1. 17 Apr, 2014 1 commit
  2. 05 Apr, 2014 7 commits
  3. 17 Jan, 2014 6 commits
  4. 11 Jan, 2014 1 commit
  5. 08 Mar, 2013 1 commit
      pkgsubmit.php: Parse .AURINFO metadata · 5a113736
      Lukas Fleischer authored
      
      
      This allows for adding a metadata file called ".AURINFO" to source
      tarballs to overwrite specific PKGBUILD fields. .AURINFO files are
      parsed line by line. The syntax for each line is "key = value", where
      key is any of the following field names:
      
      * pkgname
      * pkgver
      * pkgdesc
      * url
      * license
      * depend
      
      Multiple "depend" lines can be specified to add multiple dependencies.
      
      This format closely matches the .PKGINFO format that is used for binary
      packages in pacman/libalpm. It can be extended by field name prefixes or
      sections to support split packages later.
      
      Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
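A line-by-line parser for the .AURINFO format the commit above describes, added here as an illustration in Python; the commit's own parser is PHP in pkgsubmit.php and is not reproduced. What comes from the commit: one "key = value" per line, the six permitted field names, "depend" being repeatable, and .AURINFO values overwriting PKGBUILD fields. Everything else (tolerating blank and "#" lines, rejecting unknown or duplicated keys, the function names, and the sample file) is an assumption made for the example.

```python
"""Line-by-line .AURINFO parser (illustration, not the AUR project's PHP code)."""
from __future__ import annotations

# Field names listed in the commit message
SCALAR_FIELDS = {"pkgname", "pkgver", "pkgdesc", "url", "license"}
LIST_FIELDS = {"depend"}  # may appear any number of times, one dependency per line


class AurInfoError(ValueError):
    """Malformed or unexpected .AURINFO line."""


def parse_aurinfo(text: str) -> dict[str, object]:
    """Parse .AURINFO text: scalar fields map to str, "depend" maps to a list of str."""
    info: dict[str, object] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: blanks and comments are skipped
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not key or not value:
            raise AurInfoError(f"line {lineno}: expected 'key = value', got {raw!r}")
        if key in LIST_FIELDS:
            info.setdefault(key, []).append(value)
        elif key in SCALAR_FIELDS:
            if key in info:
                raise AurInfoError(f"line {lineno}: duplicate field {key!r}")
            info[key] = value
        else:
            # Unknown keys are rejected rather than ignored (assumption), so a
            # misspelling such as "depends" cannot silently drop a dependency.
            raise AurInfoError(f"line {lineno}: unknown field {key!r}")
    return info


def apply_overrides(pkgbuild_fields: dict[str, object],
                    aurinfo: dict[str, object]) -> dict[str, object]:
    """Return the PKGBUILD-derived fields with the .AURINFO values written over them."""
    merged = dict(pkgbuild_fields)
    merged.update(aurinfo)
    return merged


# Constructed sample input; not a real AUR upload.
SAMPLE_AURINFO = """\
pkgname = example-pkg
pkgver = 1.2.3
pkgdesc = Constructed example package
url = https://example.invalid/
license = MIT
depend = glibc
depend = openssl>=3
"""

if __name__ == "__main__":
    parsed = parse_aurinfo(SAMPLE_AURINFO)
    print(apply_overrides({"pkgname": "from-pkgbuild", "arch": "x86_64"}, parsed))
```

Fields that only the PKGBUILD supplies (here "arch") survive the merge untouched; only the keys present in .AURINFO are overwritten.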
  6. 05 Mar, 2013 2 commits
  7. 10 Feb, 2013 3 commits
  8. 04 Nov, 2012 1 commit
  9. 29 Oct, 2012 1 commit
  10. 11 Oct, 2012 1 commit
  11. 02 Oct, 2012 1 commit
  12. 24 Sep, 2012 2 commits
  13. 23 Aug, 2012 2 commits
  14. 15 Jul, 2012 3 commits
  15. 14 Jul, 2012 1 commit
  16. 11 Jul, 2012 1 commit
  17. 06 Jul, 2012 4 commits
  18. 24 Jun, 2012 1 commit
      Implement token system to fix CSRF vulnerabilities · 2c93f0a9
      canyonknight authored
      
      
      Specially crafted pages can force authenticated users to unknowingly perform
      actions on the AUR website despite being on an attacker's website. This
      cross-site request forgery (CSRF) vulnerability applies to all POST data on
      the AUR.
      
      Implement a token system using a double submit cookie. Have a hidden form
      value on every page containing POST forms. Use the newly added check_token() to
      verify the token sent via POST matches the "AURSID" cookie value. The random
      nature of the token limits the potential for CSRF.
      
      Signed-off-by: canyonknight <canyonknight@gmail.com>
      Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
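The double-submit-cookie check the commit above describes, written out as an added Python illustration; it is not the AUR's PHP check_token(). What comes from the commit: every form that POSTs carries a hidden token, and the token must equal the "AURSID" cookie value. The Request stand-in, the hidden field's name ("token"), the constant-time comparison, the protected handler and the sample requests are assumptions made for the example.

```python
"""Double-submit-cookie CSRF check (illustration, not the AUR's check_token())."""
import hmac
import html
import secrets
from dataclasses import dataclass, field

COOKIE_NAME = "AURSID"  # cookie name from the commit message
TOKEN_FIELD = "token"   # assumed name of the hidden form field


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for the example)."""
    method: str
    cookies: dict = field(default_factory=dict)
    post: dict = field(default_factory=dict)


def new_session_id() -> str:
    """Session id that doubles as the CSRF token. It is unguessable, so a page
    on another origin has no way to know what value to submit."""
    return secrets.token_hex(32)


def hidden_token_field(request: Request) -> str:
    """HTML for every form that POSTs: the cookie value copied into a hidden input."""
    token = request.cookies.get(COOKIE_NAME, "")
    return f'<input type="hidden" name="{TOKEN_FIELD}" value="{html.escape(token)}">'


def check_token(request: Request) -> bool:
    """True if the submitted token matches the session cookie.

    A cross-site form post carries the victim's cookie automatically, but the
    page that submits it cannot read that cookie and so cannot fill in a
    matching hidden field; the comparison fails and the action is refused.
    """
    if request.method != "POST":
        return True  # only state-changing POSTs are protected, as in the commit
    cookie = request.cookies.get(COOKIE_NAME)
    submitted = request.post.get(TOKEN_FIELD)
    if not cookie or not submitted:
        return False
    # Constant-time comparison; bytes so non-ASCII input cannot raise TypeError.
    return hmac.compare_digest(cookie.encode("utf-8"), submitted.encode("utf-8"))


def handle_flag_package(request: Request) -> str:
    """Example protected handler: refuses to act unless check_token() passes."""
    if not check_token(request):
        return "403 Forbidden: invalid CSRF token"
    return f"flagged {request.post.get('pkgname', '?')} out-of-date"


if __name__ == "__main__":
    sid = new_session_id()
    same_site = Request("POST", {COOKIE_NAME: sid}, {"pkgname": "foo", TOKEN_FIELD: sid})
    cross_site = Request("POST", {COOKIE_NAME: sid}, {"pkgname": "foo"})  # cookie sent, token absent
    print(handle_flag_package(same_site))
    print(handle_flag_package(cross_site))
```

Reusing the session id as the token, as the commit does, is the simplest form of the pattern; its cost is that the session id appears in page markup, so any HTML-injection bug would expose it. A separate random per-session value stored alongside the session avoids that while keeping the same check.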
  19. 19 Mar, 2012 1 commit
      web/html/pkgsubmit.php: Revamp tarball validation · 1f36664e
      Lukas Fleischer authored
      
      
      * Reorder checks.
      * Use simple string functions instead of regular expressions.
      * Check for type flags before validating paths.
      
      The latter ensures we don't treat tarball keywords/flags as directories.
      This avoids problems with bsdtar inserting PaxHeader attributes into the
      archive which look something like the following to Archive_Tar:
      
          PaxHeader/xcursor-protozoa
          xcursor-protozoa/
          xcursor-protozoa/PaxHeader/PKGBUILD
          xcursor-protozoa/PKGBUILD
      
      This only occurs on certain filesystems (e.g. jfs), but the tarball is
      by no means invalid. When extracted, it will only contain the PKGBUILD
      within a single subdirectory.
      
      Addresses FS#28802.
      
      Thanks-to: Dave Reisner <dreisner@archlinux.org>
      Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
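Tarball validation that tests the tar type flag before looking at the path, the reordering the commit above describes, added here as a Python illustration rather than the AUR's PHP/Archive_Tar code. What comes from the commit: pax extended-header records must be recognised as such instead of being taken for directories, and a valid upload is one subdirectory holding a PKGBUILD. The raw header walker, the extra rules (no absolute or ".." paths, only files and directories), the check_type_first switch and the constructed tarballs are assumptions. Python's tarfile hides pax records when reading, so the 512-byte headers are walked by hand; it also names the record "././@PaxHeader" where bsdtar writes "PaxHeader/<name>", which is exactly why the type flag, not the name, is the thing to test.

```python
"""Type-flag-first tarball validation (illustration, not the AUR project's code)."""
import io
import tarfile

BLOCK = 512
PAX_TYPES = {b"x", b"g"}     # pax extended header / global extended header
DIR_TYPE = b"5"
FILE_TYPES = {b"0", b"\0"}   # regular file, POSIX and pre-POSIX spelling


def iter_raw_entries(data: bytes):
    """Yield (name, typeflag) for every header block, pax records included."""
    off = 0
    while off + BLOCK <= len(data):
        hdr = data[off:off + BLOCK]
        if hdr == b"\0" * BLOCK:  # end-of-archive marker
            break
        name = hdr[0:100].split(b"\0", 1)[0].decode("utf-8", "surrogateescape")
        prefix = hdr[345:500].split(b"\0", 1)[0].decode("utf-8", "surrogateescape")
        if prefix:
            name = prefix + "/" + name
        typeflag = hdr[156:157]
        size = int(hdr[124:136].split(b"\0", 1)[0].strip() or b"0", 8)
        yield name, typeflag
        off += BLOCK + ((size + BLOCK - 1) // BLOCK) * BLOCK  # skip the data blocks


def validate_upload(data: bytes, check_type_first: bool = True) -> str:
    """Return the single top-level directory name, or raise ValueError.

    check_type_first=False reproduces the pre-fix behaviour in which pax
    records were judged as ordinary paths.
    """
    topdir = None
    saw_pkgbuild = False
    for name, typeflag in iter_raw_entries(data):
        if typeflag in PAX_TYPES:
            if check_type_first:
                continue       # metadata record, not part of the extracted tree
            typeflag = b"0"    # old logic: treated like any other entry
        if typeflag != DIR_TYPE and typeflag not in FILE_TYPES:
            raise ValueError(f"unsupported entry type {typeflag!r}: {name!r}")
        if name.startswith("/") or ".." in name.split("/"):
            raise ValueError(f"unsafe path {name!r}")
        parts = name.rstrip("/").split("/")
        if topdir is None:
            topdir = parts[0]
        elif parts[0] != topdir:
            raise ValueError(f"{name!r} lies outside {topdir!r}/")
        if typeflag != DIR_TYPE:
            if len(parts) < 2:
                raise ValueError(f"file {name!r} at top level")
            if parts[1:] == ["PKGBUILD"]:
                saw_pkgbuild = True
    if topdir is None or not saw_pkgbuild:
        raise ValueError("no PKGBUILD inside a single subdirectory")
    return topdir


def build_sample(with_pax: bool) -> bytes:
    """Constructed upload: one directory with a PKGBUILD, optionally with a pax
    record in front of each member, as bsdtar emits on some filesystems."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tf:
        d = tarfile.TarInfo("xcursor-protozoa")
        d.type = tarfile.DIRTYPE
        d.mode = 0o755
        body = b"pkgname=xcursor-protozoa\npkgver=1\n"
        f = tarfile.TarInfo("xcursor-protozoa/PKGBUILD")
        f.size = len(body)
        f.mode = 0o644
        if with_pax:
            d.pax_headers = {"comment": "constructed"}
            f.pax_headers = {"comment": "constructed"}
        tf.addfile(d)
        tf.addfile(f, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    paxed = build_sample(with_pax=True)
    for entry_name, flag in iter_raw_entries(paxed):
        print(flag, entry_name)
    print("valid:", validate_upload(paxed))
```

With check_type_first=False the first pax record is read as a path, becomes the "top-level directory", and the real package directory is then rejected as lying outside it; with the type flag checked first the same tarball validates, matching the commit's point that the archive was never invalid.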