user controlled data will be exposed in the launchpad.net domains at the next release
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Launchpad itself | Fix Released | Critical | Abel Deuring |
Bug Description
Hi, this is a new bug related to the exciting work going on to make private bug attachments, well, private.
Sadly, that work is building on an incomplete foundation - the restricted librarian has only been used for system controlled content so far - that is, content where we are (reasonably) sure that it is harmless. The StreamOrRedirect view doesn't set content-
This is a critical issue to fix before our upcoming release, so I'm marking it as critical.
Related branches
- Māris Fogels (community): Approve (code)
Diff: 157 lines (+57/-9), 4 files modified
- lib/canonical/launchpad/browser/librarian.py (+6/-5)
- lib/lp/bugs/browser/bugattachment.py (+20/-1)
- lib/lp/bugs/browser/configure.zcml (+5/-0)
- lib/lp/bugs/browser/tests/test_bugattachment_file_access.py (+26/-3)
Changed in malone:
- status: Triaged → In Progress
- assignee: nobody → Abel Deuring (adeuring)
- milestone: none → 10.08

Changed in malone:
- status: In Progress → Fix Committed
- tags: added: qa-ok, removed: qa-needstesting

Changed in malone:
- status: Fix Committed → Fix Released
As far as fixing it goes, the simplest way would be to set cd:attachment on all StreamOrRedirect responses, but that will cause things like build logs, which are system controlled and extremely hard to attack, to be downloaded rather than viewed in the browser.
A better approach might be to have two StreamOrRedirect views, and choose the right one based on the type of file - whether it's a bug attachment (unsafe), a merge proposal diff (safe), log file from our buildds (safe) etc etc.
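
The per-file-type choice proposed in the comment above, sketched as an added example. It is not Launchpad's code and not the fix that landed in the related branch. It reads "cd:attachment" as the `Content-Disposition: attachment` response header; the origin labels and function names are hypothetical, and the `nosniff` and `application/octet-stream` settings are extra hardening that the comment does not mention.

```python
from urllib.parse import quote

# Hypothetical labels for system-controlled content, after the comment's examples.
# Anything not listed here (bug attachments, unknown kinds) is treated as unsafe.
SAFE_ORIGINS = {"merge_proposal_diff", "build_log"}


def disposition_header(filename, force_download):
    """Build a Content-Disposition value from an uploader-supplied file name."""
    kind = "attachment" if force_download else "inline"
    # Drop control characters: CR/LF in a file name would split the header.
    cleaned = "".join(c for c in filename if c.isprintable())
    # Keep only the last path component.
    cleaned = cleaned.replace("\\", "/").rsplit("/", 1)[-1] or "download"
    # Quoted ASCII fallback plus the percent-encoded RFC 5987 form.
    fallback = "".join(
        c if c.isascii() and c not in '"\\;' else "_" for c in cleaned
    )
    return '{}; filename="{}"; filename*=UTF-8\'\'{}'.format(
        kind, fallback, quote(cleaned, safe="")
    )


def response_headers(origin, filename, content_type):
    """Choose headers for a file streamed from the application's own domain."""
    # Fail closed: only allowlisted system content may render in the browser.
    force_download = origin not in SAFE_ORIGINS
    return {
        "Content-Disposition": disposition_header(filename, force_download),
        # Extra hardening (assumption): stop the browser guessing a type.
        "X-Content-Type-Options": "nosniff",
        # Extra hardening (assumption): never echo an uploader-chosen type.
        "Content-Type": (
            "application/octet-stream" if force_download else content_type
        ),
    }


if __name__ == "__main__":
    # Constructed sample inputs.
    print(response_headers("bug_attachment", "report.html", "text/html"))
    print(response_headers("build_log", "buildlog.txt.gz", "text/plain"))
```

Build logs and diffs keep rendering inline, while a bug attachment or any unrecognised kind of file is always offered as a download.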