- 14 Jun, 2016 3 commits
-
-
Robert Speicher authored
Forbid scripting for wiki files

Wiki files (not pages - files in the repo) are just sent to the browser with whatever content-type the mime_types gem assigns to them based on their extension. As this is from the same domain as the GitLab application, this is an XSS vulnerability.

Set a CSP forbidding all sources for scripting, CSS, XHR, etc. on these files.

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/17298.

See merge request !1969
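The pattern the commit describes, as an added example that is not GitLab's code: a raw wiki file is served with a content-type derived from its extension, and the response carries a Content-Security-Policy that permits no sources at all, so an HTML or SVG file stored in the wiki repository cannot execute script in the application's origin. The extension table is a constructed stand-in for the mime_types gem lookup, and the `X-Content-Type-Options` header is an extra hardening added here, not something the commit mentions.

```ruby
# Added example, not GitLab's code. The extension -> type table is a
# constructed stand-in for the mime_types gem lookup the commit refers to.
MIME_BY_EXT = {
  'html' => 'text/html',
  'svg'  => 'image/svg+xml',
  'png'  => 'image/png',
  'txt'  => 'text/plain',
}.freeze

# Deny scripts, styles, XHR, images, fonts, plugins, frames and form posts.
# Because nothing is permitted, active content in the file is inert even
# though the response comes from the application's own origin.
RAW_FILE_CSP = "default-src 'none'; script-src 'none'; style-src 'none'; " \
               "connect-src 'none'; img-src 'none'; font-src 'none'; " \
               "object-src 'none'; frame-src 'none'; form-action 'none'".freeze

def content_type_for(filename)
  ext = File.extname(filename).delete('.').downcase
  MIME_BY_EXT.fetch(ext, 'application/octet-stream')
end

# Pre-fix shape: the content-type from the extension and nothing else, so a
# text/html file is rendered as a page of the GitLab origin.
def legacy_file_headers(filename)
  { 'Content-Type' => content_type_for(filename) }
end

# Hardened shape: same content-type plus the deny-all CSP.
# X-Content-Type-Options is an additional hardening in this example
# (it stops MIME sniffing); the commit itself only describes the CSP.
def raw_file_headers(filename)
  legacy_file_headers(filename).merge(
    'Content-Security-Policy' => RAW_FILE_CSP,
    'X-Content-Type-Options'  => 'nosniff'
  )
end

# Parse a CSP header value into { directive => [sources] }.
def parse_csp(value)
  value.to_s.split(';').each_with_object({}) do |directive, acc|
    name, *sources = directive.strip.split(/\s+/)
    acc[name] = sources if name
  end
end

# True if the response forbids script execution: the effective script policy
# (script-src, falling back to default-src) must be exactly 'none'.
def csp_blocks_scripts?(headers)
  policy = parse_csp(headers['Content-Security-Policy'])
  effective = policy['script-src'] || policy['default-src']
  effective == ["'none'"]
end
```

`csp_blocks_scripts?` is the check a reviewer can run against a captured response: it resolves the fallback from `script-src` to `default-src`, so a policy that sets only `default-src 'none'` still passes, while a response with no CSP at all fails.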
-
Tomasz Maczukin authored
-
Douwe Maan authored
Remove 'unscoped' from project builds selection

This is a fix for this security bug: https://gitlab.com/gitlab-org/gitlab-ce/issues/18188

/cc @kamil @grzegorz @stanhu

See merge request !1968
-
- 27 Apr, 2016 1 commit
-
-
Robert Speicher authored
-
- 26 Apr, 2016 8 commits
-
-
Robert Speicher authored
[ci skip]
-
Robert Speicher authored
Prevent privilege escalation via notes API Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15577 See merge request !1964
-
Robert Speicher authored
-
Robert Speicher authored
Prevent information disclosure via new merge request page Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15591. See merge request !1963 Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Grzegorz Bizon authored
Fix vulnerability that leaks private labels and milestones

This fixes a vulnerability that leaks information about private labels and milestones because of an insecure direct object reference in the issuable create service. This affects merge requests and issues.

See https://gitlab.com/gitlab-org/gitlab-ce/issues/15439

This MR introduces an additional check that rejects labels and milestones that do not belong to the same project as the issue/merge request does.

`IssuableBaseService` may benefit from encapsulating filters in a separate class/module, which then may improve coherency in this class.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15439

See merge request !1954

Signed-off-by: Rémy Coutable <remy@rymai.me>
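The check this commit adds, as an added example written for this page rather than GitLab's own `IssuableBaseService`: the client supplies label and milestone ids, and the vulnerable shape looks them up globally, so an id from another project is accepted and its title is then shown on the new issue. The hardened shape only keeps ids that belong to the project the issuable is created in. Projects, labels and milestones are plain structs over a constructed fixture, and labels are assumed to be project-scoped, as the commit describes.

```ruby
# Added example, not GitLab's code. In-memory stand-ins for the records.
Project   = Struct.new(:id, :name)
Label     = Struct.new(:id, :project_id, :title)
Milestone = Struct.new(:id, :project_id, :title)

# Constructed fixture: project 2 is private to another team.
PROJECTS = [Project.new(1, 'public-app'), Project.new(2, 'secret-roadmap')].freeze
LABELS = [
  Label.new(10, 1, 'bug'),
  Label.new(11, 1, 'feature'),
  Label.new(20, 2, 'acquisition-target'),   # private label of project 2
].freeze
MILESTONES = [
  Milestone.new(100, 1, 'v1.0'),
  Milestone.new(200, 2, 'Project Phoenix'), # private milestone of project 2
].freeze

# Vulnerable shape: trusts the ids the client sent and resolves them
# globally. A user of project 1 who guesses id 20 or 200 learns the title.
def assign_unfiltered(params)
  wanted = Array(params[:label_ids]).map(&:to_i)
  {
    labels:    LABELS.select { |l| wanted.include?(l.id) },
    milestone: MILESTONES.find { |m| m.id == params[:milestone_id].to_i }
  }
end

# Hardened shape: resolve ids only within the target project. Foreign ids
# are dropped, so nothing about other projects' records reaches the response.
def filter_params(project, params)
  wanted = Array(params[:label_ids]).map(&:to_i)
  labels = LABELS.select { |l| l.project_id == project.id && wanted.include?(l.id) }
  milestone = MILESTONES.find do |m|
    m.project_id == project.id && m.id == params[:milestone_id].to_i
  end
  { labels: labels, milestone: milestone }
end

# What an issue page would render after creation: titles of what was attached.
def rendered_titles(assignment)
  titles = assignment[:labels].map(&:title)
  titles << assignment[:milestone].title if assignment[:milestone]
  titles
end
```

The filter is applied against the project of the issuable being created, not against the ids' own owners, which is the point: the caller never gets to pick the scope. A reviewer would also confirm the update path applies the same filter, since the commit message only names the create service.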
-
Robert Speicher authored
Prevent information disclosure via snippet API Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15580 See merge request !1958 Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Rémy Coutable authored
Prevent users from deleting Webhooks via API they do not own Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15576 See merge request !1959 Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Robert Speicher authored
-
- 25 Apr, 2016 2 commits
-
-
Robert Speicher authored
Prevent privilege escalation via "impersonate" feature Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15548 See merge request !1956
-
Robert Speicher authored
Fixes window.opener bug

Adds `noreferrer` value to rel attribute for external links

REF: https://gitlab.com/gitlab-org/gitlab-ce/issues/15331

See merge request !1953
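A server-side rewrite of the kind the commit describes, as an added example and not GitLab's own link rendering: every anchor whose `href` leaves the application host gets `noreferrer` in its `rel` attribute, which also detaches `window.opener` in browsers, so a page opened from a link cannot navigate the GitLab tab. `noopener` is added alongside it here as an explicit extra; the commit mentions only `noreferrer`. The application host is an assumption, and the rewrite is a regex pass over double-quoted attributes, sufficient for the markup the example constructs.

```ruby
# Added example, not GitLab's code. Assumed application host.
require 'uri'

APP_HOST = 'gitlab.example.com'.freeze

# True for links that leave the application origin. Relative links and links
# to APP_HOST are internal; anything URI cannot parse is treated as external.
def external_link?(href, app_host = APP_HOST)
  uri = URI.parse(href)
  return false if uri.host.nil?
  uri.host.casecmp(app_host) != 0
rescue URI::InvalidURIError
  true
end

# Merge the required tokens into an existing rel value without duplicates.
def merged_rel(existing)
  (existing.to_s.split + %w[noopener noreferrer]).uniq.join(' ')
end

# Rewrite each <a ...> tag with an external href so it carries
# rel="noopener noreferrer". Internal and relative links are left untouched.
def harden_external_links(html)
  html.gsub(/<a\b[^>]*>/i) do |tag|
    href = tag[/\bhref="([^"]*)"/i, 1]
    next tag if href.nil? || !external_link?(href)

    rel = tag[/\brel="([^"]*)"/i, 1]
    if rel
      tag.sub(/\brel="[^"]*"/i, "rel=\"#{merged_rel(rel)}\"")
    else
      tag.sub(/>\z/, " rel=\"#{merged_rel(nil)}\">")
    end
  end
end
```

Existing `rel` tokens such as `nofollow` are preserved, since dropping them would change crawler behaviour as a side effect of a security fix.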
-
- 17 Mar, 2016 3 commits
-
-
Robert Speicher authored
-
Robert Speicher authored
Bump Git version requirement to 2.7.4 (for 8.2) [ci skip] See merge request !3285
-
Douwe Maan authored
-
- 15 Dec, 2015 1 commit
-
-
Douwe Maan authored
Fix note polling Closes #4032 See merge request !2084
-
- 10 Dec, 2015 3 commits
-
-
Robert Speicher authored
-
Robert Speicher authored
[ci skip]
-
Robert Speicher authored
Enable Devise paranoid mode and ensure the returned message is the same every time.

This will prevent user enumeration (low impact). Prior to this change a user could type an email in the password reset field and if the email didn't exist it returned an error. If the email was valid it returned a message saying the forgot password link had been emailed. After this change the user will receive a message that if the email is in our database the reset link will be emailed.

I also changed the throttle mechanism so it still works the same but now returns the exact same message as above. Previously it would say 'You've already sent a request. Wait a few minutes'. This also allows user enumeration, although it requires a double-check.

Related to https://dev.gitlab.org/gitlab/gitlabhq/issues/2624

See merge request !2044
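The two behaviours the commit contrasts, modelled in plain Ruby as an added example (this is not Devise's code and not GitLab's): the leaky handler returns three distinguishable responses (unknown email, throttled, sent), while the paranoid handler returns one fixed message on every path and keeps the "did we actually send" decision as an internal side effect. The user store, the throttle window and the neutral message text are constructed for the example.

```ruby
# Added example, not GitLab's or Devise's code.
require 'securerandom'

# Constructed user store: the only fact an attacker could probe is whether
# an address is a key here.
USERS = { 'alice@example.com' => { id: 1 } }.freeze

# One message for every outcome, so the body never says whether the address
# exists or whether a reset was recently requested.
NEUTRAL_MESSAGE = 'If your email address exists in our database, you will ' \
                  'receive a password recovery link at your email address ' \
                  'in a few minutes.'.freeze

THROTTLE_SECONDS = 120

def throttled?(recent, email, now)
  last = recent[email]
  !last.nil? && (now - last) < THROTTLE_SECONDS
end

# Pre-fix behaviour: the response differs by outcome, which is an oracle.
def reset_password_leaky(email, recent, now = Time.now)
  return [:error, 'Email not found'] unless USERS.key?(email)
  return [:error, "You've already sent a request. Wait a few minutes"] if throttled?(recent, email, now)

  recent[email] = now
  [:ok, 'Password reset link sent']
end

# Hardened behaviour: identical status and message on every path. `mailer`
# (an assumed callable) is invoked only for existing, unthrottled users, and
# nothing about that decision is reflected in the return value.
def reset_password_paranoid(email, recent, now = Time.now, mailer = nil)
  if USERS.key?(email) && !throttled?(recent, email, now)
    recent[email] = now
    token = SecureRandom.hex(16)
    mailer.call(email, token) if mailer
  end
  [:ok, NEUTRAL_MESSAGE]
end

# The probe a tester runs: do a known and an unknown address get different
# responses from the handler?
def distinguishable?(handler, known, unknown)
  recent = {}
  handler.call(known, recent) != handler.call(unknown, recent)
end
```

Equalising the response body removes the direct oracle; it does not remove timing differences (the existing-user path does more work), which a paranoid-mode setting does not address either and which would need separate treatment.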
-
- 09 Dec, 2015 1 commit
-
-
Robert Speicher authored
Use YAML.safe_load See merge request !1941
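What `YAML.safe_load` changes, as an added example (not the code this merge request touched): the loader accepts only plain scalars, arrays and hashes and raises `Psych::DisallowedClass` for any document that asks for a Ruby class via a `!ruby/object:` tag or a symbol, instead of instantiating it. The YAML documents below are constructed for the example; the tagged one names `OpenStruct` only as an illustration of the tag syntax.

```ruby
# Added example, not GitLab's code.
require 'yaml'

# Constructed inputs: a benign config, a document carrying a Ruby object tag,
# and one that would deserialise a Symbol.
BENIGN_YAML  = "---\nname: release\nretries: 3\ntags:\n  - a\n  - b\n".freeze
TAGGED_YAML  = "--- !ruby/object:OpenStruct\ntable: {}\n".freeze
SYMBOL_YAML  = "mode: :verbose\n".freeze

# Returns [:ok, data] for plain data, [:rejected, class_name] when the
# document needs a class the safe loader does not permit, and
# [:malformed, message] for a syntax error. Nothing is instantiated on
# rejection: the restricted class loader raises before any lookup.
def load_config(text)
  [:ok, YAML.safe_load(text)]
rescue Psych::DisallowedClass => e
  [:rejected, e.message]
rescue Psych::SyntaxError => e
  [:malformed, e.message]
end

# Convenience check for a config pipeline: true only when the document is
# plain data.
def plain_data?(text)
  load_config(text).first == :ok
end
```

If a config legitimately needs symbols or dates, pass them explicitly through the loader's permitted-classes option rather than falling back to the unrestricted loader; the keyword spelling of that option differs between Psych versions, so this example stays with the argument-free form.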
-
- 08 Dec, 2015 1 commit
-
-
Douwe Maan authored
Fix 500 error when creating a merge request that removes a submodule Fixes #3476 See merge request !1989
-
- 07 Dec, 2015 4 commits
-
-
Robert Speicher authored
[ci skip]
-
Grzegorz Bizon authored
Fix problems with award-emoji-only comment

This fixes a conflict between a note with only a single emoji in its content and the award-emoji mechanism.

Closes #3734

cc @vsizov

See merge request !1936
-
Valery Sizov authored
Add added, modified and removed properties to commit object in webhook https://gitlab.com/gitlab-org/gitlab-ee/issues/20 See merge request !1988
-
Douwe Maan authored
Fix Error 500 when creating global milestones with Unicode characters

Two issues:

1. The constraints in the resources were incorrect. Here's what it was before:

```
group_milestone GET /groups/:group_id/milestones/:id(.:format) groups/milestones#show {:id=>/[a-zA-Z.0-9_\-]+(?<!\.atom)/, :group_id=>/[a-zA-Z.0-9_\-]+(?<!\.atom)/}
```

In this case, id is actually the title of the milestone, which can be anything at the moment. After:

```
group_milestone GET /groups/:group_id/milestones/:id(.:format) groups/milestones#show {:id=>/[^\/]+/, :group_id=>/[a-zA-Z.0-9_\-]+(?<!\.atom)/}
```

2. `parameterize` would strip all Unicode characters, leaving a blank string. Rails would report something like:

```
ActionView::Template::Error (No route matches {:action=>"show", :controller=>"groups/milestones", :group_id=>#<Group id: 48, name: "ops-dev", path: "ops-dev", owner_id: nil, created_at: "2015-11-15 08:55:30", updated_at: "2015-12-02 06:23:26", type: "Group", description: "", avatar: "sha1.c71e73d51af1865c1bbbf6208e10044d46c9bb93.png", public: false>, :id=>"", :title=>"肯定不是中文的问题"} missing required keys: [:id]):
```

This change uses the babosa library to create a better slug, which surprisingly isn't actually used by the global milestone controllers. Instead, they use the title passed as a query string for some reason.

Closes https://github.com/gitlabhq/gitlabhq/issues/9881

See merge request !1983
-
- 05 Dec, 2015 1 commit
-
-
Job van der Voort authored
fixed the documentation of the Guest role in permission.md

This MR fixes the documentation of the Guest role.

closes gitlab-org/gitlab-ce#3777

[ci skip]

See merge request !1952
-
- 04 Dec, 2015 1 commit
-
-
Dmitriy Zaporozhets authored
Fix application settings cache not expiring after changes

cache_key is an instance method that relies on updated_at. When changes were made, the time-dependent key was being used instead of X.application_setting.last.

Closes #3609

See merge request !1972
-
- 02 Dec, 2015 2 commits
-
-
Robert Speicher authored
-
Dmitriy Zaporozhets authored
Show Gmail actions links only on expected set of emails See merge request !1901
-
- 01 Dec, 2015 1 commit
-
-
Robert Speicher authored
Install gitlab-shell 2.6.8 in installations from source [ci skip] See merge request !1932
-
- 30 Nov, 2015 5 commits
-
-
Valery Sizov authored
Fire update hook from GitLab https://gitlab.com/gitlab-org/gitlab-ce/issues/3069 See merge request !1882
-
Robert Speicher authored
[ci skip]
-
Robert Speicher authored
See merge request !1916
-
Dmitriy Zaporozhets authored
Fix Error 500 when viewing user's personal projects from admin page

This is a regression introduced in 4d7f00fd.

Closes #3680
Closes https://github.com/gitlabhq/gitlabhq/issues/9861
Closes gitlab-org/gitlab-ee#90

See merge request !1909
-
-
- 27 Nov, 2015 3 commits
-
-
Robert Speicher authored
-
Douwe Maan authored
-
Robert Speicher authored
Nginx workhorse upload limit See merge request !1919
-