On Mon, Jun 25, 2012 at 01:56:55PM +0930, Gosha Tugai wrote:
> On 06/25/2012 01:18 AM, Daenyth wrote:
> >On Sun, Jun 24, 2012 at 11:45 AM, Dave Reisner <[email protected]> wrote:
> >>On Sun, Jun 24, 2012 at 04:55:39PM +0200, Lukas Fleischer wrote:
> >>>Hi!
> >>>
> >>>I just wanted to let everybody know that I'm about to apply a patch to
> >>>our AUR setup that fixes some CSRF vulnerabilities. This will probably
> >>>break most (all?) AUR helpers (mis)using the AUR HTML interface. AUR
> >>>helpers that only make use of the RPC interface won't be affected.
> >>>
> >>>I recommend using the web interface until the affected programs are
> >>>fixed.
> >>burp 1.6.9 deals with this. Coming soon to an [extra] mirror near you.
> >>
> >>Cheers,
> >>dave
> >*buuuurp*. Tasty!
> Does this break just AUR uploaders, or AUR install helpers too, i.e.
> cower, aurget etc.?
It shouldn't break download helpers. More generally, everything that only reads/downloads data from the AUR (especially using the RPC interface) *should* not be affected. Tools that include features to flag, vote, notify, write comments, submit packages, edit accounts, etc. need to be patched.
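To make the distinction above concrete, here is an added toy model (example code written for this page, not the AUR's PHP or any helper's code). A stateful site issues a per-session CSRF token in its HTML form and refuses state-changing POSTs that do not echo it back, while a read-only RPC query needs no token. The endpoint and field names (/vote, token, ID, do_Vote) are assumptions for illustration, not the AUR's actual form; the point is why a helper that posts a fixed set of form fields breaks after the fix, and how fetching the form and echoing its hidden fields repairs it.

```python
"""Toy model of a CSRF-protected vote form versus a read-only RPC call.

Not AUR code: endpoint and field names are assumed for illustration.
"""
import hmac
import secrets
from html.parser import HTMLParser


class _HiddenInputs(HTMLParser):
    """Collect name/value of every <input type="hidden"> in the page."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden" and "name" in a:
            self.fields[a["name"]] = a.get("value", "")


def extract_hidden_fields(html):
    """What a fixed helper must do: read the form it is about to submit."""
    p = _HiddenInputs()
    p.feed(html)
    return p.fields


class ToySite:
    """Session-bound CSRF token on writes; no token needed for reads."""

    # Constructed HTML form; field names are assumptions, not AUR's.
    FORM = ('<form method="post" action="/vote">'
            '<input type="hidden" name="token" value="{token}">'
            '<input type="hidden" name="ID" value="{pkg}">'
            '<input type="submit" name="do_Vote" value="Vote"></form>')

    def __init__(self):
        self.votes = {}
        self.tokens = {}  # session cookie -> csrf token for that session

    def login(self):
        sid = secrets.token_hex(16)
        self.tokens[sid] = secrets.token_hex(16)
        return sid

    def rpc_info(self, pkg):
        # Read-only and unauthenticated: unaffected by the CSRF change.
        return {"Name": pkg, "NumVotes": self.votes.get(pkg, 0)}

    def get_vote_form(self, sid, pkg):
        return self.FORM.format(token=self.tokens[sid], pkg=pkg)

    def post_vote(self, sid, form):
        expected = self.tokens.get(sid)
        got = form.get("token", "")
        # Constant-time compare; a token from another session also fails.
        if expected is None or not hmac.compare_digest(expected, got):
            return 403
        self.votes[form["ID"]] = self.votes.get(form["ID"], 0) + 1
        return 200


def old_helper_vote(site, sid, pkg):
    """Pre-fix behaviour: post the fields the helper always hard-coded."""
    return site.post_vote(sid, {"ID": pkg, "do_Vote": "Vote"})


def fixed_helper_vote(site, sid, pkg):
    """Fetch the form first and echo every hidden field, token included."""
    fields = extract_hidden_fields(site.get_vote_form(sid, pkg))
    fields["do_Vote"] = "Vote"
    return site.post_vote(sid, fields)


def demo():
    site = ToySite()
    sid = site.login()
    return (old_helper_vote(site, sid, "foo"),    # 403: no token
            fixed_helper_vote(site, sid, "foo"),  # 200: token echoed
            site.rpc_info("foo")["NumVotes"])     # 1: read needs no token


if __name__ == "__main__":
    print(demo())  # (403, 200, 1)
```

The check is deliberately tied to the session, so a token harvested from the attacker's own session is rejected just like a missing one; that is the property that stops a third-party page from submitting the form on a logged-in user's behalf, and also why a helper cannot simply cache one token and reuse it across logins.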
