AUR web interface

**This is the bug tracker for the AUR web interface.**

Use this tracker to report bugs or make feature requests regarding the behaviour or implementation of the AUR software.
Please read the Reporting Bug Guidelines before filing a new task.
http://wiki.archlinux.org/index.php/Reporting_Bug_Guidelines

- Please report bugs related to Arch Linux official packages here: http://bugs.archlinux.org/index.php?project=1
- Please report bugs for [community] packages here: http://bugs.archlinux.org/index.php?project=5
- For any packages in the AUR contact the maintainer or leave a comment on the package's detail page.

Source Code:
https://projects.archlinux.org/aurweb.git/

FS#31745 - pkg_flag function sends email even if no status change

Attached to Project: AUR web interface
Opened by Dave Reisner (falconindy) - Sunday, 30 September 2012, 19:15 GMT
Last edited by Lukas Fleischer (lfleischer) - Sunday, 04 November 2012, 11:44 GMT
Task Type: Bug Report
Category: Backend
Status: Closed
Assigned To: Lukas Fleischer (lfleischer)
Architecture: All
Severity: High
Priority: High
Reported Version: 1.9.1
Due in Version: 2.0.0
Due Date: Undecided
Percent Complete: 100%
Votes: 2
Private: No

Details

Relevant ML thread here: http://mailman.archlinux.org/pipermail/aur-general/2012-September/020410.html

It seems that the pkg_flag() function doesn't check to see if a package is already flagged out of date, meaning that a malicious user can merely submit a form with the do_Flag action and generate a ton of phony email to an unsuspecting user. Glancing at the code in master, it seems that this is still the case. This really needs to be patched on 1.9.1 and fixed in master.

Closed by Lukas Fleischer (lfleischer)
Sunday, 04 November 2012, 11:44 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed in 2.0.0.
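
The check the report asks for, sketched as an added example (not aurweb's code and not part of the report): notification mail is queued only for packages that a request actually moves from unflagged to flagged. The `Packages` schema, the function names and the `outbox` list standing in for the mailer are assumptions made for illustration.

```python
import sqlite3
import time

def make_db():
    # Constructed sample data; table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Packages (ID INTEGER PRIMARY KEY, Name TEXT,"
               " MaintainerEmail TEXT, OutOfDateTS INTEGER)")
    db.executemany("INSERT INTO Packages VALUES (?, ?, ?, NULL)",
                   [(1, "foo", "alice@example.org"),
                    (2, "bar", "bob@example.org")])
    return db

def _maintainer(db, pkg_id):
    return db.execute("SELECT MaintainerEmail, Name FROM Packages WHERE ID = ?",
                      (pkg_id,)).fetchone()

def flag_always_notify(db, pkg_ids, outbox):
    """Reported behaviour: each request queues mail, flagged already or not."""
    sent = 0
    for pkg_id in pkg_ids:
        db.execute("UPDATE Packages SET OutOfDateTS = ? WHERE ID = ?",
                   (int(time.time()), pkg_id))
        row = _maintainer(db, pkg_id)
        if row:
            outbox.append(row)
            sent += 1
    return sent

def flag_notify_on_change(db, pkg_ids, outbox):
    """Queue mail only for packages this request moved from unflagged to flagged."""
    sent = 0
    for pkg_id in pkg_ids:
        # The state check lives in the WHERE clause, so check and update are
        # one statement and concurrent requests cannot both see "unflagged".
        cur = db.execute("UPDATE Packages SET OutOfDateTS = ? "
                         "WHERE ID = ? AND OutOfDateTS IS NULL",
                         (int(time.time()), pkg_id))
        if cur.rowcount != 1:
            continue  # already flagged, or no such package: no status change
        outbox.append(_maintainer(db, pkg_id))
        sent += 1
    return sent
```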
