Comment 5 for bug 1453948
Revision history for this message
| John Dickinson (notmyname) wrote Re: all PUT tempurls leak existence via DLO manifest attack | #5 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
513534c
demo site
(Get the code!)
I'm not sure if this is a class B1 or class A bug yet. I definitely think this needs to be fixed on master. If we do end up blocking DLOs with tempurls (or at least creating DLOs with tempurls), then we need to decide if it's better to leave old versions vulnerable or change their behavior with a security update. My default response is to fix the bug and backport it.