Bug 488911 - unauthenticated users can view attachments of bug reports
Summary: unauthenticated users can view attachments of bug reports
Status: RESOLVED FIXED
Alias: None
Product: bugs.kde.org
Classification: Websites
Component: general
Version: unspecified
Platform: Other Linux
Priority: NOR
Severity: normal
Target Milestone: ---
Assignee: KDE sysadmins
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-06-21 17:41 UTC by Sheikh Ali Akbar
Modified: 2024-06-21 23:26 UTC
CC List: 2 users

See Also:
Latest Commit:
Version Fixed In:
Sentry Crash Report:


Attachments

Description Sheikh Ali Akbar 2024-06-21 17:41:11 UTC
SUMMARY
The view-attachment endpoint doesn't require authentication, which leads to information disclosure about bug reports.

STEPS TO REPRODUCE
1. Go to this link without logging in: https://bugsfiles.kde.org/attachment.cgi?id=170764
2. Now change the id parameter and notice that you are able to view/download all the attachments of other users without even logging in.

OBSERVED RESULT
The endpoint doesn't check whether the user is authenticated.

EXPECTED RESULT
Check whether the user is authorized to view the attachment.



ADDITIONAL INFORMATION
Comment 1 Nate Graham 2024-06-21 18:57:20 UTC
Yeah, anything posted here should be considered public and viewable by every human on planet Earth.
Comment 2 Ben Cooksley 2024-06-21 23:26:03 UTC
This is intended behaviour, bugs.kde.org is a public bug tracker. Even if authentication was required, anyone is able to register an account, so authentication would protect nothing.
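As an added example, not part of this report and not code from bugs.kde.org or Bugzilla, the following model shows the distinction the two comments draw: on a public tracker, what protects an attachment is the visibility of the bug it belongs to, not whether the requester has logged in, because anyone can register. The scheme is assumed (a bug with no groups is public; a bug with groups is visible only to members; an attachment flagged private is further limited to a hypothetical "insiders" group), and all names, ids and data are constructed for the example.

```python
"""Visibility-based authorization for bug-tracker attachments (hypothetical model)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class Bug:
    bug_id: int
    groups: FrozenSet[str]        # empty set = public bug, visible to everyone


@dataclass(frozen=True)
class Attachment:
    attachment_id: int
    bug_id: int
    filename: str
    is_private: bool = False      # private attachments are limited to INSIDER_GROUP


@dataclass(frozen=True)
class User:
    name: str
    groups: FrozenSet[str]
    authenticated: bool           # recorded, but deliberately never consulted below


INSIDER_GROUP = "insiders"                                   # assumed group name
ANONYMOUS = User("anonymous", frozenset(), authenticated=False)

# Constructed sample data: one public bug, one group-restricted bug.
BUGS: Dict[int, Bug] = {
    100: Bug(100, frozenset()),
    200: Bug(200, frozenset({"security"})),
}
ATTACHMENTS: Dict[int, Attachment] = {
    1: Attachment(1, 100, "backtrace.txt"),
    2: Attachment(2, 100, "triage-notes.txt", is_private=True),
    3: Attachment(3, 200, "security-report.txt"),
}


def can_view_bug(user: User, bug: Bug) -> bool:
    """A bug with no groups is public; otherwise the user must share a group."""
    if not bug.groups:
        return True
    return bool(bug.groups & user.groups)


def can_view_attachment(user: User, attachment: Attachment, bug: Bug) -> bool:
    """Attachments inherit the bug's visibility; private ones also need the insider group."""
    if not can_view_bug(user, bug):
        return False
    if attachment.is_private and INSIDER_GROUP not in user.groups:
        return False
    return True


def serve_attachment(user: User, attachment_id: int) -> Tuple[int, str]:
    """Return an (HTTP status, body) pair for a request to attachment.cgi?id=<attachment_id>.

    Design choice: a missing attachment and a forbidden one both yield 404, so the
    response does not reveal whether a restricted attachment exists.
    """
    attachment = ATTACHMENTS.get(attachment_id)
    if attachment is None:
        return 404, "not found"
    bug = BUGS.get(attachment.bug_id)
    if bug is None or not can_view_attachment(user, attachment, bug):
        return 404, "not found"
    return 200, attachment.filename


if __name__ == "__main__":
    newcomer = User("fresh-account", frozenset(), authenticated=True)
    member = User("sec-team", frozenset({"security"}), authenticated=True)
    for who in (ANONYMOUS, newcomer, member):
        for att_id in (1, 2, 3):
            print(f"{who.name:14} attachment {att_id}: {serve_attachment(who, att_id)}")
```

Running the script shows that a freshly registered account with no group memberships receives exactly the same responses as the anonymous user, which is the point made in comment 2: requiring a login adds nothing when registration is open, whereas the group check on bug 200 does restrict access.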