Bug 488911

Summary: unauthenticated users can view attachments of bug reports
Product: [Websites] bugs.kde.org
Reporter: Sheikh Ali Akbar <akberbadsha05>
Component: general
Assignee: KDE sysadmins <sysadmin>
Status: RESOLVED FIXED
Severity: normal
CC: nate, sheedy
Priority: NOR
Version First Reported In: unspecified
Target Milestone: ---
Platform: Other
OS: Linux
Latest Commit:
Version Fixed/Implemented In:
Sentry Crash Report:

Description Sheikh Ali Akbar 2024-06-21 17:41:11 UTC
SUMMARY
The view-attachment files endpoint doesn't require authentication, which leads to information disclosure about bug reports.

STEPS TO REPRODUCE
1. Go to this link without logging in: https://bugsfiles.kde.org/attachment.cgi?id=170764
2. Now you can change the id parameter and notice that you are able to view/download all the attachments of other users without even logging in.

OBSERVED RESULT
Doesn't check if the user is authenticated.

EXPECTED RESULT
Check if the user is authorized to view the attachment.

ADDITIONAL INFORMATION
Comment 1 Nate Graham 2024-06-21 18:57:20 UTC
Yeah, anything posted here should be considered public and viewable by every human on planet Earth.
Comment 2 Ben Cooksley 2024-06-21 23:26:03 UTC
This is intended behaviour, bugs.kde.org is a public bug tracker. Even if authentication was required, anyone is able to register an account, so authentication would protect nothing.