200, Lukas Fleischer wrote:
>>>>>> Hi!
>>>>>>
>>>>>> I just wanted to let everybody know that I'm about to apply a patch to
>>>>>> our AUR setup that fixes some CSRF vulnerabilities. This will probably
>>>>>> break most (all?) AUR helpers (mis)using the AUR HTML interface. AUR
>>>>>> helpers, that only make use of the RPC interface, won't be affected.
>>>>>>
>>>>>> I recommend using the web interface until the affected programs are
>>>>>> fixed.
>>>>> burp 1.6.9 deals with this. Coming soon to an [extra] mirror near you.
>>>>>
>>>>> Cheers,
>>>>> dave
>>>> *buuuurp*. Tasty!
>>> Does this break just AUR uploaders, or AUR install helpers too i.e.
>>> cower, aurget etc.?
>>
>> It shouldn't break download helpers. More generally, everything that
>> only reads/downloads data from the AUR (especially using the RPC
>> interface) *should* not be affected.
>>
>> Tools that include features to flag, vote, notify, write comments,
>> submit packages, edit accounts, etc. need to be patched.
>
> Thus, I suggest creating an API for doing such things.
>

I suggest providing patches.
 