On Mon, Jun 25, 2012 at 10:26 AM, Lukas Fleischer <[email protected]> wrote:
> On Mon, Jun 25, 2012 at 01:56:55PM +0930, Gosha Tugai wrote:
>> On 06/25/2012 01:18 AM, Daenyth wrote:
>> >On Sun, Jun 24, 2012 at 11:45 AM, Dave Reisner <[email protected]> wrote:
>> >>On Sun, Jun 24, 2012 at 04:55:39PM +0200, Lukas Fleischer wrote:
>> >>>Hi!
>> >>>
>> >>>I just wanted to let everybody know that I'm about to apply a patch to
>> >>>our AUR setup that fixes some CSRF vulnerabilities. This will probably
>> >>>break most (all?) AUR helpers (mis)using the AUR HTML interface. AUR
>> >>>helpers that only make use of the RPC interface won't be affected.
>> >>>
>> >>>I recommend using the web interface until the affected programs are
>> >>>fixed.
>> >>burp 1.6.9 deals with this. Coming soon to an [extra] mirror near you.
>> >>
>> >>Cheers,
>> >>dave
>> >*buuuurp*. Tasty!
>> Does this break just AUR uploaders, or AUR install helpers too, i.e.
>> cower, aurget etc.?
>
> It shouldn't break download helpers. More generally, everything that
> only reads/downloads data from the AUR (especially using the RPC
> interface) *should* not be affected.
>
> Tools that include features to flag, vote, notify, write comments,
> submit packages, edit accounts, etc. need to be patched.
Thus, I suggest creating an API for doing such things.

-- 
Kwpolska <http://kwpolska.tk>
stop html mail | always bottom-post
www.asciiribbon.org | www.netmeister.org/news/learn2quote.html
GPG KEY: 5EAAEA16 | Arch Linux x86_64, zsh, mutt, vim.
# vim:set textwidth=70:
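The distinction drawn in the thread (read-only RPC/download helpers keep working, helpers that flag, vote, comment or submit through the HTML forms break) follows directly from how a per-session CSRF token is enforced. The following is an added illustration written for this page, not the AUR's own PHP code; the route names (`/rpc.php`, `/vote`, ...) and the `Session`/`handle` functions are constructed stand-ins. It shows a server that only demands the token on state-changing POSTs, a forged or pre-patch request being refused because it carries no token, and a helper that reads the token out of the rendered form before posting.

```python
import hmac
import re
import secrets
from dataclasses import dataclass, field

# Constructed route tables for the example; not the real AUR URL layout.
READ_ONLY = {"/rpc.php", "/packages.php"}
STATE_CHANGING = {"/flag", "/vote", "/notify", "/comment", "/submit", "/account"}


@dataclass
class Session:
    """Server-side session: the CSRF token is bound to the login session."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))
    votes: set = field(default_factory=set)


def render_vote_form(session):
    """The server embeds the session's token as a hidden field in the HTML form.
    A cross-site page cannot read this value (same-origin policy), which is
    what makes the check below effective."""
    return ('<form method="post" action="/vote">'
            f'<input type="hidden" name="token" value="{session.csrf_token}">'
            '<input type="hidden" name="pkg" value="">'
            '</form>')


def handle(method, path, session, form=None):
    """Minimal request dispatcher with the CSRF rule applied.
    Returns (status, message)."""
    form = form or {}
    if path in READ_ONLY:
        return 200, "ok"  # reads and RPC lookups never need a token
    if path not in STATE_CHANGING:
        return 404, "not found"
    if method != "POST":
        return 405, "method not allowed"  # state changes only via POST
    submitted = form.get("token", "")
    # constant-time comparison against the token bound to this session
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return 403, "missing or invalid CSRF token"
    if path == "/vote":
        session.votes.add(form["pkg"])
    return 200, "done"


def old_helper_vote(session, pkg):
    """Pre-patch style helper: posts the form fields it always posted,
    with no token. This is what breaks once the server enforces tokens."""
    return handle("POST", "/vote", session, {"pkg": pkg})


def patched_helper_vote(session, pkg):
    """Patched helper: fetch the form first, extract the hidden token,
    then submit it together with the action."""
    html = render_vote_form(session)
    match = re.search(r'name="token" value="([0-9a-f]+)"', html)
    if match is None:
        return 0, "token not found in form"
    return handle("POST", "/vote", session, {"pkg": pkg, "token": match.group(1)})


if __name__ == "__main__":
    s = Session("alice")
    print(handle("GET", "/rpc.php", s))            # (200, 'ok')
    print(old_helper_vote(s, "cower"))             # (403, ...)
    print(patched_helper_vote(s, "cower"))         # (200, 'done')
```

The token check sits only on the state-changing routes, so anything that merely queries `/rpc.php` is untouched, while every helper that drove the HTML forms must now fetch the page and echo the hidden field back, exactly the breakage the announcement predicts.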
