Details
Bug
Resolution: Fixed
Medium
Description
I would say this is a security issue.
This is not a standard situation, as your commit is used in a private repository where you don't have access.
A way to reproduce this is to use Symfony2 Standard as a base of your private application. Importing the commit history of Symfony2 into your repo will show your newly created repo to every contributor to the Symfony2 Standard repository who has an account on BitBucket (and probably other open source projects).
For example, right now I can see in "Recent activity" that I have
"committed to symfony-mlk
e7b7b0f36646 replaced app/bootstrap wildcard with explicit entry this could be done as app/bootstrap_cache.php.cache is no longer created and used (see 8a7be4fdcac34685757439f86fbd64bee6643cc8) 3 days ago"
"symfony-mlk" is a private repo which is not mine and I am not allowed to view it - so I shouldn't even see the name of this repo in my activity stream and know when this repository was updated to my commit from the Symfony2 repo. This may be a security risk for currently deployed projects with a readable repo name (e.g. host name = repo name).