On Sun, Jun 24, 2012 at 12:39:41PM -0400, Dave Reisner wrote: > On Sun, Jun 24, 2012 at 06:33:31PM +0200, Stefan Husmann wrote: > > Am 24.06.2012 16:55, schrieb Lukas Fleischer: > > >Hi! > > > > > >I just wanted to let everybody know that I'm about to apply a patch to > > >our AUR setup that fixes some CSRF vulnerabilities. This will probably > > >break most (all?) AUR helpers (mis)using the AUR HTML interface. AUR > > >helpers, that only make use of the RPC interface, won't be affected. > > > > > >I recommend using the web interface until the affected programs are > > >fixed. > > When will this happen? Shouldn't it be announced on archlinux.org or > > language specific counterparts? > > > > Regards Stefan > > > > It's already happened. Uploaders who don't cope with this will see an > error: > > Invalid token for user action. > > Yes, it would have been nice to see a little more lead time on this but > honestly the change isn't really so severe.
Explaining the situation and the exact changes would have disclosed the vulnerability and we would have had a unpatched and publicly announced security flaw for some days. Given that AUR helpers are completely unsupported (especially the helpers that use the HTML interface) and given my lack of time, I didn't look for all popular helpers and inform the particular maintainers. I'll try to do better next time. > > d
