Issue #4064 wontfix

Private repositories tell you about their existence

Conrad Rolack
created an issue

You can find out what private repositories exist by brute-forcing the urls while not being logged in.

If a private repository exists you are redirected to a login page, e.g.:

https://bitbucket.org/account/signin/?next=/conro/test

If a private repository does not exist, you get a 404, e.g.:

https://bitbucket.org/conro/doesNorExist

This is a problem if the public should not know about the existence of a private repository, e.g.: /apple/ios7 or /valve/hl3
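The oracle the report describes comes down to an unauthenticated request getting two different answers for "private" and "nonexistent". The following is an added illustration, not Bitbucket's code: a toy route handler in its leaky form next to a hardened form that returns the same 404 to anonymous requests in both cases (the 404 page can still carry a sign-in link so a legitimate user can log in and retry). The repository table, the `has_access` rule and the response shape are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data for the example: repo path -> visibility.
REPOS = {
    "conro/test": "private",
    "conro/public-tool": "public",
}


@dataclass(frozen=True)
class Response:
    status: int
    location: Optional[str] = None  # redirect target, if any


def has_access(user: str, path: str) -> bool:
    # Constructed authorization rule: the owner namespace may see its own repos.
    return path.split("/", 1)[0] == user


def leaky_lookup(path: str, user: Optional[str] = None) -> Response:
    """Behaviour described in the issue: a private repo redirects anonymous
    visitors to the sign-in page, while a missing repo returns 404.
    The two anonymous responses differ, so existence is observable."""
    visibility = REPOS.get(path)
    if visibility is None:
        return Response(404)
    if visibility == "public":
        return Response(200)
    if user is None:
        return Response(302, f"/account/signin/?next=/{path}")
    return Response(200 if has_access(user, path) else 403)


def uniform_lookup(path: str, user: Optional[str] = None) -> Response:
    """Hardened form: an anonymous request gets 404 whether the repo is
    private or absent, so the anonymous response carries no existence signal.
    Only after authentication is authorization evaluated."""
    visibility = REPOS.get(path)
    if visibility == "public":
        return Response(200)
    if user is None:
        # Same answer for private and nonexistent: no oracle.
        return Response(404)
    if visibility is None:
        return Response(404)
    # Authenticated and the repo exists: 200 if permitted, else the same 404
    # the anonymous path returns, so authorized users are the only ones who
    # can confirm the repository exists.
    return Response(200 if has_access(user, path) else 404)


def anonymous_responses_differ(lookup) -> bool:
    """Check used to verify a handler: do anonymous requests for an existing
    private repo and a nonexistent one produce different responses?"""
    return lookup("conro/test") != lookup("conro/doesNotExist")


if __name__ == "__main__":
    print("leaky handler leaks existence:", anonymous_responses_differ(leaky_lookup))
    print("uniform handler leaks existence:", anonymous_responses_differ(uniform_lookup))
```

The `anonymous_responses_differ` check is the kind of assertion worth keeping in a web application's test suite: it encodes the property that the reporter wants (anonymous responses for private and nonexistent resources are indistinguishable) independently of which status code the application chooses to use.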

Comments (1)

  1. Marcus Bertrand staff

    This behavior is by design. Part of the idea is that as a user on the site, you would want to know that you've arrived at the correct location for your repo, but you aren't logged in. Also, the more technical reason is that you arrived at a valid resource, but you don't have permission to view it.

    We review this and other features of the site regularly though and make changes as needed.
