Verify that confidential bug aliases do not leak to non-confidential bugs

RESOLVED WORKSFORME


bugzilla.mozilla.org
General

(Reporter: nalexander, Unassigned)


(Reporter)

Description

3 years ago
I just had the following concern: suppose I create an alias for an existing confidential ticket, and the alias contains confidential information (say, an identifying name).  I then add blocks, depends, or see also to a non-confidential bug.  Is it possible that the alias will leak to the non-confidential bug?

It appears the answer is no: I did a (non-controlled!) test and, when not logged in, I don't see the confidential alias from a linked non-confidential ticket.  I'd like to verify that this is the case.

I'm marking this Mozilla confidential so that, if this is possible, an interested party cannot check my Bugzilla activity and determine a confidential alias.  I'll unmark it if possible.

Comment 1

In order to determine a bug's alias, the user must be able to view the bug, so there's no information leak here.

From the bug/link template:

> [% IF user.can_see_bug(bug) %]
>   [% link_title = link_title _ ' - ' _ bug.short_desc %]
>   [% IF use_alias && bug.alias %]
>     [% link_text = bug.alias %]
>   [% END %]
> [% END %]
Group: mozilla-employee-confidential
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → WORKSFORME
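
An added example, not part of the bug or of Bugzilla's code: a small Python model of the guard in the quoted template, with a check that a restricted bug's alias and summary never reach a viewer who cannot see the bug, next to the result when the guard is missing. The class names, the all-groups visibility rule, the sample bug, and treating blocks, depends-on and see-also links as going through one link routine are assumptions made for illustration.

```python
from dataclasses import dataclass
from html import escape

@dataclass(frozen=True)
class Bug:
    id: int
    short_desc: str
    alias: str = ""
    groups: frozenset = frozenset()      # empty set = public bug

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset = frozenset()      # logged-out viewer: no groups

    def can_see_bug(self, bug):
        # Simplified assumption: viewer must be in every group on the bug.
        return bug.groups <= self.groups

def render_link(user, bug, use_alias=True, guarded=True):
    """Model of the quoted template; guarded=False drops the visibility check."""
    link_text, link_title = f"bug {bug.id}", f"Bug {bug.id}"
    if not guarded or user.can_see_bug(bug):
        link_title = f"{link_title} - {bug.short_desc}"
        if use_alias and bug.alias:
            link_text = bug.alias
    return (f'<a href="show_bug.cgi?id={bug.id}" '
            f'title="{escape(link_title)}">{escape(link_text)}</a>')

def find_leaks(viewers, relations, guarded=True):
    """Return (viewer, field, bug id, attribute) for each restricted value rendered."""
    leaks = []
    for user in viewers:
        for field, bugs in relations.items():
            for bug in bugs:
                if user.can_see_bug(bug):
                    continue             # viewer is allowed to see this bug
                html = render_link(user, bug, guarded=guarded)
                for attr in ("alias", "short_desc"):
                    value = getattr(bug, attr)
                    if value and escape(value) in html:
                        leaks.append((user.name, field, bug.id, attr))
    return leaks

# Constructed sample data: one restricted bug linked from a public bug.
GROUP = frozenset({"mozilla-employee-confidential"})
SECRET = Bug(1001, "Contract terms for partner", "acme-contract", GROUP)
PUBLIC_BUG_RELATIONS = {"blocks": [SECRET], "depends_on": [SECRET], "see_also": [SECRET]}
VIEWERS = [User("anonymous"), User("employee", GROUP)]

if __name__ == "__main__":
    print("guarded:  ", find_leaks(VIEWERS, PUBLIC_BUG_RELATIONS))
    print("unguarded:", find_leaks(VIEWERS, PUBLIC_BUG_RELATIONS, guarded=False))
```
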
(Reporter)

Comment 2

3 years ago
Thanks glob!