Existence of private bugs revealed when linked to blueprint

Bug #304627 reported by William Grant
Affects: Launchpad itself
Status: Invalid
Importance: High
Assigned to: Brad Crittenden
Milestone: (not set)

Bug Description

Private bugs are shown to be linked to blueprints. Everywhere else they are hidden. This is particularly troublesome at the moment given that the preferred bug deletion technique is to mark them private, and the current major spammer likes to link bugs to blueprints.

Curtis Hovey (sinzui) wrote:

Hi Brad.

Can you investigate this issue? I think we need to know the scope to fix this. We might want to ask the bugs team to handle this.

Changed in blueprint:
importance: Undecided → High
milestone: none → 2.2.6
status: New → Triaged
Brad Taylor (brad) wrote:

Seems you've got the wrong Brad. I do not work on Launchpad or work for Canonical.

Curtis Hovey (sinzui)
Changed in blueprint:
assignee: nobody → Brad Crittenden (bac)
security vulnerability: no → yes
visibility: public → private
tags: added: privacy
Brad Crittenden (bac) wrote:

wgrant can you provide an example where you see this bug leakage? I've reviewed the code and it looks correct. I cannot reproduce what you're seeing in LP.

Changed in blueprint:
status: Triaged → Incomplete
William Grant (wgrant) wrote:

In the bugs portlet on a blueprint, private bugs are listed as something like “<private bug>”. There's not much information leakage there, but it can be a lot of clutter when a spammer targets one blueprint in particular. Since bugs can't be deleted, the LOSAs unsubscribe everybody and mark them private - but the dozens of “<private bug>”s remain in the blueprint's portlet forever.
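As an added illustration of the leak described in this report (example code written for this page, not Launchpad's own; the Bug, Blueprint, User, render_portlet_* and leaked_private_count names, and the subscriber-based visibility model, are assumptions), the block below contrasts a portlet that enumerates every linked bug and substitutes a placeholder for ones the viewer may not see, which still betrays their existence and count, with one that applies the visibility check before enumeration so nothing about hidden bugs reaches the page.

```python
"""Private bugs linked to a blueprint: leak-by-placeholder vs. filtered listing.

Added example, not Launchpad code. Bug, Blueprint, User, render_portlet_*
and the subscriber-based visibility rule are assumptions for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    name: str


@dataclass
class Bug:
    id: int
    title: str
    private: bool = False
    # Assumed model: a private bug is visible only to its direct subscribers.
    subscribers: frozenset = field(default_factory=frozenset)

    def visible_to(self, viewer):
        """Public bugs are visible to everyone (including anonymous, viewer=None);
        private bugs only to subscribers."""
        if not self.private:
            return True
        return viewer is not None and viewer.name in self.subscribers


@dataclass
class Blueprint:
    name: str
    linked_bugs: list


def render_portlet_leaky(blueprint, viewer):
    """The behaviour the report describes: every linked bug yields a row, and
    bugs the viewer may not see become a '<private bug>' placeholder. The
    viewer learns that private bugs exist, how many, and that they are linked
    to this blueprint."""
    rows = []
    for bug in blueprint.linked_bugs:
        if bug.visible_to(viewer):
            rows.append(f"#{bug.id}: {bug.title}")
        else:
            rows.append("<private bug>")
    return rows


def render_portlet_filtered(blueprint, viewer):
    """Fixed behaviour: filter by visibility before rendering, so the listing
    contains exactly the rows the viewer is entitled to and reveals nothing
    about the rest (no placeholders, no count)."""
    return [
        f"#{bug.id}: {bug.title}"
        for bug in blueprint.linked_bugs
        if bug.visible_to(viewer)
    ]


def leaked_private_count(rows):
    """How many hidden bugs a rendered listing still betrays via placeholders."""
    return sum(1 for row in rows if row == "<private bug>")


def build_sample():
    """Constructed sample data: one public bug plus three spam bugs that were
    made private with all subscribers removed (the clean-up the report
    describes)."""
    public = Bug(1, "Wishlist: export as CSV")
    spam = [Bug(i, f"buy cheap things {i}", private=True) for i in (2, 3, 4)]
    return Blueprint("csv-export", [public, *spam])


if __name__ == "__main__":
    bp = build_sample()
    anonymous = None
    print("leaky:   ", render_portlet_leaky(bp, anonymous))
    print("filtered:", render_portlet_filtered(bp, anonymous))
```

The practitioner's point is where the check sits: a permission test applied at the presentation layer (swap the title for a placeholder) still leaks metadata, whereas applying it when the set of linked bugs is computed leaves no trace of the hidden items at all.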

Brad Crittenden (bac) wrote:

The functionality for the blueprints page changed a while back. The problem is no longer present.

Changed in blueprint:
status: Incomplete → Invalid
Curtis Hovey (sinzui)
visibility: private → public
This report contains Public Security information  
Everyone can see this security related information.
