anonymous api access to a private bugtask gives a partially redacted form not an error
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Launchpad itself | Fix Released | Critical | William Grant | |
Bug Description
bug 390745 is private
curl -v https:/
gives a strange form of the bugtask with many (but not all) fields marked 'redacted'. I would expect it to instead give a 401 Unauthorized telling the client they must authenticate. Also, exposing the date fields for a bug the user is not allowed to see is a security problem. (Not necessarily severe, but possibly important in some cases, and there might be other object classes where more interesting fields are exposed.) For instance, you can tell whether a security bug has been closed yet.
By contrast, access to the bug itself does give '401 Unauthorized' with a plain text error.
{"date_closed": null, "date_assigned": null, "title": "tag:launchpad.
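The failure mode the report describes is field-level redaction standing in for an object-level authorization check: the unprotected attributes (here the date columns) are still serialized, so an anonymous caller learns whether a private bug has been closed. The following is an added illustration, not Launchpad code, contrasting a leaky per-field serializer with one that decides visibility for the whole object first and answers 401 otherwise. The classes, the subscriber-only visibility rule, the field names treated as protected, and the sample bug data are all constructed for the example.

```python
"""Object-level vs. field-level authorization for a private resource.

Added illustration, not Launchpad code. Models the failure mode in this
bug: an anonymous request for a task on a private bug gets a partially
redacted record (dates leak) instead of 401 Unauthorized. All names,
rules and sample data below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


class Unauthorized(Exception):
    """Raised to produce HTTP 401; the body must not describe the object."""
    status = 401


@dataclass
class Bug:
    id: int
    private: bool


@dataclass
class BugTask:
    bug: Bug
    title: str
    status: str
    date_assigned: Optional[date]
    date_closed: Optional[date]


@dataclass
class Principal:
    """Requesting user; user_id None means anonymous."""
    user_id: Optional[str]
    subscribed_bug_ids: frozenset = frozenset()

    def can_view(self, bug: Bug) -> bool:
        # Constructed rule: private bugs are visible only to subscribers.
        if not bug.private:
            return True
        return self.user_id is not None and bug.id in self.subscribed_bug_ids


# Constructed: the fields the leaky serializer treats as "protected".
PROTECTED_FIELDS = {"title", "status"}


def _fmt(value):
    return value.isoformat() if isinstance(value, date) else value


def serialize_leaky(task: BugTask, who: Principal) -> dict:
    """Field-by-field redaction, the shape of the response in this bug.

    Unprotected fields such as the date columns are still returned, so an
    anonymous caller learns whether a private (e.g. security) bug is closed.
    """
    out = {}
    for name in ("title", "status", "date_assigned", "date_closed"):
        if name in PROTECTED_FIELDS and not who.can_view(task.bug):
            out[name] = "redacted"
        else:
            out[name] = _fmt(getattr(task, name))
    return out


def serialize_strict(task: BugTask, who: Principal) -> dict:
    """Object-level check first: the whole record or 401, nothing between."""
    if not who.can_view(task.bug):
        raise Unauthorized("authentication required")
    return {name: _fmt(getattr(task, name))
            for name in ("title", "status", "date_assigned", "date_closed")}


def leaked_fields(task: BugTask, who: Principal) -> set:
    """Field names an unauthorized caller still receives from the leaky path."""
    if who.can_view(task.bug):
        return set()
    return {k for k, v in serialize_leaky(task, who).items() if v != "redacted"}


def handle_request(task: BugTask, who: Principal) -> tuple:
    """(http_status, body) the hardened endpoint would produce."""
    try:
        return 200, serialize_strict(task, who)
    except Unauthorized:
        return 401, "Unauthorized"


# Constructed sample data: a private bug that has already been closed.
SAMPLE_TASK = BugTask(
    bug=Bug(id=1001, private=True),
    title="private security bug",
    status="Fix Released",
    date_assigned=date(2011, 3, 1),
    date_closed=date(2011, 3, 15),
)
ANONYMOUS = Principal(user_id=None)
SUBSCRIBER = Principal(user_id="subscriber", subscribed_bug_ids=frozenset({1001}))

if __name__ == "__main__":
    print("leaky:", serialize_leaky(SAMPLE_TASK, ANONYMOUS))
    print("leaked:", sorted(leaked_fields(SAMPLE_TASK, ANONYMOUS)))
    print("strict (anonymous):", handle_request(SAMPLE_TASK, ANONYMOUS))
    print("strict (subscriber):", handle_request(SAMPLE_TASK, SUBSCRIBER))
```

The point of `leaked_fields` is the check a reviewer would run against a serializer for any private object class: if it returns anything for an unauthorized principal, visibility is being decided per attribute rather than per object, and the object's existence and lifecycle state are already disclosed.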
Changed in launchpad:
assignee: nobody → William Grant (wgrant)
status: Triaged → Fix Committed
milestone: none → 11.04

Changed in launchpad:
status: Fix Committed → Fix Released

tags: added: hardeing
tags: added: hardening removed: hardeing
Making public now as it's fixed.