FS#31745 - pkg_flag function sends email even if no status change

Attached to Project: AUR web interface
Opened by Dave Reisner (falconindy) - Sunday, 30 September 2012, 19:15 GMT
Last edited by Lukas Fleischer (lfleischer) - Sunday, 04 November 2012, 11:44 GMT
Task Type: Bug Report
Category: Backend
Status: Closed
Assigned To: Lukas Fleischer (lfleischer)
Architecture: All
Severity: High
Priority: High
Reported Version: 1.9.1
Due in Version: 2.0.0
Due Date: Undecided
Percent Complete: 100%
Votes: 2
Private: No

Details

Relevant ML thread here: http://mailman.archlinux.org/pipermail/aur-general/2012-September/020410.html

It seems that the pkg_flag() function doesn't check to see if a package is already flagged out of date, meaning that a malicious user can merely submit a form with the do_Flag action and generate a ton of phony email to an unsuspecting user. Glancing at the code in master, it seems that this is still the case. This really needs to be patched on 1.9.1 and fixed in master.
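The pattern the report describes, as an added illustration that is not the AUR web interface's own code (written in Python rather than the project's PHP; the Package, Mailer and handler names are constructed): the vulnerable handler flags and notifies on every do_Flag submission, while the hardened one checks the existing out-of-date state first, so repeated submissions change nothing and send nothing.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Package:
    """Constructed stand-in for a package row; None means 'not flagged'."""
    name: str
    maintainer: str
    out_of_date_ts: Optional[int] = None

@dataclass
class Mailer:
    """Records notifications instead of sending them, so the example runs offline."""
    sent: list = field(default_factory=list)

    def notify(self, to: str, pkg: str) -> None:
        self.sent.append((to, pkg))

def pkg_flag_vulnerable(pkg: Package, mailer: Mailer, now: int) -> bool:
    # The behaviour described in the report: the flag is set and the maintainer
    # is emailed unconditionally, so every repeated submission sends another mail.
    pkg.out_of_date_ts = now
    mailer.notify(pkg.maintainer, pkg.name)
    return True

def pkg_flag_fixed(pkg: Package, mailer: Mailer, now: int) -> bool:
    # Hardened handler: flagging is idempotent. A package that is already
    # flagged is left untouched and no notification goes out, so repeated
    # form submissions cannot be turned into a mail flood.
    if pkg.out_of_date_ts is not None:
        return False
    pkg.out_of_date_ts = now
    mailer.notify(pkg.maintainer, pkg.name)
    return True

def simulate(handler, submissions: int) -> int:
    """Replay `submissions` flag requests against one package; return emails sent."""
    pkg = Package("example-pkg", "maintainer@example.invalid")  # constructed values
    mailer = Mailer()
    for i in range(submissions):
        handler(pkg, mailer, now=1_000_000 + i)
    return len(mailer.sent)

if __name__ == "__main__":
    print("vulnerable:", simulate(pkg_flag_vulnerable, 50), "emails")  # 50
    print("fixed:     ", simulate(pkg_flag_fixed, 50), "emails")       # 1
```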

Closed by: Lukas Fleischer (lfleischer)
Sunday, 04 November 2012, 11:44 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed in 2.0.0.
