Details
-
Type:
Bug
-
Status: Closed
-
Priority:
Minor
-
Resolution: Won't Fix
-
Affects Version/s: 3.0.0-m4
-
Fix Version/s: None
-
Component/s: Security, Support Tools
-
Labels:None
-
Environment:Chrome, FF MacOSX
Description
I noticed that when logged out of Nexus and hitting a valid describe URL (default directory or an uploaded file), that there's no response section is displayed.
When hitting an invalid describe URL, the 404 response is displayed.
When logged in all proper responses are displayed.
Mentioned this to Michael Prescott and he seemed surprised by this. I can see why, from a security standpoint through not saying something, we're actually saying something (no results meaning there's valid data in this case).
I mentioned checking vs NX2 and he lead me to believe it's innards are different enough not to check, so I'm just filing for discussion at triage.
Examples:
Valid= http://localhost:8081/repository/nuget-hosted/?describe
Invalid= http://localhost:8081/repository/nuget-hosted/SONATYPE.TEST/1.0/giraffe/?describe