Launchpad itself

source package names are leaked from private PPAs

Bug #1574807 reported by Chris J Arges
254
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Launchpad itself
Fix Released
High
Colin Watson

Bug Description

Source package names have no security attached such that publishing them into a private PPA exposes that name to be targeted via other bugs. A method to check publications in the package picker is needed to ensure it can't pick packages that are only published in private PPAs.

Test case:
1) Create private PPA
2) Publish new source package with unique name : 'privatepackage'
3) File a bug with a completely unrelated public project
4) Pick a package and search for 'privatepackage'
Here we expect 'privatepackage' will not be visible. but currently it is.

Tags: qa-ok

Related branches

lp://staging/~cjwatson/launchpad/fix-dsp-vocab-picker
William Grant (community): Approve (code)
Diff: 781 lines (+216/-173)
12 files modified
lib/lp/app/javascript/picker/picker_patcher.js (+4/-2)
lib/lp/app/javascript/picker/tests/test_picker_patcher.js (+35/-2)
lib/lp/app/widgets/popup.py (+14/-1)
lib/lp/app/widgets/templates/distributionsourcepackage-picker.pt (+29/-0)
lib/lp/app/widgets/templates/form-picker-macros.pt (+1/-1)
lib/lp/app/widgets/tests/test_launchpadtarget.py (+2/-12)
lib/lp/app/widgets/tests/test_popup.py (+33/-7)
lib/lp/bugs/browser/tests/test_bugalsoaffects.py (+1/-18)
lib/lp/bugs/browser/widgets/bugtask.py (+11/-2)
lib/lp/registry/tests/test_distributionsourcepackage_vocabulary.py (+45/-92)
lib/lp/registry/vocabularies.py (+29/-35)
lib/lp/services/webapp/configure.zcml (+12/-1)
lp://staging/~cjwatson/launchpad/bugtaskeditview-spn-dsp-vocab
William Grant (community): Approve (code)
Diff: 173 lines (+70/-16)
3 files modified
lib/lp/bugs/browser/bugtask.py (+27/-4)
lib/lp/bugs/browser/tests/test_bugtask.py (+42/-11)
lib/lp/bugs/browser/widgets/bugtask.py (+1/-1)
lp://staging/~cjwatson/launchpad/distribution-filebug-dsp-vocab
William Grant (community): Approve (code)
Diff: 750 lines (+363/-75)
9 files modified
database/sampledata/current-dev.sql (+1/-1)
database/sampledata/current.sql (+1/-1)
lib/lp/bugs/browser/bugtarget.py (+48/-20)
lib/lp/bugs/browser/tests/test_bugtarget_filebug.py (+22/-2)
lib/lp/bugs/browser/widgets/bugtask.py (+46/-5)
lib/lp/bugs/doc/bugtask-package-widget.txt (+128/-23)
lib/lp/bugs/tests/test_doc.py (+26/-1)
lib/lp/registry/tests/test_distributionsourcepackage_vocabulary.py (+52/-3)
lib/lp/registry/vocabularies.py (+39/-19)
lp://staging/~cjwatson/launchpad/git-repository-target-widget-dsp-vocab
William Grant (community): Approve (code)
Diff: 113 lines (+35/-4)
2 files modified
lib/lp/code/browser/widgets/gitrepositorytarget.py (+12/-2)
lib/lp/code/browser/widgets/tests/test_gitrepositorytargetwidget.py (+23/-2)
lp://staging/~cjwatson/launchpad/productseries-ubuntupkg-dsp-vocab
William Grant (community): Approve (code)
Diff: 526 lines (+164/-86)
7 files modified
lib/lp/app/widgets/popup.py (+85/-1)
lib/lp/bugs/browser/bugtracker.py (+2/-2)
lib/lp/bugs/browser/widgets/bugtask.py (+11/-74)
lib/lp/registry/browser/productseries.py (+33/-4)
lib/lp/registry/browser/tests/test_packaging.py (+20/-3)
lib/lp/registry/tests/test_distributionsourcepackage_vocabulary.py (+11/-0)
lib/lp/registry/vocabularies.py (+2/-2)
lp://staging/~cjwatson/launchpad/potemplate-dsp-vocab
William Grant (community): Approve (code)
Diff: 583 lines (+347/-28)
8 files modified
lib/lp/app/widgets/popup.py (+8/-0)
lib/lp/app/widgets/templates/distributionsourcepackage-picker.pt (+5/-0)
lib/lp/bugs/browser/widgets/bugtask.py (+1/-2)
lib/lp/bugs/doc/bugtask-package-widget.txt (+18/-21)
lib/lp/translations/browser/potemplate.py (+51/-2)
lib/lp/translations/browser/tests/test_potemplate_views.py (+68/-3)
lib/lp/translations/browser/widgets/potemplate.py (+62/-0)
lib/lp/translations/browser/widgets/tests/test_potemplate.py (+134/-0)
lp://staging/~cjwatson/launchpad/translation-import-queue-entry-dsp-vocab
William Grant (community): Approve (code)
Diff: 315 lines (+192/-5)
4 files modified
lib/lp/translations/browser/tests/test_translationimportqueueentry.py (+46/-2)
lib/lp/translations/browser/translationimportqueue.py (+34/-3)
lib/lp/translations/browser/widgets/tests/test_translationimportqueue.py (+78/-0)
lib/lp/translations/browser/widgets/translationimportqueue.py (+34/-0)
Colin Watson (cjwatson)
Changed in launchpad:
status: New → In Progress
importance: Undecided → High
assignee: nobody → Colin Watson (cjwatson)
Revision history for this message
Launchpad QA Bot (lpqabot) wrote :

