Issue #8713 new

Anyone can probe for private repos (BB-200)

Christian Ullrich
created an issue

There are different responses to requests for a nonexistent repo (404) vs. an existing, private repo (login page, possibly "access denied" for authenticated but non-authorized users). This allows anyone to probe for the existence of a private repository.
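To make the oracle concrete, here is an added example (not Bitbucket code, and not part of the original report) that models a repository route two ways. The leaky variant reproduces the behaviour described above: 404 for an unknown repo, a redirect to a login page for an anonymous request to a private repo, and 403 for an authenticated user who is not a member. The hardened variant makes the same access decision but answers 404 whenever the caller may not read the repo, so the two cases cannot be told apart from the status code. The repository names, users and status codes are constructed for the example; nothing here reflects how Bitbucket actually routes requests.

```python
"""Existence oracle from differing responses to unauthorized requests.

Added example, not Bitbucket's own code. The repositories, users and
handlers below are constructed for illustration.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Repo:
    owner: str
    slug: str
    private: bool
    members: frozenset  # usernames allowed to read the repo

# Constructed sample data, not real repositories.
REPOS = {
    ("alice", "public-tools"): Repo("alice", "public-tools", False, frozenset({"alice"})),
    ("alice", "secret-project"): Repo("alice", "secret-project", True, frozenset({"alice", "bob"})),
}

def can_read(repo, user):
    """Public repos are readable by anyone; private repos only by members."""
    return (not repo.private) or (user in repo.members)

def leaky_handler(owner, slug, user=None):
    """Behaviour the issue describes: three distinguishable outcomes."""
    repo = REPOS.get((owner, slug))
    if repo is None:
        return 404            # nonexistent repo
    if can_read(repo, user):
        return 200
    if user is None:
        return 302            # redirect to the login page
    return 403                # authenticated but not authorized

def hardened_handler(owner, slug, user=None):
    """Same access decision, but every not-readable case looks identical."""
    repo = REPOS.get((owner, slug))
    if repo is None or not can_read(repo, user):
        return 404            # "does not exist" and "not yours" collapse to one answer
    return 200

def probe(handler, owner, candidates, user=None):
    """What a caller learns about each candidate slug from the status code alone."""
    labels = {200: "public", 404: "not found"}
    return {slug: labels.get(handler(owner, slug, user), "exists (private)")
            for slug in candidates}

def leaks_existence(handler):
    """True if an anonymous caller can tell a private repo from a missing one."""
    private = handler("alice", "secret-project")
    missing = handler("alice", "does-not-exist")
    return private != missing

if __name__ == "__main__":
    for name, h in (("leaky", leaky_handler), ("hardened", hardened_handler)):
        print(name, probe(h, "alice", ["secret-project", "does-not-exist"]),
              "leaks:", leaks_existence(h))
```

The hardened variant is the standard fix for this class of oracle, and it carries exactly the usability cost the staff reply below weighs: a member who is simply not logged in gets a 404 instead of a login prompt. It is also only as good as the rest of the response: if the body, headers, redirect target or response time still differ between the two cases, the existence leak survives with a different status code.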

Comments (2)

  1. Zach Davis (staff)

    As you note, this is not so straightforward. This is a long-standing question in the Bitbucket team and for the time-being we have decided to err on the side of not confusing people (but leaking information). I'll leave this open as a reference for other users, but at this time I don't think we plan on changing anything.