Details
- Bug
- Resolution: Fixed
- Medium
Description
When you strip a changeset, the backup bundle can be downloaded from
{{{
https://bitbucket.org/<user>/<repo>/admin/strip/<hash>-backup.hg
}}}
This URL is public – everybody can download the bundle, even if the repository is marked as private. The fact that only people with access to the repository can see the strip event in the log and hence see the hash for the URL makes this slightly less dangerous.
However, it is still surprising that everybody can download the bundle and I suggest that the URL is limited to the repository administrators, or perhaps just the one who made the strip.
It would be nice to have a way to manage these backups – list them, permanently delete them, etc. – but that is for another issue.
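The access-control gap described in this report, as an added example that is not Bitbucket's own code: the first check models the reported behaviour, where the unguessable `<hash>` in the URL is the only gate and the requesting user is never consulted, so anyone who obtains the hash can fetch the bundle from a private repository; the second models the suggested fix, requiring an authenticated repository administrator (or, optionally, the user who performed the strip). The repository, user names and changeset hash are constructed for the example, and the function and class names are illustrative assumptions.

```python
"""Access-control model for a repository 'strip backup' download endpoint.

Added example (not Bitbucket's code). Contrasts a hash-only gate with a
hardened check that also requires an authenticated admin or the stripper.
All repository, user and hash values below are constructed.
"""
import hmac
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Repo:
    owner: str
    name: str
    private: bool
    admins: FrozenSet[str]
    readers: FrozenSet[str]  # non-admin users with read access

    def can_read(self, user: Optional[str]) -> bool:
        """Read access: public repos are open; private ones need a listed user."""
        if not self.private:
            return True
        return user is not None and (user in self.admins or user in self.readers)


@dataclass(frozen=True)
class StripBackup:
    repo: Repo
    changeset: str    # the <hash> in .../admin/strip/<hash>-backup.hg
    stripped_by: str  # user who performed the strip

    def url(self) -> str:
        return (f"https://bitbucket.org/{self.repo.owner}/{self.repo.name}"
                f"/admin/strip/{self.changeset}-backup.hg")


def hash_matches(backup: StripBackup, presented: str) -> bool:
    """Constant-time comparison so the lookup does not leak the hash via timing."""
    return hmac.compare_digest(backup.changeset, presented)


def vulnerable_can_download(backup: StripBackup, user: Optional[str],
                            presented_hash: str) -> bool:
    """Reported behaviour: the hash is the only gate; `user` is ignored, so an
    anonymous request with a leaked hash succeeds even on a private repo."""
    return hash_matches(backup, presented_hash)


def hardened_can_download(backup: StripBackup, user: Optional[str],
                          presented_hash: str, allow_stripper: bool = True) -> bool:
    """Suggested fix: unknown hash -> deny (serve a 404 regardless of caller);
    unauthenticated -> deny; otherwise allow repo admins and, optionally,
    the user who made the strip."""
    if not hash_matches(backup, presented_hash):
        return False
    if user is None:
        return False
    if user in backup.repo.admins:
        return True
    return allow_stripper and user == backup.stripped_by


def can_learn_hash(backup: StripBackup, user: Optional[str]) -> bool:
    """Who can discover the hash legitimately: anyone who can see the strip
    event in the repository log, i.e. anyone with read access."""
    return backup.repo.can_read(user)


# Constructed fixture: a private repo with one admin and one plain reader.
EXAMPLE_REPO = Repo(owner="acme", name="secret-tool", private=True,
                    admins=frozenset({"alice"}), readers=frozenset({"bob"}))
EXAMPLE_BACKUP = StripBackup(repo=EXAMPLE_REPO,
                             changeset="3f1b9c0d7e2a4b5c6d8e9f0a1b2c3d4e5f6a7b8c",
                             stripped_by="alice")

if __name__ == "__main__":
    h = EXAMPLE_BACKUP.changeset
    print("URL:", EXAMPLE_BACKUP.url())
    for who in (None, "bob", "alice", "mallory"):
        print(f"{who or 'anonymous':>9}: sees hash={can_learn_hash(EXAMPLE_BACKUP, who)!s:5} "
              f"vulnerable={vulnerable_can_download(EXAMPLE_BACKUP, who, h)!s:5} "
              f"hardened={hardened_can_download(EXAMPLE_BACKUP, who, h)}")
```

The `mallory` row is the case the report worries about: an outsider who cannot see the log but has been handed the hash (a pasted link, a leaked log line) downloads the bundle under the hash-only gate and is refused under the hardened one. The `bob` row shows the secondary point that even a legitimate reader who can see the strip event is not an administrator and need not be able to fetch the backup.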