anonymous api access to a private bugtask gives a partially redacted form not an error

Bug #735202 reported by Martin Pool
Affects           Status        Importance  Assigned to    Milestone
Launchpad itself  Fix Released  Critical    William Grant

Bug Description

bug 390745 is private

  curl -v https://api.launchpad.net/1.0/bzr/+bug/390745

gives a strange form of the bugtask with many (but not all) fields marked 'redacted'. I would expect it to instead give a 401 Unauthorized telling the client they must authenticate. Also, exposing the date fields for a bug the user is not allowed to see is a security problem. (Not necessarily severe, but possibly important in some cases, and there might be other object classes where more interesting fields are exposed.) For instance, you can tell whether a security bug has been closed yet.

By contrast, access to the bug itself does give '401 Unauthorized' with a plain text error.

  {
    "date_closed": null,
    "date_assigned": null,
    "title": "tag:launchpad.net:2008:redacted",
    "bug_link": "https://api.launchpad.net/1.0/bugs/390745",
    "bug_watch_link": "tag:launchpad.net:2008:redacted",
    "milestone_link": "tag:launchpad.net:2008:redacted",
    "http_etag": "\"7e06226ad14b54e31f082425d55deca1ffe2f55e-1459cb9a36ec298ad92038b463bf4c9f81ec69fa\"",
    "date_left_closed": "2010-02-11T10:47:06.055570+00:00",
    "date_fix_committed": null,
    "date_fix_released": null,
    "date_in_progress": null,
    "resource_type_link": "https://api.launchpad.net/1.0/#bug_task",
    "status": "tag:launchpad.net:2008:redacted",
    "bug_target_name": "tag:launchpad.net:2008:redacted",
    "importance": "tag:launchpad.net:2008:redacted",
    "assignee_link": "tag:launchpad.net:2008:redacted",
    "date_triaged": null,
    "self_link": "https://api.launchpad.net/1.0/bzr/+bug/390745",
    "target_link": "https://api.launchpad.net/1.0/bzr",
    "bug_target_display_name": "tag:launchpad.net:2008:redacted",
    "related_tasks_collection_link": "https://api.launchpad.net/1.0/bzr/+bug/390745/related_tasks",
    "date_confirmed": null,
    "date_left_new": "2009-06-22T23:44:02.473433+00:00",
    "web_link": "https://bugs.launchpad.net/bzr/+bug/390745",
    "owner_link": "tag:launchpad.net:2008:redacted",
    "date_created": "2009-06-22T16:21:23.631947+00:00",
    "date_incomplete": "2010-02-11T10:47:06.055570+00:00",
    "is_complete": false
  }
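The root cause the report describes is field-level redaction standing in for object-level authorization: each attribute decides on its own whether to hide itself, so any attribute without a guard (here the date fields) leaks. The added example below is not Launchpad code; it models the buggy and the fixed serializer side by side, and includes a small check that flags a response that is only partially redacted. The sample response is a trimmed, constructed copy of the one quoted above; the names BugTask, serialize_per_field and serialize_object_first are assumptions.

```python
from dataclasses import dataclass

# Marker value the API uses for hidden fields (taken from the report above).
REDACTED = "tag:launchpad.net:2008:redacted"

# Constructed sample: a few fields of the anonymous response quoted in the report.
SAMPLE_RESPONSE = {
    "title": REDACTED,
    "status": REDACTED,
    "date_created": "2009-06-22T16:21:23.631947+00:00",
    "date_closed": None,
    "date_left_closed": "2010-02-11T10:47:06.055570+00:00",
    "is_complete": False,
}


def leaked_fields(doc: dict) -> list:
    """Return the fields of a partially redacted document that still carry real values.

    A document that is only partially redacted is the signature of per-field
    redaction applied where an object-level permission check was needed.
    Fully redacted or fully visible documents return an empty list."""
    if not any(v == REDACTED for v in doc.values()):
        return []
    return sorted(k for k, v in doc.items() if v != REDACTED and v is not None)


class Unauthorized(Exception):
    """Stands in for an HTTP 401 response."""


@dataclass
class BugTask:  # hypothetical minimal model
    private: bool
    fields: dict


def serialize_per_field(task: BugTask, viewer_allowed: bool) -> dict:
    """Buggy pattern: each guarded attribute hides itself; unguarded ones leak."""
    guarded = {"title", "status", "importance"}
    hide = task.private and not viewer_allowed
    return {k: (REDACTED if hide and k in guarded else v) for k, v in task.fields.items()}


def serialize_object_first(task: BugTask, viewer_allowed: bool) -> dict:
    """Fixed pattern: authorize the whole object before emitting any field."""
    if task.private and not viewer_allowed:
        raise Unauthorized("401 Unauthorized")
    return dict(task.fields)
```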

William Grant (wgrant)
Changed in launchpad:
assignee: nobody → William Grant (wgrant)
status: Triaged → Fix Committed
milestone: none → 11.04
William Grant (wgrant)
Changed in launchpad:
status: Fix Committed → Fix Released
Robert Collins (lifeless) wrote:

Making public now as it's fixed.

visibility: private → public
Curtis Hovey (sinzui)
tags: added: hardeing
tags: added: hardening
removed: hardeing
This report contains Public Security information.
Everyone can see this security-related information.
