Issue #2133 wontfix
created an issue

When not logged in, if I try to access the url of one of my private repos, I get a message stating that I do not have access to that repo. By stating that I do not have access to that repo, information about the private repo (its name and confirmation of its existence) is being implicitly divulged. It seems it would be more secure to simply throw a 404 when trying to access a private repo without permission to do so.

I'm not trying to be a condescending dick, I love your service, but it seems reasonable to deny access to //any// piece of information associated with a private repository. Thanks for reading and I look forward to enjoying your fine service for a long time to come!


Comments (5)

  1. Martin Geisler

    It is standard practice to hide things like usernames completely when you login -- that is why you are told "incorrect username or password". Truly hiding private repositories would match that and I think it's a good idea.

  2. Log in to comment