1. Bitbucket
  2. Public Issue Tracker
  3. master
  4. Issues


Issue #8713 closed

Anyone can probe for private repos (BB-200)

Christian Ullrich
created an issue

There are different responses to requests for a nonexistent repo (404) vs. an existing, private repo (login page, possible access denied for authenticated and nonauthorized users). This allows anyone to probe for the existence of a private repository.

Comments (3)

  1. Zachary Davis

    As you note, this is not so straightforward. This is a long-standing question in the Bitbucket team and for the time-being we have decided to err on the side of not confusing people (but leaking information). I'll leave this open as a reference for other users, but at this time I don't think we plan on changing anything.

  2. Log in to comment