AUR web interface

FS#65639 - Password Field In Account Update Page Allows For DOM Injection

Attached to Project: AUR web interface
Opened by isomarcte (isomarcte) - Thursday, 27 February 2020, 15:21 GMT
Last edited by Lukas Fleischer (lfleischer) - Tuesday, 21 April 2020, 16:00 GMT
Task Type: Bug Report
Category: Security
Status: Closed
Assigned To: No-one
Architecture: All
Severity: High
Priority: Normal
Reported Version: 4.7.0
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No


AUR Version: 4.8.0 (I can't change the drop down, but it's not 4.7.0)

On the AUR account management page, <account>/update/, attempts to use a password with a double quote character in it fail and allow a user to inject into the HTML DOM.

For example, entering the following text in the `Password` field yields modifications to the DOM returned to the user (see attached screenshot).

Input: `"><p>Test</p><input value="`

The consequences of this are,

* Users with double quotes in their passwords will be unable to use that page.
* It _may_ be possible for an attacker to use this to trick a user into loading an attacker-controlled DOM. It does look like AUR uses CSRF tokens, so I don't think this would be easy to exploit, but I've not looked into it too deeply.
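
The behaviour described in the report, reproduced against a constructed form-field template as an added example (this is not aurweb's code and not part of the report; `render_unsafe`, `render_safe` and the `passwd` field name are hypothetical). It parses both renderings to show that the unescaped value adds elements to the page, while the attribute-escaped value stays a single `<input>` whose value round-trips.

```python
from html import escape
from html.parser import HTMLParser

# Payload quoted in the report above.
PAYLOAD = '"><p>Test</p><input value="'

def render_unsafe(password):
    # Constructed template: the value is concatenated into a quoted attribute as-is.
    return '<input type="password" name="passwd" value="' + password + '">'

def render_safe(password):
    # escape(quote=True) encodes & < > " ' so the value cannot close the attribute.
    return ('<input type="password" name="passwd" value="'
            + escape(password, quote=True) + '">')

class Outline(HTMLParser):
    """Record every start tag and the value attribute of each <input>."""
    def __init__(self):
        super().__init__()
        self.tags, self.values = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.values.append(dict(attrs).get("value"))

def outline(markup):
    parser = Outline()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.values

def field_is_intact(markup, password):
    """Regression check: exactly one <input>, and its value round-trips."""
    return outline(markup) == (["input"], [password])

if __name__ == "__main__":
    for render in (render_unsafe, render_safe):
        markup = render(PAYLOAD)
        print(render.__name__, outline(markup), field_is_intact(markup, PAYLOAD))
```

`field_is_intact` can be dropped into a test suite and run over every form field that echoes user input back into an attribute.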

Closed by Lukas Fleischer (lfleischer) - Tuesday, 21 April 2020, 16:00 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed in 5.0.0.

Comment by Lukas Fleischer (lfleischer) - Thursday, 27 February 2020, 15:50 GMT
Thanks for reporting! A patch is on the pu branch. I also hotpatched our live setup at