private branch pages (and sub pages) 403 rather than 404ing for users that cannot see them.

Bug #728059 reported by Diogo Matsubara
This bug affects 1 person
Affects: Launchpad itself
Status: Triaged
Importance: Low
Assigned to: Unassigned

Bug Description

As a new user, open https://code.launchpad.net/~launchpad-qa/qa-tagger/devel/+new-recipe. A 403 is returned. This discloses the existence of the branch and that may concern some folk as it could be used to probe for branch names.

Tags: privacy recipe
Changed in launchpad:
status: New → Triaged
Curtis Hovey (sinzui) wrote :

Launchpad does not have private projects. Do you mean the user does not access the branch?

Diogo Matsubara (matsubara) wrote : Re: Manually editing the URL for a private branch allows user to access +new-recipe form

Yep! Corrected. Thanks.

summary: - Manually editing the URL for a private project allows user to access
+ Manually editing the URL for a private branch allows user to access
+new-recipe form
Robert Collins (lifeless) wrote :

Diogo, please set an importance if you mark it triaged... it's not triaged without that :) - See the two canned searches on https://dev.launchpad.net/BugTriage#How to triage

Changed in launchpad:
importance: Undecided → Critical
Robert Collins (lifeless) wrote :

Critical because it's disclosing the branch's existence.

William Grant (wgrant) wrote :

The page 403s for unprivileged users. If you want private branches to 404 to users who cannot see them, that is not this bug.

Changed in launchpad:
importance: Critical → Low
Robert Collins (lifeless) wrote :

wgrant skipped over some IRC discussion - 403ing on these pages is consistent with all other private branch pages today. So it's a behaving-as-previously-created situation. We can escalate this if we want to alter/improve this.

summary: - Manually editing the URL for a private branch allows user to access
- +new-recipe form
+ private branch pages (and sub pages) 403 rather than 404ing for users
+ that cannot see them.
description: updated
tags: added: privacy
removed: exploratory-testing
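
Added example, not part of the original bug report and not Launchpad code: a minimal model of the two behaviours discussed in this thread (403 versus 404 for a private branch the user cannot see), with a check that shows whether a status code lets a user tell a hidden branch from a missing one. All names, paths and data are constructed for illustration.

```python
"""Added illustration, not Launchpad code; all names and data are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Branch:
    private: bool = False
    viewers: frozenset = frozenset()  # users allowed to see a private branch


# Constructed sample store keyed by "~owner/project/branch".
BRANCHES = {
    "~team/proj/devel": Branch(),
    "~team/proj/secret": Branch(private=True, viewers=frozenset({"alice"})),
}
SUBPAGES = {"", "+new-recipe"}  # branch index page and one sub page


def split_path(url_path):
    """Split '/~owner/project/branch/+view' into (branch key, sub page)."""
    parts = url_path.strip("/").split("/")
    return "/".join(parts[:3]), "/".join(parts[3:])


def can_view(branch, user):
    return not branch.private or user in branch.viewers


def status_403(url_path, user):
    """Behaviour in the report: a hidden branch answers 403, a missing one 404."""
    key, sub = split_path(url_path)
    branch = BRANCHES.get(key)
    if branch is None or sub not in SUBPAGES:
        return 404
    return 200 if can_view(branch, user) else 403


def status_404(url_path, user):
    """Alternative: check visibility during lookup, so hidden equals missing."""
    key, sub = split_path(url_path)
    branch = BRANCHES.get(key)
    if branch is None or not can_view(branch, user) or sub not in SUBPAGES:
        return 404
    return 200


def leaks_existence(policy, hidden_path, missing_path, user=None):
    """True if the policy lets `user` tell a hidden branch from a missing one."""
    return any(
        policy(hidden_path + sub, user) != policy(missing_path + sub, user)
        for sub in ("", "/+new-recipe")
    )
```

The status code is only one signal; for the two cases to be indistinguishable, the response body, headers and timing have to match as well.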