

Issue #2618 resolved

Backup bundle after strip is public (BB-1474)

Martin Geisler
created an issue

When you strip a changeset, the backup bundle can be downloaded from https://bitbucket.org/<user>/<repo>/admin/strip/<hash>-backup.hg. This URL is public -- everybody can download the bundle, even if the repository is marked as private. The fact that only people with access to the repository can see the strip event in the log and hence see the hash for the URL makes this slightly less dangerous.

However, it is still surprising that everybody can download the bundle and I suggest that the URL is limited to the repository administrators, or perhaps just the one who made the strip.

It would be nice to have a way to manage these backups -- list them, permanently delete them, etc, but that is for another issue.
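A way to check the access control described in this report, added here as an example and not code from Bitbucket or from the reporter: request the backup-bundle URL anonymously (no session cookie, no redirect following) and classify the reply. A 200 whose body starts with a Mercurial bundle header ("HG10" plus a compression tag for bundle1, "HG20" for bundle2) means the bundle is served to anyone; a redirect to a sign-in page or a 401/403/404 means it is gated. The URL layout follows the report; the sample replies are constructed, and the probe() helper only touches the network when run from the command line.

```python
"""Anonymous probe for Mercurial strip-backup bundle URLs (added example).

classify() is pure and is exercised on constructed replies; probe() issues a
real request without cookies and without following redirects, so a sign-in
redirect (such as Location: /account/signin/?next=...) is visible as-is.
"""
import sys
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Leading bytes of a Mercurial bundle file: bundle1 is "HG10" followed by the
# compression tag ("BZ", "GZ" or "UN"); bundle2 begins with "HG20".
BUNDLE_MAGIC = (b"HG10BZ", b"HG10GZ", b"HG10UN", b"HG20")

REDIRECT_CODES = (301, 302, 303, 307, 308)


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx replies; let urllib raise HTTPError so the caller
    sees the original status and Location header."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, headers, body_prefix):
    """Classify one reply.

    headers: dict with lower-case keys; body_prefix: first bytes of the body.
    Returns "exposed", "protected" or "unknown".
    """
    if status == 200 and body_prefix.startswith(BUNDLE_MAGIC):
        return "exposed"           # a real bundle was handed to an anonymous client
    if status in REDIRECT_CODES:
        path = urlparse(headers.get("location", "")).path.lower()
        if "signin" in path or "login" in path:
            return "protected"     # bounced to the sign-in page
        return "unknown"
    if status in (401, 403, 404):
        return "protected"
    return "unknown"               # e.g. 200 with an HTML page, not a bundle


def probe(url, timeout=10):
    """Fetch url anonymously and return (status, classification)."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "bundle-probe/1"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            status = resp.status
            headers = {k.lower(): v for k, v in resp.headers.items()}
            prefix = resp.read(8)
    except urllib.error.HTTPError as e:   # raised for 3xx (unfollowed) and 4xx/5xx
        status = e.code
        headers = {k.lower(): v for k, v in e.headers.items()}
        prefix = e.read(8)
    return status, classify(status, headers, prefix)


def classify_samples():
    """Run classify() over constructed replies modelled on the report."""
    samples = {
        # The redirect shown in the first comment: anonymous client sent to sign in.
        "signin_redirect": (302, {"location":
            "https://bitbucket.org/account/signin/?next=/brodie/test/admin/strip/c1f55477b9a7-backup.hg"},
            b""),
        # What the reporter saw: the bzip2-compressed bundle itself (constructed bytes).
        "bundle_served": (200, {"content-type": "application/octet-stream"},
                          b"HG10BZBZh91AY&SY"),
        # A 200 that is really an HTML page is not proof of exposure.
        "html_page": (200, {"content-type": "text/html"}, b"<!DOCTYPE"),
        "forbidden": (403, {}, b""),
    }
    return {name: classify(*reply) for name, reply in samples.items()}


if __name__ == "__main__":
    # Usage: python probe.py https://bitbucket.org/<user>/<repo>/admin/strip/<hash>-backup.hg ...
    for url in sys.argv[1:]:
        status, verdict = probe(url)
        print(f"{status} {verdict:9s} {url}")
```

Run it against a backup URL of a private repository from a machine with no Bitbucket session; anything other than "protected" for that URL is the condition the report describes.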

Comments (3)

  1. Brodie Rao

    Can you provide an example where this happens? I'm unable to reproduce it:

    $ curl -i https://bitbucket.org/brodie/test/admin/strip/c1f55477b9a7-backup.hg
    HTTP/1.1 302 FOUND
    Server: nginx/0.7.67
    Date: Tue, 29 Mar 2011 18:52:08 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Cookie
    Location: https://bitbucket.org/account/signin/?next=/brodie/test/admin/strip/c1f55477b9a7-backup.hg

    Note that it's asking me to sign in before I can download it.

  2. Martin Geisler reporter

    How peculiar... I tested it with

     wget https://bitbucket.org/mg/tag-strip-test/admin/strip/5e1c344d1b44-backup.hg

    and I was able to download the bundle a couple of days ago on the 26th. Now I'm also redirected to the login page.
