Details
- Bug
- Resolution: Won't Fix
- Medium
Description
When not logged in, if I try to access the URL of one of my private repos, I get a message stating that I do not have access to that repo. By stating that I do not have access to that repo, information about the private repo (its name and confirmation of its existence) is being implicitly divulged. It seems it would be more secure to simply throw a 404 when trying to access a private repo without permission to do so.
I'm not trying to be a condescending dick, I love your service, but it seems reasonable to deny access to //any// piece of information associated with a private repository. Thanks for reading and I look forward to enjoying your fine service for a long time to come!
Derek
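
The behaviour requested in the report above, sketched as an added example; it is not part of the original report and is not the service's code. The repository names, users, response texts and function names are all hypothetical and constructed for illustration. It places the reported behaviour next to a uniform-404 handler, with a regression check that compares what a caller without access sees for a private repo and for a repo that does not exist.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Repo:
    slug: str
    private: bool
    members: frozenset = frozenset()


# Constructed sample data, not taken from any real service.
REPOS = {
    "derek/secret-project": Repo("derek/secret-project", True, frozenset({"derek"})),
    "derek/dotfiles": Repo("derek/dotfiles", False),
}

NOT_FOUND = (404, "Repository not found.")


def leaky_view(slug, user=None):
    """Behaviour described in the report: a distinct reply confirms the repo exists."""
    repo = REPOS.get(slug)
    if repo is None:
        return NOT_FOUND
    if repo.private and user not in repo.members:
        return (403, f"You do not have access to {slug}.")
    return (200, f"Contents of {slug}")


def uniform_view(slug, user=None):
    """Requested behaviour: 'no permission' and 'does not exist' share one response."""
    repo = REPOS.get(slug)
    # Authorization is checked before anything about the repo is echoed back,
    # and both failure cases return the same status and the same body.
    if repo is None or (repo.private and user not in repo.members):
        return NOT_FOUND
    return (200, f"Contents of {slug}")


def discloses_existence(view, private_slug, missing_slug, user=None):
    """Regression check: True if a caller without access can tell a private
    repo apart from a nonexistent one by comparing the two responses."""
    return view(private_slug, user) != view(missing_slug, user)


if __name__ == "__main__":
    for view in (leaky_view, uniform_view):
        leaks = discloses_existence(view, "derek/secret-project", "derek/no-such-repo")
        print(f"{view.__name__}: discloses existence = {leaks}")
```

The check compares status and body only; a real handler would also need matching headers and redirects for the two cases to be indistinguishable.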