| 2011-03-02 21:30:02 |
Diogo Matsubara |
bug |
|
|
added bug |
| 2011-03-02 21:58:09 |
Diogo Matsubara |
launchpad: status |
New |
Triaged |
|
| 2011-03-02 22:09:40 |
Diogo Matsubara |
summary |
Manually editing the URL for a private project allows user to access +new-recipe form |
Manually editing the URL for a private branch allows user to access +new-recipe form |
|
| 2011-04-13 22:19:00 |
Robert Collins |
launchpad: importance |
Undecided |
Critical |
|
| 2011-05-16 04:16:56 |
William Grant |
launchpad: importance |
Critical |
Low |
|
| 2011-05-16 07:58:21 |
Robert Collins |
summary |
Manually editing the URL for a private branch allows user to access +new-recipe form |
private branch pages (and sub pages) 403 rather than 404ing for users that cannot see them. |
|
| 2011-05-16 08:01:24 |
Robert Collins |
description |
Open https://code.launchpad.net/~launchpad-qa/qa-tagger/devel/+new-recipe
You should get a Permission denied error rather than the form to create a new recipe. |
As a new user open https://code.launchpad.net/~launchpad-qa/qa-tagger/devel/+new-recipe. A 403 is returned. This discloses the existence of the branch and that may concern some folk as it could be used to probe for branch names. |
|
| 2011-05-16 08:02:20 |
Robert Collins |
tags |
exploratory-testing recipe |
privacy recipe |
|
