Bitbucket Cloud / BCLOUD-2618

Backup bundle after strip is public (BB-1474)

Details

    Description

      When you strip a changeset, the backup bundle can be downloaded from
      {{{
      https://bitbucket.org/<user>/<repo>/admin/strip/<hash>-backup.hg
      }}}
      This URL is public – everybody can download the bundle, even if the repository is marked as private. The fact that only people with access to the repository can see the strip event in the log and hence see the hash for the URL makes this slightly less dangerous.

      However, it is still surprising that everybody can download the bundle and I suggest that the URL is limited to the repository administrators, or perhaps just the one who made the strip.

      It would be nice to have a way to manage these backups – list them, permanently delete them, etc., but that is for another issue.
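
One way to express the restriction suggested in the report, as an added example that is not Bitbucket's code: the download is allowed only for repository administrators or the user who performed the strip, and every other request gets the same 404 so that knowing or guessing a hash confirms nothing. The `StripBackup` record, the lookup tables, the function name and the assumption that `<hash>` is 12 to 40 hex characters are all hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Mapping, Optional, Tuple, FrozenSet

# Path layout from the issue: /<user>/<repo>/admin/strip/<hash>-backup.hg
# Assumption: <hash> is a 12-40 character lowercase hex changeset id.
BACKUP_PATH = re.compile(
    r"^/(?P<owner>[^/]+)/(?P<repo>[^/]+)/admin/strip/"
    r"(?P<node>[0-9a-f]{12,40})-backup\.hg$"
)

@dataclass(frozen=True)
class StripBackup:
    """Hypothetical server-side record of one strip event."""
    owner: str
    repo: str
    node: str
    stripped_by: str

def authorize_backup_download(
    path: str,
    requester: Optional[str],  # None means an unauthenticated request
    backups: Mapping[Tuple[str, str, str], StripBackup],
    repo_admins: Mapping[Tuple[str, str], FrozenSet[str]],
) -> int:
    """Return 200 if the bundle may be served, otherwise 404.

    The decision depends on who is asking, never on knowing the hash.
    Malformed paths, unknown bundles and unauthorized users all get the
    same 404, so the endpoint does not reveal which hashes exist.
    """
    m = BACKUP_PATH.match(path)
    if m is None or requester is None:
        return 404
    backup = backups.get((m["owner"], m["repo"], m["node"]))
    if backup is None:
        return 404
    admins = repo_admins.get((backup.owner, backup.repo), frozenset())
    if requester in admins or requester == backup.stripped_by:
        return 200
    return 404

# Constructed sample data (not taken from the issue).
BACKUPS = {("alice", "proj", "0123456789ab"):
           StripBackup("alice", "proj", "0123456789ab", stripped_by="bob")}
ADMINS = {("alice", "proj"): frozenset({"alice"})}
URL = "/alice/proj/admin/strip/0123456789ab-backup.hg"
```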

          People

            93e1e5ba154a aiiie
            e07804f3a382 mg