FS#28515 - XSS seemingly possible through the AUR, with package names.

Attached to Project: AUR web interface
Opened by Samuel Dionne-Riel (samueldr) - Sunday, 19 February 2012, 02:12 GMT
Last edited by Lukas Fleischer (lfleischer) - Sunday, 19 February 2012, 16:19 GMT
Task Type Bug Report
Category Backend
Status Closed
Assigned To Lukas Fleischer (lfleischer)
Architecture All
Severity Critical
Priority Normal
Reported Version 1.9.0
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

XSS seemingly possible through the AUR.

Here is the URL of the previously submitted package.
http://aur.archlinux.org/packages.php?ID=56790

The vector used was the package name.
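The report describes a stored XSS where an attacker-chosen package name was rendered into the AUR's HTML unescaped. The two defensive layers a maintainer would want are a strict allow-list on the package name at submission time and unconditional HTML escaping at render time, so that even a name that slipped past validation (or was stored before validation existed) cannot inject markup. The following Python is an added example written for this page; it is not the AUR's own code or the fix referenced in the closing comment. The character rules assumed for valid names (lowercase alphanumerics plus `@ . _ + -`, no leading hyphen or dot) follow the PKGBUILD naming conventions and are an assumption here; the function names, the `packages.php?ID=` link shape and the sample names are constructed.

```python
import html
import re

# Assumption (from PKGBUILD naming rules): lowercase alphanumerics plus @ . _ + -
# This is an allow-list, so every HTML-significant character (< > " ' &) is
# rejected before a name ever reaches the database.
_PKGNAME_RE = re.compile(r"^[a-z0-9@._+-]+$")
_MAX_PKGNAME_LEN = 255  # constructed upper bound for this example


def is_valid_pkgname(name: str) -> bool:
    """Allow-list check applied when a package is submitted.

    Returns True only for names that match the assumed naming rules and do
    not start with '-' or '.', which would be ambiguous on a command line
    or as a path component.
    """
    if not name or len(name) > _MAX_PKGNAME_LEN:
        return False
    if name[0] in "-.":
        return False
    return _PKGNAME_RE.match(name) is not None


def render_package_link(name: str, pkg_id: int) -> str:
    """Render one package entry as an HTML anchor.

    Escaping is applied unconditionally, independent of is_valid_pkgname(),
    so a name stored before validation was introduced still renders as
    inert text rather than as markup. int(pkg_id) keeps the query string
    numeric regardless of what was passed in.
    """
    safe_name = html.escape(name, quote=True)
    return f'<a href="packages.php?ID={int(pkg_id)}">{safe_name}</a>'


def contains_raw_markup(rendered: str, name: str) -> bool:
    """True if any '<' or '>' from the original name survived escaping.

    Used as a self-check: for a correctly escaped entry this is always False.
    """
    if "<" not in name and ">" not in name:
        return False
    body = rendered.split(">", 1)[1].rsplit("</a>", 1)[0]
    return "<" in body or ">" in body


if __name__ == "__main__":
    # Constructed sample names: one valid, several that must be rejected.
    for candidate in ["yaourt", "lib32-foo+bar", "Foo", "-leading", "<script>"]:
        print(f"{candidate!r:14} valid={is_valid_pkgname(candidate)}")
    # Even the rejected name renders without live markup.
    rendered = render_package_link("<script>", 56790)
    print(rendered)
    print("raw markup leaked:", contains_raw_markup(rendered, "<script>"))
```

The allow-list is the primary control because it removes the problem at the source; the escaping in `render_package_link` is defence in depth for every template that prints a name, including the front page mentioned later in the thread, where a single missed call site would reopen the issue.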
This task depends upon

Closed by  Lukas Fleischer (lfleischer)
Sunday, 19 February 2012, 16:19 GMT
Reason for closing:  Fixed
Additional comments about closing:  Fixed in master. Cherry-picked that patch on sigurd.
Comment by Samuel Dionne-Riel (samueldr) - Sunday, 19 February 2012, 02:14 GMT
More details:

I accidentally pressed enter in another field.

It loaded an external script through a <script> tag.

I do not have the wget -O- dump anymore, inadvertently closed the terminal while a moderator deleted the offending package.

The script used was only a location.href though, but it could have been much much worse.
Comment by Dave Reisner (falconindy) - Sunday, 19 February 2012, 02:15 GMT
Moved to the appropriate project.
Comment by Samuel Dionne-Riel (samueldr) - Sunday, 19 February 2012, 02:20 GMT
packages.php?ID=56790
packages.php?ID=56793

They are affected too.

Now the main page is affected.
Comment by Pierre Schmitz (Pierre) - Sunday, 19 February 2012, 02:50 GMT
  • Field changed: Category (Web Sites → Backend)
  • Field changed: Reported Version ( → 1.9.0)
  • Field changed: Architecture (All → All)
  • Task assigned to Lukas Fleischer (lfleischer)
I have disabled the AUR web page until this can be fixed.

@Lukas: I only modified the lighttpd.conf; you'll find a backup in the same dir.
Comment by Lukas Fleischer (lfleischer) - Sunday, 19 February 2012, 04:14 GMT
Comment by Gordy Campbell (bakerboy) - Sunday, 19 February 2012, 06:08 GMT
Yaourt now fails when receiving PKGBUILDs from the AUR. It can't find the PKGBUILD for any package, but I can manually download the PKGBUILD from the AUR site.
Comment by Steve Vialle (steve_v) - Sunday, 19 February 2012, 06:25 GMT
Ditto here.
Comment by Dmytro Bagrii (dimich) - Sunday, 19 February 2012, 07:21 GMT
Yaourt now tries to receive the PKGBUILD via an invalid URL. The following patch solves the issue, but I'm not sure that it's a robust solution.
/usr/lib/yaourt/aur.sh:

#local pkgurl=$(pkgquery -Aif "%u" "$pkg")
- local pkgurl="$AURURL/packages/$pkg/$pkg.tar.gz"
+ local pkgurl="$AURURL/packages/${pkg:0:2}/$pkg/$pkg.tar.gz"
if [[ ! "$pkgurl" ]] || ! curl_fetch -fs "$pkgurl" -o "$pkg.tar.gz"; then
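Review bot: The replacement URL hard-codes the two-character prefix directory (`${pkg:0:2}`) of the server's storage layout, which the comment itself notes is not a robust solution, and since the new `$pkgurl` is always non-empty the `[[ ! "$pkgurl" ]]` guard on the following line can no longer trigger, leaving the `curl_fetch` exit status as the only failure signal. Consider keeping the previous `$AURURL/packages/$pkg/$pkg.tar.gz` URL as a fallback when the prefixed one fails, so a further change in the server's directory layout does not break downloads again.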
Comment by Pierre Schmitz (Pierre) - Sunday, 19 February 2012, 10:32 GMT
I doubt these issues are related.
Comment by Lukas Fleischer (lfleischer) - Sunday, 19 February 2012, 12:01 GMT
Should be fixed now, backwards compatibility links should work again.
