Launchpad itself

Attachments of private bugreports are public

Bug #39674 reported by Dennis Kaarsemaker on 2006-04-15

328

This bug affects 7 people

Affects		Status	Importance	Assigned to	Milestone
	Launchpad itself	Fix Released	High	Abel Deuring	Launchpad itself 10.08

Bug Description

Bug 39298 is a private bug. As such I cannot view it (it's publicly archived on lists.ubuntu.com, but that's beside the point). However, the attachment added to that bug is still publicly visible. That should at least be indicated when a person uploads, but preferably the attachment is private too.

Related branches

lp://staging/~adeuring/launchpad/bug-39674-change-remaining-lfa-http_url

Merged into lp://staging/launchpad/db-devel at revision 9619

Deryck Hodge (community): Approve (code) on 2010-08-04

Diogo Matsubara (matsubara) on 2006-05-08

Changed in malone:
status:	Unconfirmed → Confirmed

Revision history for this message

Christian Reis (kiko) wrote on 2008-04-03:

The problem is that currently all and any librarian content is publically available if you can figure out the filename. For 1.2.4 we will have a private librarian instance, but it will only be usable internally. The next step is allowing access-controlled downloads to that private librarian; this will eventually allow us to fix this bug.

Revision history for this message

Stuart Bishop (stub) wrote on 2008-11-18:

I'm flagging this as a security bug. Bug attachment filenames no longer appear to be obfuscated, and are thus guessable.

Brian Murray (brian-murray) on 2009-05-06

tags:

added: ubuntu-qa

Revision history for this message

Martin Pool (mbp) wrote on 2009-05-07:

Could the bug mail perhaps include URLs that redirect through the bug to the librarian and do the check at that point? Maybe it's simpler just to do the check in the librarian.

Matthew Paul Thomas (mpt) on 2010-03-29

description:

updated

Revision history for this message

Stuart Bishop (stub) wrote on 2010-03-29:

Bug attachments need to be stored as private Librarian files and proxied via Launchpad so it can perform the security checks.

Ideally, this would only happen for attachments of private bugs to keep most existing bug attachment URLs working file and to keep serving most bug attachments over HTTP. This isn't a requirement though.

Deryck Hodge (deryck) on 2010-04-30

Changed in malone:
importance:	Medium → High

papukaija (papukaija) on 2010-05-22

tags:

added: privacy

Revision history for this message

Abel Deuring (adeuring) wrote on 2010-06-22:

I think we should store all files in the restricted librarian. Otherwise, we would have to move files between the public librarian and the restricted librarian very quickly, when the "private" flag of a bug is flipped. I doubt that this is reasonable.

Revision history for this message

Stuart Bishop (stub) wrote on 2010-06-23: Re: [Bug 39674] Re: Attachments of private bugreports are public

On Tue, Jun 22, 2010 at 10:27 PM, Abel Deuring
<email address hidden> wrote:
> I think we should store all files in the restricted librarian.
> Otherwise, we would have to move files between the public librarian and
> the restricted librarian very quickly, when the "private" flag of a bug
> is flipped. I doubt that this is reasonable.

There is actually just one Librarian, so this just involves flipping
the boolean value on all the attached LibraryFileAliases. This
controls if the file can be retrieved via the public port (public
Librarian) or not.

--
Stuart Bishop <email address hidden>
http://www.stuartbishop.net/

Revision history for this message

Francis J. Lacoste (flacoste) wrote on 2010-06-23:

Stuart suggestion sounds good.

There is no API to flip this yet though (the field is marked as read-only). So we'll need to add one.

Deryck Hodge (deryck) on 2010-07-09

Changed in malone:
status:	Triaged → In Progress
assignee:	nobody → Abel Deuring (adeuring)

Revision history for this message

Launchpad QA Bot (lpqabot) wrote on 2010-07-28: Bug fixed by a commit

Fixed in stable r11233 <http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/11233>.

Changed in malone:
milestone:	none → 10.08
tags:	added: qa-needstesting
Changed in malone:
status:	In Progress → Fix Committed

Revision history for this message

Abel Deuring (adeuring) wrote on 2010-07-28:

#11

the bug is not yet ready

Changed in malone:
status:	Fix Committed → In Progress
tags:	removed: qa-needstesting

Revision history for this message

Launchpad QA Bot (lpqabot) wrote on 2010-08-04:

#12

Fixed in db-stable r9607 <http://bazaar.launchpad.net/~launchpad-pqm/launchpad/db-stable/revision/9607>.

tags:	added: qa-needstesting
Changed in malone:
status:	In Progress → Fix Committed

Revision history for this message

Abel Deuring (adeuring) wrote on 2010-08-04:

#13

still in progress... lp:~adeuring/launchpad/bug-39674-change-remaining-lfa-http_url must be merged before we can consider this bug "fix committed"

Changed in malone:
status:	Fix Committed → In Progress

Revision history for this message

Launchpad QA Bot (lpqabot) wrote on 2010-08-04:

#14

Fixed in db-stable r9616 <http://bazaar.launchpad.net/~launchpad-pqm/launchpad/db-stable/revision/9616>.

Changed in malone:
status:	In Progress → Fix Committed

Revision history for this message

Launchpad QA Bot (lpqabot) wrote on 2010-08-04:

#15

Fixed in db-stable r9617 <http://bazaar.launchpad.net/~launchpad-pqm/launchpad/db-stable/revision/9617>.

Revision history for this message

Launchpad QA Bot (lpqabot) wrote on 2010-08-05:

#16

Fixed in db-stable r9619 <http://bazaar.launchpad.net/~launchpad-pqm/launchpad/db-stable/revision/9619>.

Abel Deuring (adeuring) on 2010-08-06

tags:

added: qa-ok
removed: qa-needstesting

Julian Edwards (julian-edwards) on 2010-08-14

Changed in malone:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

Duplicates of this bug

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.