Code review comment for lp:~adeuring/launchpad/bug-39674-update-retricted-flag-of-private-bugattachments

Abel Deuring (adeuring) wrote :

On 03.08.2010 00:36, Robert Collins wrote:
> Review: Needs Fixing
> So, we have a problem here - making user content visible in the launchpad.net domain is a huge security hole - we can't do it at all safely - we need to either:
> - set content-disposition: attachment
> - serve the content from a different domain (I have a proof of concept branch working on this).

Could you elaborate a bit on what the security hole is?

(and, BTW, I'm using the standard pattern for proxied LFAs, so, if they
have a security problem, this problem exists too in other places where
restricted LFAs are used. And while these other use cases may not be as
problematic as a core dump file visible to the wrong person, the current
situation is worse for bug attachments: All of them are public.)

>
> So, while this is slightly the wrong venue, we need to ensure that one of the two above things happens *before* any private bug attachments are served.

As I wrote above -- we have been serving them completely unrestricted for years...
