On 25/06/12 22:51, Kwpolska wrote:
> On Mon, Jun 25, 2012 at 10:26 AM, Lukas Fleischer
> <[email protected]> wrote:
>> On Mon, Jun 25, 2012 at 01:56:55PM +0930, Gosha Tugai wrote:
>>> On 06/25/2012 01:18 AM, Daenyth wrote:
>>>> On Sun, Jun 24, 2012 at 11:45 AM, Dave Reisner <[email protected]> wrote:
>>>>> On Sun, Jun 24, 2012 at 04:55:39PM +0200, Lukas Fleischer wrote:
>>>>>> Hi!
>>>>>>
>>>>>> I just wanted to let everybody know that I'm about to apply a patch to
>>>>>> our AUR setup that fixes some CSRF vulnerabilities. This will probably
>>>>>> break most (all?) AUR helpers (mis)using the AUR HTML interface. AUR
>>>>>> helpers that only make use of the RPC interface won't be affected.
>>>>>>
>>>>>> I recommend using the web interface until the affected programs are
>>>>>> fixed.
>>>>> burp 1.6.9 deals with this. Coming soon to an [extra] mirror near you.
>>>>>
>>>>> Cheers,
>>>>> dave
>>>> *buuuurp*. Tasty!
>>> Does this break just AUR uploaders, or AUR install helpers too, i.e.
>>> cower, aurget etc.?
>>
>> It shouldn't break download helpers. More generally, everything that
>> only reads/downloads data from the AUR (especially using the RPC
>> interface) *should* not be affected.
>>
>> Tools that include features to flag, vote, notify, write comments,
>> submit packages, edit accounts, etc. need to be patched.
>
> Thus, I suggest creating an API for doing such things.
>
I suggest providing patches.
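
The thread above distinguishes read-only access (RPC, downloads), which a CSRF fix leaves alone, from state-changing actions (vote, flag, comment, submit), which now need a token that a helper must fetch from the form page first. The following Python script is an added illustration of that distinction and is not the AUR's code or any helper's code; the paths, the in-memory session store, the package name and the user names are constructed for the example. It models a synchronizer token bound to the session with an HMAC, a read-only RPC endpoint that needs no token, and two helper behaviours: one that posts an action directly (rejected after the fix) and one that loads the page, extracts the hidden token and resubmits it (accepted).

```python
import hashlib
import hmac
import re
import secrets

# Constructed server-side secret and session store for this example; a real
# deployment keeps the secret in configuration and sessions in a database.
SERVER_SECRET = secrets.token_bytes(32)
SESSIONS = {}  # session id -> {"user": ..., "csrf_nonce": ...}


def login(user):
    """Create a session with a fresh per-session CSRF nonce (synchronizer token)."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf_nonce": secrets.token_hex(16)}
    return sid


def csrf_token(sid):
    """Token tied to this session: HMAC(secret, sid:nonce) cannot be forged
    without the server secret and is useless in any other session."""
    nonce = SESSIONS[sid]["csrf_nonce"]
    return hmac.new(SERVER_SECRET, f"{sid}:{nonce}".encode(), hashlib.sha256).hexdigest()


def token_is_valid(sid, presented):
    if sid not in SESSIONS or not presented:
        return False
    # Constant-time comparison so the check does not leak which byte differed.
    return hmac.compare_digest(csrf_token(sid), presented)


# Hypothetical paths that change state and therefore require a valid token on POST.
STATE_CHANGING = {"/packages/vote", "/packages/flag", "/packages/comment"}


def handle(method, path, sid=None, form=None):
    """Minimal dispatcher standing in for the web front end. Returns (status, body)."""
    form = form or {}
    if path == "/rpc.php":  # read-only RPC: no session and no token needed
        return 200, {"type": "info", "results": [{"Name": "example-pkg", "Version": "1.0-1"}]}
    if sid not in SESSIONS:
        return 401, "login required"
    if method == "GET" and path == "/packages/example-pkg":
        # Page carrying the form; the token travels as a hidden field.
        return 200, ('<form method="post" action="/packages/vote">'
                     f'<input type="hidden" name="token" value="{csrf_token(sid)}">'
                     '<input type="submit" value="Vote"></form>')
    if method == "POST" and path in STATE_CHANGING:
        if not token_is_valid(sid, form.get("token")):
            return 403, "missing or invalid CSRF token"
        action = path.rsplit("/", 1)[1]
        return 200, f"{action} recorded for {SESSIONS[sid]['user']}"
    return 404, "not found"


def old_helper_vote(sid):
    """Pre-fix helper behaviour: posts the action directly, without a token."""
    return handle("POST", "/packages/vote", sid, {"pkg": "example-pkg"})


def patched_helper_vote(sid):
    """Patched behaviour: load the page, extract the token, include it in the POST."""
    status, html = handle("GET", "/packages/example-pkg", sid)
    match = re.search(r'name="token" value="([0-9a-f]+)"', html) if status == 200 else None
    token = match.group(1) if match else None
    return handle("POST", "/packages/vote", sid, {"pkg": "example-pkg", "token": token})


if __name__ == "__main__":
    sid = login("alice")
    print(handle("GET", "/rpc.php"))  # read-only access works with no token
    print(old_helper_vote(sid))       # 403: the old flow is what the fix breaks
    print(patched_helper_vote(sid))   # 200: the patched flow
```

The token is derived per session rather than stored globally, so a token captured from one logged-in session is rejected in another, and the comparison uses `hmac.compare_digest` so validation time does not depend on where the mismatch occurs.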
