launchpad-dev team mailing list archive

Re: Disclosure bugs fixed in the last two weeks.

 

On 07/25/2012 07:17 PM, Diogo Matsubara wrote:
> Hi Curtis,
> 
> here are my findings for this round of exploratory testing:
> 
> https://bugs.launchpad.net/launchpad/+bug/1021129
> #1021129 URL auto-linking linkifies data: URLs
> 
> • I understand there's a sec vulnerability but from bug 276726's point
> of view, this fix is a regression. Is the plan to not linkify data:
> URLs anymore?

We will never linkify data:

> https://bugs.launchpad.net/launchpad/+bug/839436
> #839436 Bug privacy controls get confused after error
> 
> • I was unable to reproduce the issue described in the bug report but
> I ran into an interesting issue. If the bug has been converted to a
> question and you try to change the privacy of it, you get an error
> message stating that you don't have permission to do so, even though
> I'm a member of the security group.
> • Not exactly sure if the problem is related to a question or not, but
> it looks like I can't really change information type for bug 2112 on
> qastaging or production and on production this bug wasn't turned into
> a question.
> • After talking to Curtis, I filed
> https://bugs.launchpad.net/launchpad/+bug/1029093

This issue was caused because the page was on the main host, not the
bugs host. The browser failed the action because it was a cross-site
post. There was probably a change made several weeks ago that forced the
script to post to the bugs domain instead of relative from root.

> • I created a new project on qastaging
> https://qastaging.launchpad.net/private-branches
>   went to the +sharing page and added ~launchpad and shared everything
> with the team
>   I wanted to remove all the sharing for the team but when I select
> Nothing, nothing and nothing the select link is greyed out and if I
> click it nothing happens.

Use the (-) remove action to stop sharing private and private-security,
which will also remove the row from the table. You can set any one kind
of information to share to nothing, but if nothing is shared there is no
action to take. This is the same choice widget that governs bug status
and importance...you can choose what is already chosen.

> https://bugs.launchpad.net/launchpad/+bug/1012448
> #1012448 Revoking access to a branch doesn't remove subscriptions
> 
> • Created a private branch on qastaging.
>   subscribed a test user to the branch
>   went to the project's +sharing page and removed that user's access
>   the user can't access the branch anymore (LP returns the not allowed
> here page). Good.
>   the user is still listed as a subscriber in the branch

I believe the job to sync subscriptions to the sharing is not running on
qastaging :( The subscription does not work, the UI is lying and
ultimately creating anxiety. The job must be enabled on qastaging and
staging to ensure users see the truth.

> https://bugs.launchpad.net/launchpad/+bug/1020790
> #1020790 Information type widget on +filebug confuses users
> 
> • in a project with public bugs by default, if an error occurs filing
> a bug (e.g. user forgot to add a description to the bug report), and
> the security checkbox is checked, the banner at the top of the page
> saying the bug is a security vulnerability disappears

The view is not setting .private = true when the post back errors to
mirror the security checkbox. I reported
    https://bugs.launchpad.net/launchpad/+bug/1029524

> https://bugs.launchpad.net/launchpad/+bug/1024235
> #1024235 bug listings are not sortable by information type
> 
> • The text inside the information type square looks unaligned. It's
> too close to the bottom border, while status and importance look
> centralized

I reported
    https://bugs.launchpad.net/launchpad/+bug/1029526


-- 
Curtis Hovey
http://launchpad.net/~sinzui
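
The data: decision for bug #1021129 above, sketched as a scheme allowlist in an auto-linker. This is an added example, not Launchpad's code: the function name, regex, allowed schemes and sample text are assumptions made for illustration.

```python
import html
import re

# Assumption: an allowlist of schemes, so data: (and anything else not listed)
# is never turned into a link, instead of a denylist of known-bad schemes.
ALLOWED_SCHEMES = frozenset({"http", "https", "ftp"})

# Candidate token: an RFC 3986 scheme, a colon, then non-space, non-markup characters.
CANDIDATE = re.compile(r"\b([A-Za-z][A-Za-z0-9+.-]*):[^\s<>\"']+")
TRAILING_PUNCT = ".,;:!?)"

# Constructed sample comment text.
SAMPLE = ("See https://bugs.launchpad.net/launchpad/+bug/1021129, "
          "not data:text/html,<b>x</b> or DATA:text/plain,hi.")


def linkify(text):
    """Return HTML-escaped text with only allow-listed URLs wrapped in <a>."""
    out = []
    pos = 0
    for match in CANDIDATE.finditer(text):
        # Everything between candidates is emitted as escaped plain text.
        out.append(html.escape(text[pos:match.start()]))
        token = match.group(0)
        url = token.rstrip(TRAILING_PUNCT)   # sentence punctuation is not part of the URL
        tail = token[len(url):]
        scheme = match.group(1).lower()      # schemes are case-insensitive
        # Require "scheme://" so "http:foo" style tokens stay plain text too.
        if scheme in ALLOWED_SCHEMES and url[len(scheme) + 1:].startswith("//"):
            safe = html.escape(url, quote=True)
            out.append('<a rel="nofollow" href="%s">%s</a>' % (safe, safe))
        else:
            out.append(html.escape(url))
        out.append(html.escape(tail))
        pos = match.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


if __name__ == "__main__":
    print(linkify(SAMPLE))
```
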
