Hidden search results – answer

Michael Lefevre and mpt gave correct, but incomplete, answers to the question in my previous blog entry in their comments. Part of Michael's answer:

You'd have to work out which bits of closed bugs should be queryable (if you give any indication of a result based on, say, summary or comment queries, you could be disclosing important bits of the closed bug).

Indicating hidden results for a summary query would indeed disclose an important bit of the bug: its summary. First, the attacker would query for bugs with summaries starting with "a", "b", etc. Discovering that at least one hidden bug's summary begins with "b", the attacker would query for bugs whose summaries start with "ba", "bb", etc. After a few hundred more queries, the attacker would have the entire summary.

2 Responses to “Hidden search results – answer”

  1. Jeff Walden Says:

    Hmm, true.

    Now, if I’d read the previous entry closely enough to see that you weren’t just asking a rhetorical question, I *might* have been able to give it a try.

  2. Anonymous Says:

    If the search would assume that various bugzilla entries (like the summary) are blank, than this problem wouldn’t arise.