external/aurweb
0
0
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/aurweb.git synced 2025-02-03 10:43:03 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
aurweb/web/html
History
canyonknight 2c93f0a98f Implement token system to fix CSRF vulnerabilities 
Specially crafted pages can force authenticated users to unknowingly perform
actions on the AUR website despite being on an attacker's website. This
cross-site request forgery (CSRF) vulnerability applies to all POST data on
the AUR.

Implement a token system using a double submit cookie. Have a hidden form
value on every page containing POST forms. Use the newly added check_token() to
verify the token sent via POST matches the "AURSID" cookie value. Random
nature of the token limits potential for CSRF.

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
2012-06-24 10:59:23 +02:00
..
css Fix broken XHTML. 2011-03-11 19:00:50 +01:00
images titlelogo.png: Update again 2010-03-12 16:52:07 -05:00
account.php Implement token system to fix CSRF vulnerabilities 2012-06-24 10:59:23 +02:00
addvote.php Implement token system to fix CSRF vulnerabilities 2012-06-24 10:59:23 +02:00
index.php rename *.inc files to *.inc.php and adjust imports and references 2011-06-22 15:15:04 +02:00
logout.php Wrap mysql_real_escape_string() in a function 2011-10-25 09:25:30 +02:00
packages.php Implement token system to fix CSRF vulnerabilities 2012-06-24 10:59:23 +02:00
passreset.php Wrap mysql_real_escape_string() in a function 2011-10-25 09:25:30 +02:00
pkgsubmit.php Implement token system to fix CSRF vulnerabilities 2012-06-24 10:59:23 +02:00
rpc.php Cleanup RPC usage output a bit 2011-05-29 16:06:28 +02:00
rss.php rename *.inc files to *.inc.php and adjust imports and references 2011-06-22 15:15:04 +02:00
tu.php Implement token system to fix CSRF vulnerabilities 2012-06-24 10:59:23 +02:00
voters.php Wrap mysql_real_escape_string() in a function 2011-10-25 09:25:30 +02:00