FS#31745 - pkg_flag function sends email even if no status change
Attached to Project: AUR web interface
Opened by Dave Reisner (falconindy) - Sunday, 30 September 2012, 19:15 GMT
Last edited by Lukas Fleischer (lfleischer) - Sunday, 04 November 2012, 11:44 GMT
Details
Relevant ML thread here:
http://mailman.archlinux.org/pipermail/aur-general/2012-September/020410.html
It seems that the pkg_flag() function doesn't check to see if a package is already flagged out of date, meaning that a malicious user can merely submit a form with the do_Flag action and generate a ton of phony email to an unsuspecting user. Glancing at the code in master, it seems that this is still the case. This really needs to be patched on 1.9.1 and fixed in master.
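The defensive pattern the report asks for, as an added illustration rather than aurweb's own code: the flag handler treats flagging as a state transition and only notifies the maintainer when the package actually moves from "not flagged" to "flagged", so repeated do_Flag submissions are no-ops. The in-memory package table, the `OutOfDateTS` field name and the `sent_mail` collector are assumptions made for this sketch.

```python
import time

# Constructed in-memory stand-in for the Packages table (not the real AUR schema).
# OutOfDateTS is None while the package is not flagged, else a Unix timestamp.
PACKAGES = {
    1: {"name": "examplepkg", "maintainer": "maintainer@example.invalid", "OutOfDateTS": None},
}


def pkg_flag(packages, sent_mail, pkg_id, flagger_uid, now=None):
    """Flag pkg_id out of date. Returns True if the state changed (and one
    notification was queued), False if it was already flagged (no mail)."""
    pkg = packages[pkg_id]
    if pkg["OutOfDateTS"] is not None:
        # Already flagged: no state change, so no notification. This is the
        # missing check that lets an attacker re-submit do_Flag to spam mail.
        return False
    pkg["OutOfDateTS"] = int(now if now is not None else time.time())
    pkg["FlaggerUID"] = flagger_uid
    if pkg["maintainer"]:
        # sent_mail collects (recipient, subject) instead of calling a mailer.
        sent_mail.append((pkg["maintainer"], f"AUR Out-of-date Notification for {pkg['name']}"))
    return True


def pkg_unflag(packages, pkg_id):
    """Clear the out-of-date flag. Returns True if the state changed."""
    pkg = packages[pkg_id]
    if pkg["OutOfDateTS"] is None:
        return False
    pkg["OutOfDateTS"] = None
    pkg.pop("FlaggerUID", None)
    return True


def simulate_repeated_flags(submissions):
    """Replay `submissions` do_Flag requests against a fresh copy of PACKAGES
    and return how many notification emails would have been sent."""
    packages = {k: dict(v) for k, v in PACKAGES.items()}
    sent_mail = []
    for _ in range(submissions):
        pkg_flag(packages, sent_mail, 1, flagger_uid=42)
    return len(sent_mail)


if __name__ == "__main__":
    print(f"1000 do_Flag submissions -> {simulate_repeated_flags(1000)} email(s) sent")
```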
Closed by Lukas Fleischer (lfleischer)
Sunday, 04 November 2012, 11:44 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed in 2.0.0.
[1] https://projects.archlinux.org/aur.git/commit/?id=e9ed60566ee24134d79e7935fcdaf25e97fb3f6b