GitLab

added changelog

Long-running migrations may take more than the timeout allowed by
the database. Disable the session's statement timeout to ensure
migrations don't get killed prematurely.

* There where path where +1 was stored as +1 not as thumbsup
  that was causing problems such as showing thumbsup icon 2 time.
  I fixed this to always normalize and store +1 as tumbsup

1. Only on supported Chrome versions

2. Mainly, this lets us simplify the javascript-based U2F check to
   `window.u2f`, where `window.u2f` can either be loaded from the GitLab
   server (for Chrome) or from the Firefox extension.

3. This is a better way to provide browser detection for U2F.

This reverts commit 9ca633eb, reversing
changes made to fb229bbf.

Primarily just bug fixes.

Changelog: https://github.com/rails/rails/compare/v4.2.6...v4.2.7

Possible workaround for #15392

- Cherry-picked from `mvestergaard:branch-protection-dev-merge`
- https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/4220

[ci skip]

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/17877 .

This change adds 'defense in depth' against 'Host' HTTP header
injection. It affects normal users in the following way. Suppose your
GitLab server has IP address 1.2.3.4 and hostname gitlab.example.com.
Currently, if you enter 1.2.3.4 in your browser, you get redirected to
1.2.3.4/users/sign_in. After this change, you get redirected from
1.2.3.4 to gitlab.example.com/users/sign_in. This is because the
address you typed in the address bar of your browser ('1.2.3.4'),
which gets stored in the 'Host' header, is now being overwritten to
'gitlab.example.com' in NGINX.

In this change we also make NGINX clear the 'X-Forwarded-Host' header
because Ruby on Rails also uses that header the same wayas the 'Host'
header.

We think that for most GitLab servers this is the right behavior, and
if not then administrators can change this behavior themselves at the
NGINX level.

Due to a stale NFS cache, it's possible that a branch lookup fails
while `git gc` is running and causes missing branches in merge requests.

Possible workaround for #15392

have been fully redacted and contain cross-project references.

The previous implementation relied on Note#cross_reference_not_visible_for?,
which essentially tries to render all the Markdown references in a system note
and only displays the note if the user can see the referring project. But this
duplicated the work that Banzai::NotesRenderer was doing already. Instead, for
each note we render, we memoize the number of visible user references and
use it later if it is available.

Improves #19273