Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Answered
Priority: Medium
Fix Version/s: N/A
Affects Version/s: 2.4.0, 2.7.12
Component/s: None
Labels:

Bug Fix Policy:
View Atlassian Server bug fix policy

Description

There are some resources exposed in FeCru where depending on their existence user may get 403 or 404 http response code depending on the existence of the resource. Because the permission check is done earlier than existence check, server may leak the existence of particular resource to the requestor, even when the requestor doesn't have permission to access that resource.
Current behaviour seems more in line with definitions of the HTTP 403 and 404 status codes (see RFC 2616), but allows information leak.

Attachments

Issue Links

details

CRUC-7478 CRUC-4625 Stop returning stack traces from REST API

Closed

is related to

CRUC-1207 Crucible remote API exposes stack traces even for "access denied" requests

Closed

mentioned in: Page Loading...; Page Loading...; Page Loading...

Activity

People

Assignee:: Kamil Cichy

Reporter:: Anna Lyons [Atlassian]

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 19/Oct/2010 12:33 AM

Updated:: 11/Sep/2019 7:45 AM

Resolved:: 12/Nov/2015 5:15 PM