Leaks summary of private bug when another bug marked as a duplicate
Bug #373683 reported by William Grant
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Launchpad itself | Fix Released | High | Graham Binns | |
Bug Description
When bug #372597 (which is public) was marked as a duplicate of bug #185388 (which was private when the change was made, and also when the notification was sent, but isn't any more) by somebody with access to the private bug, the notification email for the dupe marking contained the summary of the private bug. That's really not good.
Related branches
lp:~gmb/launchpad/dont-leak-privacy-in-notifications-bug-373683
- Leonard Richardson (community): Approve (code)
- Diff: 188 lines (+148/-7), 2 files modified
  - lib/lp/bugs/adapters/bugchange.py (+34/-6)
  - lib/lp/bugs/tests/test_bugchanges.py (+114/-1)
Changed in malone: | |
assignee: | Tom Berger (intellectronica) → nobody |
milestone: | 2.2.6 → 2.2.7 |
Changed in malone: | |
milestone: | 2.2.7 → 2.2.8 |
Changed in malone: | |
milestone: | 2.2.8 → 3.0 |
Changed in malone: | |
milestone: | 3.0 → 3.1.10 |
Changed in malone: | |
milestone: | 3.1.10 → none |
tags: | added: dhrb |
tags: | added: story-better-bug-notification |
Changed in malone: | |
importance: | Medium → High |
Changed in malone: | |
status: | Triaged → In Progress |
assignee: | nobody → Graham Binns (gmb) |
milestone: | none → 10.06 |
tags: | added: qa-ok removed: qa-needstesting |
Changed in malone: | |
status: | Fix Committed → Fix Released |
visibility: | private → public |
This happens quite rarely, but can potentially be a serious security leak.
The fix I propose is to check, when the bug notification is being created, whether the bug is private, and to hide its title if it is.
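The check proposed in the comment above, sketched as an added example; it is not the commenter's code and not Launchpad's implementation. The `Bug` class, the function names, the notification wording, the sample titles and bug number 100001 are all assumptions made up for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Bug:
    """Hypothetical stand-in for a bug record (not Launchpad's model)."""
    id: int
    title: str
    private: bool = False


def describe_leaky(bug: Bug) -> str:
    # Behaviour described in the report: the summary is always included,
    # whatever the visibility of the referenced bug.
    return f"bug #{bug.id}: {bug.title}"


def describe_safe(bug: Bug) -> str:
    # Proposed fix: check privacy at the moment the notification text is
    # created and keep only the number of a private bug.
    if bug.private:
        return f"bug #{bug.id} (private)"
    return f"bug #{bug.id}: {bug.title}"


def duplicate_change_text(old: Optional[Bug], new: Optional[Bug],
                          describe=describe_safe) -> str:
    # The old and new duplicate targets are described independently,
    # because either one may be private when the text is generated.
    if old is None and new is None:
        raise ValueError("no duplicate change to report")
    lines = []
    if old is not None:
        lines.append(f"** This bug is no longer a duplicate of {describe(old)}")
    if new is not None:
        lines.append(f"** This bug has been marked a duplicate of {describe(new)}")
    return "\n".join(lines)


# Constructed sample data: 185388 is the private bug named in the report,
# its title here is invented; bug 100001 is entirely made up.
PRIVATE_TARGET = Bug(185388, "constructed private summary", private=True)
PUBLIC_TARGET = Bug(100001, "constructed public summary")

if __name__ == "__main__":
    print(duplicate_change_text(None, PRIVATE_TARGET, describe_leaky))
    print(duplicate_change_text(None, PRIVATE_TARGET))
    print(duplicate_change_text(PRIVATE_TARGET, PUBLIC_TARGET))
```

Because the redaction depends only on the referenced bug's visibility, the same text is safe for every recipient of the public bug's notification, including the person who made the change.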