r18104 in stable (http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/18104) is part of this bug's fix.

tags: added: qa-needstesting
Colin Watson (cjwatson)
tags: added: qa-ok
removed: qa-needstesting
Revision history for this message
Launchpad QA Bot (lpqabot) wrote :

r18111 in stable (http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/18111) is part of this bug's fix.

tags: added: qa-needstesting
removed: qa-ok
Colin Watson (cjwatson)
tags: added: qa-ok
removed: qa-needstesting
Revision history for this message
Launchpad QA Bot (lpqabot) wrote :

Fixed in stable r18125 <http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/18125>.

tags: added: qa-needstesting
removed: qa-ok
Changed in launchpad:
status: In Progress → Fix Committed
Revision history for this message
Colin Watson (cjwatson) wrote :

My changes aren't quite working yet: the picker doesn't pick up the current value of the distribution drop-down, and Distribution:+filebug (at least) isn't using the new vocabulary yet. However, it's all behind a disabled feature flag, so this doesn't need to block deployments.

tags: added: qa-ok
removed: qa-needstesting
Changed in launchpad:
status: Fix Committed → In Progress
Revision history for this message
Launchpad QA Bot (lpqabot) wrote :

r18164 in stable (http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/18164) is part of this bug's fix.

tags: added: qa-needstesting
removed: qa-ok
Revision history for this message
Launchpad QA Bot (lpqabot) wrote :

r18166 in stable (http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/18166) is part of this bug's fix.

Colin Watson (cjwatson)
tags: added: qa-ok
removed: qa-needstesting
Revision history for this message
Launchpad QA Bot (lpqabot) wrote :

r18185 in stable (http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/18185) is part of this bug's fix.

tags: added: qa-needstesting
removed: qa-ok
Colin Watson (cjwatson)
tags: added: qa-ok
removed: qa-needstesting
Revision history for this message
Launchpad QA Bot (lpqabot) wrote :

r18194 in stable (http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/18194) is part of this bug's fix.

tags: added: qa-needstesting
removed: qa-ok
Revision history for this message
Launchpad QA Bot (lpqabot) wrote :

r18195 in stable (http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/18195) is part of this bug's fix.

Revision history for this message
Launchpad QA Bot (lpqabot) wrote :

r18199 in stable (http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/18199) is part of this bug's fix.

Changed in launchpad:
status: In Progress → Fix Committed
Revision history for this message
Launchpad QA Bot (lpqabot) wrote :

Fixed in stable r18200 <http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/18200>.

Colin Watson (cjwatson)
tags: added: qa-ok
removed: qa-needstesting
Colin Watson (cjwatson)
Changed in launchpad:
status: Fix Committed → Fix Released
Colin Watson (cjwatson)
information type: Private Security → Public Security
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.