Attachment to security issue is not security protected
Bug #282719 reported by Sidnei da Silva
This bug report is a duplicate of:
Bug #39674: Attachments of private bugreports are public.
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Launchpad itself | New | Undecided | Unassigned |
Bug Description
I've reported a security issue for a project and added an attachment to it. The security issue is properly protected from access by anyone that is not a member of the security response team. However, if the URL to the attachment is published somewhere, any anonymous user will be able to access the attachment.
The URLs for attachments seem to contain the original filename + a sequentially increasing id, which could make it fairly easy to guess the URL and write a script to brute-force find security patches.
visibility: private → public
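The report above describes two separate weaknesses: the attachment URL is served without the access check that protects its parent bug, and the URL contains a sequential id. The sketch below is an added example, not Launchpad's code, showing the corresponding fix: authorization is derived from the parent bug on every fetch, and the URL component is a random token. The names `Bug`, `Attachment`, `AttachmentStore` and the sample data are hypothetical.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Bug:
    bug_id: int
    private: bool
    allowed_users: set = field(default_factory=set)  # e.g. security response team


@dataclass
class Attachment:
    filename: str
    content: bytes
    bug: Bug
    # Random URL component instead of a sequential id (defence in depth only).
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))


class AttachmentStore:
    def __init__(self):
        self._by_token = {}

    def add(self, bug, filename, content):
        att = Attachment(filename, content, bug)
        self._by_token[att.token] = att
        return att

    def fetch(self, token, user=None):
        """Return (status, body). user is None for anonymous requests."""
        att = self._by_token.get(token)
        if att is None:
            return 404, b""
        # Authorization comes from the parent bug, checked on every request.
        if att.bug.private and user not in att.bug.allowed_users:
            # Same response as a missing attachment, so existence is not leaked.
            return 404, b""
        return 200, att.content


def demo():
    # Constructed sample data: one private security bug, one public bug.
    store = AttachmentStore()
    private_bug = Bug(1, private=True, allowed_users={"security-team-member"})
    patch = store.add(private_bug, "fix.patch", b"constructed patch body")
    log = store.add(Bug(2, private=False), "trace.log", b"constructed log")
    return {"anon_private": store.fetch(patch.token)[0],
            "member_private": store.fetch(patch.token, "security-team-member")[0],
            "anon_public": store.fetch(log.token)[0]}
```

The random token only makes URLs hard to guess; the check against the parent bug is what keeps a leaked URL from exposing the attachment.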