1. 08 Aug, 2015 3 commits
  2. 25 Jul, 2014 1 commit
  3. 23 Jul, 2014 2 commits
  4. 15 Jul, 2014 1 commit
  5. 05 Apr, 2014 4 commits
  6. 04 Feb, 2014 1 commit
  7. 11 Oct, 2012 1 commit
  8. 24 Sep, 2012 1 commit
  9. 18 Sep, 2012 1 commit
  10. 17 Sep, 2012 1 commit
  11. 18 Jul, 2012 2 commits
  12. 17 Jul, 2012 1 commit
  13. 15 Jul, 2012 3 commits
  14. 06 Jul, 2012 2 commits
  15. 24 Jun, 2012 1 commit
    • Implement token system to fix CSRF vulnerabilities · 2c93f0a9
      canyonknight authored

      Specially crafted pages can force authenticated users to unknowingly perform
      actions on the AUR website despite being on an attacker's website. This
      cross-site request forgery (CSRF) vulnerability applies to all POST data on
      the AUR.
      
      Implement a token system using a double submit cookie. Have a hidden form
      value on every page containing POST forms. Use the newly added check_token() to
      verify the token sent via POST matches the "AURSID" cookie value. The random
      nature of the token limits the potential for CSRF.
      Signed-off-by: canyonknight <canyonknight@gmail.com>
      Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
  16. 31 May, 2012 1 commit
  17. 24 Mar, 2012 1 commit
  18. 30 Mar, 2011 1 commit
  19. 11 Mar, 2011 1 commit
  20. 19 Jan, 2011 1 commit
  21. 21 Nov, 2010 1 commit
  22. 15 Apr, 2010 1 commit
  23. 13 Apr, 2009 1 commit
    • Don't hit the database twice per comment on package · 55da4d4e
      Dan McGee authored

      It's performance improvement day today. For non-superusers, we were hitting
      the database twice per comment on a package: once to get the UID, and once
      to check the owner of the comment. The best part is we already knew the
      owner of the comment, and we only need to get our own UID once.
      
      For viewing a package like yaourt, this cuts a single pageview from over 700
      queries to around 18, which is still not great but a pretty big improvement.
      Signed-off-by: Dan McGee <dan@archlinux.org>
      Signed-off-by: Loui Chang <louipc.ist@gmail.com>
  24. 19 Feb, 2009 1 commit
  25. 23 Jan, 2009 2 commits
  26. 05 Jan, 2009 1 commit