You are viewing an historical archive of past issues. Please report new issues to the appropriate project issue tracker on GitHub.

Bug #1199: Private items' influence visible on "tags#show" page

Kind bug
Product wincent.dev
When
Status closed
Reporter Greg Hurrell
Tags security

Description

A minor information leak this one. Given a private issue with a tag "foo", if an anonymous visitor goes to /tags/foo then he/she will see results like this: 

3 items tagged with foo
2 wiki articles
  some article
  other article
0 issues

In other words, the existence of 3 items with the tag is leaked out. Not really a huge flaw from a security perspective, as no useful information is leaked, but it would be nice for the output to be consistent seeing as 2 + 0 does not equal 3.

For references, an administrator looking at the same page would see: 

3 items tagged with foo
2 wiki articles
  some article
  other article
1 issues
  the secret issue

Comments

  1. Greg Hurrell

    This is now fixed.

Add a comment

Comments are now closed for this issue.

Menu