- 26 Apr, 2016 5 commits
-
-
Douwe Maan authored
This reverts commit 550f9a74.
-
Grzegorz Bizon authored
Fix vulnerability that leaks private labels and milestones This fixes vulnerability that leaks information about private labels and milestones because of insecure direct object reference in issueable create service. This affects merge requests and issues. See https://gitlab.com/gitlab-org/gitlab-ce/issues/15439 This MR introduces additional check that rejects labels and milestone that does not belong to the same project issue/merg request does. `IssuableBaseService` may benefit from encapsulating filters in separate class/module, which then may improve coherency in this class. Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15439 See merge request !1954 Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Rémy Coutable authored
Prevent users from deleting Webhooks via API they do not own Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15576 See merge request !1959 Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Robert Speicher authored
Prevent XSS via custom issue tracker URL Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/15437 See merge request !1955 Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Robert Speicher authored
Prevent information disclosure via milestone API Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15579 See merge request !1961
-
- 25 Apr, 2016 5 commits
-
-
Robert Speicher authored
Prevent information disclosure via new merge request page Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15591. See merge request !1963
-
Robert Speicher authored
Prevent privilege escalation via "impersonate" feature Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15548 See merge request !1956
-
Robert Speicher authored
Prevent information disclosure via snippet API Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15580 See merge request !1958
-
Jacob Schatz authored
Fixes XSS injection REF: https://gitlab.com/gitlab-org/gitlab-ce/issues/15434 **Without the fix** ![xss1](/uploads/0a7b0b15fb87066965a7c73f1dbaa815/xss1.gif) **With the fix** ![xss2](/uploads/473cfa0aa80656f24c58aebf1fd97fff/xss2.gif) See merge request !1952
-
Robert Speicher authored
Fixes window.opener bug Adds `noreferrer` value to rel attribute for external links REF: https://gitlab.com/gitlab-org/gitlab-ce/issues/15331 See merge request !1953
-
- 20 Apr, 2016 1 commit
-
-
Rémy Coutable authored
-
- 19 Apr, 2016 2 commits
-
-
Robert Speicher authored
-
-
- 07 Apr, 2016 2 commits
-
-
Robert Speicher authored
-
Rémy Coutable authored
Fix 2FA authentication spoofing Signed-off-by: Rémy Coutable <remy@rymai.me>
-
- 05 Apr, 2016 3 commits
-
-
Rémy Coutable authored
-
Rémy Coutable authored
[ci skip] Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Stan Hu authored
Closes #13957
-
- 17 Mar, 2016 3 commits
-
-
Robert Speicher authored
-
Robert Speicher authored
Bump Git version requirement to 2.7.4 (for 8.4) [ci skip] See merge request !3283
-
Douwe Maan authored
-
- 25 Feb, 2016 2 commits
-
-
Robert Speicher authored
-
Robert Speicher authored
[ci skip]
-
- 15 Feb, 2016 1 commit
-
-
Robert Speicher authored
Fix missing gitlab_git version bump Closes #13430 See merge request !2811
-
- 14 Feb, 2016 1 commit
-
-
Stan Hu authored
Closes #13430
-
- 10 Feb, 2016 2 commits
-
-
Robert Speicher authored
Bump gitlab_git to ~> 7.2.24 bump gitlab_git to ~> 7.2.24 (closes: #13245) See merge request !2772
-
Robert Speicher authored
-
- 09 Feb, 2016 4 commits
-
-
Robert Speicher authored
Add notice about variables in build log Related to: https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/1942 [ci skip] See merge request !2761
-
Robert Speicher authored
[ci skip]
-
Robert Speicher authored
Fix timeout issue for rake task gitlab:backup:create This is a fix for a database timeout which can occur when the backup create task is taking very long (1-2 hours). It seems that ActiveRecord is loosing the connection after a hour idleness and need to be reconnected before use. See merge request !2757
-
Pirate Praveen authored
-
- 08 Feb, 2016 3 commits
-
-
Robert Speicher authored
Limit guest access builds This is https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/1942 for ce-stable See merge request !1943
-
Kamil Trzcinski authored
-
Kamil Trzcinski authored
This solves https://dev.gitlab.org/gitlab/gitlabhq/issues/2646 1. This MR simplifies CI permission model: - read_build: allows to read a list of builds, artifacts and trace - update_build: allows to cancel and retry builds - admin_build: allows to manage triggers, runners and variables - read_commit_status: allows to read a list of commit statuses (including the status of a build, but doesn't allow to see a build details) - create_commit_status: allows to create a new commit status using API 2. I do make sure that the proper permissions are used in all places where the CI can be shown. 3. Add the `read_build` ability if user is anonymous or guest and allow_guest_to_access_builds is enabled. 4. Add CI setting: public_builds. 5. The artifacts specific permission are removed, since they are covered by `*_build`.
-
- 03 Feb, 2016 1 commit
-
-
Robert Speicher authored
Updated omniuath-saml to the latest version. See merge request !2684
-
- 02 Feb, 2016 3 commits
-
-
Robert Speicher authored
-
Robert Speicher authored
Allow manual resize of js-autosize textareas First, the autosize library was being too controlling and removed the `resize` property from any elements to which it was attached, removing the drag handle. We've disabled this behavior in the vendored library and added a spec to prevent a regression during an upgrade. Second, we detect (as best we can) when the user manually resizes an autosize textarea, and then remove the autosize behavior from it and increase its max-height. This should allow for the best of both worlds. Closes #12832 See merge request !2653
-
Yorick Peterse authored
Expand Git instrumentation This instruments some extra `Gitlab::Git` code as well as a collection of `Rugged` constants. See merge request !2664
-
- 01 Feb, 2016 2 commits
-
-
Drew Blessing authored
Increase LFS objects size column Fixes #12745 Increases the `size` column integer limit to an 8-byte integer. This allows for a max value of `9223372036854775807` which is 9,223,372,036 GB. That should do it
😃 I tested this by first reproducing the error (push a file larger than 2.1 GB). The error was: ``` RangeError (3145728000 is out of range for ActiveRecord::ConnectionAdapters::PostgreSQL::OID::Integer with limit 4): lib/gitlab/lfs/response.rb:232:in `store_file' lib/gitlab/lfs/response.rb:170:in `render_lfs_upload_ok' lib/gitlab/lfs/response.rb:51:in `block in render_storage_upload_store_response' lib/gitlab/lfs/response.rb:204:in `render_response_to_push' lib/gitlab/lfs/response.rb:50:in `render_storage_upload_store_response' lib/gitlab/lfs/router.rb:76:in `put_response' lib/gitlab/lfs/router.rb:20:in `try_call' lib/gitlab/backend/grack_auth.rb:41:in `call' lib/gitlab/backend/grack_auth.rb:18:in `call_with_kerberos_support' lib/gitlab/backend/grack_auth.rb:8:in `call' ``` Then I ran this migration and pushed the file again. It uploaded successfully. See merge request !2644 -
Robert Speicher authored
Backport LDAP user assignment changes from EE See https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/146 See merge request !2641
-