mirror of
https://gitlab.archlinux.org/archlinux/aurweb.git
synced 2025-02-03 10:43:03 +01:00
Hosting platform for the Arch User Repository (AUR), a collection of packaging scripts created by the Arch Linux community
Latest commit:

Checks are in place to avoid users getting account editing forms they shouldn't have access to. The appropriate checks before editing the account in the backend are not in place. This vulnerability allows a user to craft malicious POST data to edit other user accounts, thereby allowing account hijacking.

Add a new flexible function can_edit_account() to determine if a user has appropriate permissions. Run the permission check before processing any account information in the backend.

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
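The pattern the commit message describes, a single permission decision that runs before any submitted account data is applied, as an added example that is not aurweb's own code. The name can_edit_account() and the account tiers User, Trusted User and Developer come from the page; the Account and form shapes, the editable fields, the ranking rule and the sample accounts are assumptions made for illustration. The unchecked handler is kept beside the fixed one to show why gating only the form display is not enough.

```python
"""Authorize against the session user before processing an account edit.

Added example, not aurweb's own code. can_edit_account() and the tiers
User / Trusted User / Developer are from the page; everything else here
(Account fields, form keys, ranking rule, sample data) is assumed.
"""
from dataclasses import dataclass

USER, TRUSTED_USER, DEVELOPER = "User", "Trusted User", "Developer"
RANK = {USER: 0, TRUSTED_USER: 1, DEVELOPER: 2}

# Fields a form may change, with the coercion applied to the POSTed string.
# POST values are untrusted text, so each one is converted explicitly. (assumed)
EDITABLE = {"email": str, "suspended": lambda v: v == "1"}


@dataclass
class Account:
    id: int
    username: str
    account_type: str
    email: str = ""
    suspended: bool = False


def can_edit_account(actor: Account, target: Account) -> bool:
    """One authorization decision reused by every code path that touches an
    account. Assumed rule: you may edit yourself, or any account whose tier
    is strictly below yours."""
    if actor.id == target.id:
        return True
    return RANK[actor.account_type] > RANK[target.account_type]


def can_show_edit_form(actor: Account, target: Account) -> bool:
    """The gate the original code relied on: it only decides whether the
    edit form is rendered, which says nothing about who can POST it."""
    return can_edit_account(actor, target)


def process_edit_unchecked(accounts: dict, form: dict) -> tuple:
    """Vulnerable pattern: assumes only users who were shown the form submit
    it. The target ID is read straight from the form, so the caller's
    identity never enters the decision."""
    target = accounts[int(form["ID"])]
    for name, coerce in EDITABLE.items():
        if name in form:
            setattr(target, name, coerce(form[name]))
    return True, "ok"


def process_edit(session_user: Account, accounts: dict, form: dict) -> tuple:
    """Fixed pattern: resolve the target, authorize it against the session
    user (not any identity supplied in the form), and only then write.
    Nothing is modified before the check passes."""
    try:
        target = accounts[int(form["ID"])]
    except (KeyError, ValueError, TypeError):
        return False, "bad request"
    if not can_edit_account(session_user, target):
        return False, "permission denied"
    for name, coerce in EDITABLE.items():
        if name in form:
            setattr(target, name, coerce(form[name]))
    return True, "ok"


def make_accounts() -> dict:
    """Constructed sample accounts for the demonstration."""
    rows = [
        Account(1, "alice", USER, "alice@example.com"),
        Account(2, "bob", USER, "bob@example.com"),
        Account(3, "tu", TRUSTED_USER, "tu@example.com"),
        Account(4, "dev", DEVELOPER, "dev@example.com"),
    ]
    return {a.id: a for a in rows}


if __name__ == "__main__":
    accounts = make_accounts()
    alice, bob = accounts[1], accounts[2]
    # alice is never shown bob's form ...
    print("form shown:", can_show_edit_form(alice, bob))
    # ... yet the unchecked handler applies a form naming bob anyway
    print(process_edit_unchecked(accounts, {"ID": "2", "email": "x"}), bob.email)
    # the fixed handler refuses before touching bob
    print(process_edit(alice, accounts, {"ID": "2", "email": "y"}), bob.email)
```

The property worth keeping from this is the order of operations in process_edit(): the target is looked up, the decision is made against the authenticated session user, and only afterwards are form fields written. A display-time gate such as can_show_edit_form() is a usability feature, not an access control; any state-changing handler needs its own call to the same decision function.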
Repository contents:

Directories:
- .tx
- po
- scripts
- support/schema
- web

Files:
- .gitignore
- .mailmap
- AUTHORS
- COPYING
- HACKING
- INSTALL
- README
- TODO
- TRANSLATING
- UPGRADING
===================
Arch User Repository (AUR)
===================

About:
=====

The Arch User Repository (AUR) is a framework for hosting a collection of packaging scripts that are created and submitted by the Arch community. The scripts contained in the repository (PKGBUILDs) can be built using the Arch building/packaging script (makepkg) and installed via the Arch package manager (pacman).

The AUR project aims to provide the necessary web interface, database schema, and scripts for a multi-lingual community-driven repository.

Functionality:
=========

- Users may submit source packages that contain a PKGBUILD
- User accounts with varying permission levels (User, Trusted User, Developer)
- Ability to search for specific submitted packages (based on package name, package description, package submitter, package maintainer)
- Display submitted package information by parsing the PKGBUILD (description, license, package dependencies, etc.)
- Users can make comments on the package information page
- Mark packages as out-of-date
- Vote for well-done and popular user-submitted packages
- Trusted Users and Developers have the ability to search for and modify accounts
- Area for Trusted Users and Developers to post AUR-related proposals and vote on them

File Hierarchy:
==========

Directory Layout:
-------------------

./po - Translation files for strings in the AUR web interface.
./scripts - aurblup package blacklist tool. Scripts for AUR maintenance.
./support - Schema for the SQL database. Script for dummy data generation.
./web - Web interface for the AUR.

Files:
------

AUTHORS - List of maintainers, contributors, and translators for the AUR project.
COPYING - License information for the AUR project (GPL version 2).
HACKING - Guidelines for modifying source and submitting patches.
INSTALL - Installation procedure for the AUR.
TODO - List of potential features and changes to be made to the AUR.
TRANSLATING - Directions for creating and updating string translations.
UPGRADING - Changes needed to upgrade an older AUR version to a newer version.

Code:
=====

Official repository hosted at git://projects.archlinux.org/aur.git
See HACKING for information on submitting patches.

Bugs:
=====

Discovered bugs can be submitted to the AUR bug tracker:
https://bugs.archlinux.org/index.php?project=2

Contact:
========

Questions, comments, and patches related to the AUR can be sent to the AUR development mailing list: aur-dev@archlinux.org

Mailing list archives: https://mailman.archlinux.org/mailman/listinfo/aur-dev