Changing bug privacy to private doesn't remove bug from project overview page
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Launchpad itself | Fix Released | Critical | Deryck Hodge |
Bug Description
If you set a public bug to private, the bug # and description are still visible to unauthenticated
This is a potential information leak - if a user accidentally files a bug whose description should be private, the user can mark the bug private. Even if the user does this, the user has no way of hiding the description other than by changing it. This is not immediately obvious.
I suspect the issue might be that LP is caching the data on the project overview page; how often is the cached data refreshed? 20mins after marking a particular bug as private, I still see it on the overview page when using a browser session that is not logged into LP.
If the bugs on the overview page are artifacts of a stale cache, I suggest that marking a bug as a private bug or a security vulnerability be used as a trigger to flush the cache, ensuring that private things become completely private immediately.
To reproduce:
1) File a public bug on a project
2) Using a browser session not logged into LP, Navigate to the project's overview page, e.g. http://
3) Using a browser session logged into LP, make the bug private
4) Using a browser session not logged into LP, reload the project overview page. The description of the private bug is still visible. Clicking through to the bug from the overview page shows a "File not found" error page as expected.
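The failure mode the report describes, as an added example that is not Launchpad's code: a hypothetical TTL-based fragment cache for a project's "latest bugs" portlet (modelled on the memcache behaviour the report suspects) keeps serving a rendering made while the bug was public, so the privacy flag on the bug has no effect until the entry expires. The hardened variant does the two things a practitioner would want: it treats the privacy change as the trigger that flushes the project's cached renderings, and it puts the viewer class in the cache key so a fragment rendered for a logged-in user is never served to an anonymous visitor. All names, the 20-minute TTL and the sample bugs are constructed for this example.

```python
"""Constructed example (not Launchpad's code): why a TTL fragment cache keeps
showing a bug after it is marked private, and how to close the window."""

from dataclasses import dataclass, field


@dataclass
class Bug:
    id: int
    title: str
    private: bool = False


@dataclass
class PortletCache:
    """Hypothetical memcache-style fragment cache with a fixed TTL in seconds."""
    ttl: float
    store: dict = field(default_factory=dict)

    def get(self, key, now):
        entry = self.store.get(key)
        if entry is not None and now - entry[1] < self.ttl:
            return entry[0]
        return None

    def put(self, key, html, now):
        self.store[key] = (html, now)

    def invalidate_prefix(self, prefix):
        # Drop every cached rendering whose key starts with the prefix.
        for key in [k for k in self.store if k.startswith(prefix)]:
            del self.store[key]


def render_fragment(bugs, authenticated):
    """The authoritative visibility check: list only what this viewer may see."""
    rows = [f"<li>#{b.id} {b.title}</li>"
            for b in bugs.values() if authenticated or not b.private]
    return "<ul>" + "".join(rows) + "</ul>"


def latest_bugs_weak(bugs, cache, project, authenticated, now):
    """Weak: key ignores the viewer and nothing evicts the entry on a privacy
    change, so a stale public rendering survives until the TTL expires."""
    key = f"portlet:{project}"
    html = cache.get(key, now)
    if html is None:
        html = render_fragment(bugs, authenticated)
        cache.put(key, html, now)
    return html


def latest_bugs_hardened(bugs, cache, project, authenticated, now):
    """Hardened: viewer class is part of the key, so an anonymous visitor can
    never receive a fragment that was rendered with elevated visibility."""
    key = f"portlet:{project}:{'auth' if authenticated else 'anon'}"
    html = cache.get(key, now)
    if html is None:
        html = render_fragment(bugs, authenticated)
        cache.put(key, html, now)
    return html


def mark_private_weak(bugs, cache, project, bug_id):
    bugs[bug_id].private = True  # the cached public rendering is left in place


def mark_private_hardened(bugs, cache, project, bug_id):
    """Privacy change flushes every cached rendering of the project's portlet."""
    bugs[bug_id].private = True
    cache.invalidate_prefix(f"portlet:{project}:")


def stale_after_privacy_change(use_hardened):
    """Replays the report's steps; returns True if the hidden title still leaks."""
    bugs = {1: Bug(1, "Crash on startup"),
            2: Bug(2, "Contains customer credentials")}  # constructed sample data
    cache = PortletCache(ttl=1200)  # 20 minutes, the interval in the report
    render = latest_bugs_hardened if use_hardened else latest_bugs_weak
    mark = mark_private_hardened if use_hardened else mark_private_weak
    render(bugs, cache, "proj", authenticated=False, now=0)  # anonymous primes the cache
    mark(bugs, cache, "proj", 2)                             # reporter hides bug 2
    html = render(bugs, cache, "proj", authenticated=False, now=600)
    return "customer credentials" in html


def cross_viewer_leak(use_hardened):
    """Returns True if a rendering made for a logged-in user reaches anonymous."""
    bugs = {1: Bug(1, "Crash on startup"), 2: Bug(2, "Secret", private=True)}
    cache = PortletCache(ttl=1200)
    render = latest_bugs_hardened if use_hardened else latest_bugs_weak
    render(bugs, cache, "proj", authenticated=True, now=0)
    return "Secret" in render(bugs, cache, "proj", authenticated=False, now=1)


if __name__ == "__main__":
    print("weak leaks after privacy change:", stale_after_privacy_change(False))
    print("hardened leaks after privacy change:", stale_after_privacy_change(True))
```

Keying on the viewer class alone is not enough: without the invalidation in `mark_private_hardened`, the anonymous entry primed while the bug was public would still be served for the rest of its TTL, which is exactly the 20-minute window the reporter observed. The comment further down that proposes simply disabling memcache for this view removes both problems at the cost of the view's render time.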
Related branches
- Curtis Hovey (community): Approve (code)
- Diff: 13 lines (+1/-2), 1 file modified: lib/lp/bugs/templates/bugtarget-portlet-latestbugs.pt (+1/-2)
Changed in launchpad:
status: New → Triaged
importance: Undecided → Critical

Changed in launchpad:
assignee: nobody → Deryck Hodge (deryck)
status: Triaged → In Progress

tags: added: qa-ok; removed: qa-needstesting

Changed in launchpad:
status: Fix Committed → Fix Released
Easiest solution would be to disable memcache: we still have timeouts generating that view, and we should fix those separately.