- 24 Mar, 2015 13 commits
- Dmitriy Zaporozhets authored: Reduce Rack Attack false positives causing 403 errors during HTTP authentication

  ### What does this MR do?

  This MR reduces false positives causing `403 Forbidden` messages after HTTP authentication. A Git client may attempt to access a repository without a password. If it receives a 401 error, the client often will try again, this time supplying a password. The problem is that `grack_auth.rb` considers a blank password an authentication failure and increases a Redis counter each time this happens. With enough requests, an IP can be banned temporarily even though previous attempts may have been successful. This leads users to see `403 Forbidden` errors until the ban times out (default: 1 hour).

  To reduce the chance of a false positive, this MR resets the counter upon a successful authentication from an IP. In addition, this MR logs when a user has been banned and introduces the ability to disable Rack Attack via a config variable.

  ### Are there points in the code the reviewer needs to double check?

  rack-attack v4.2.0 doesn't support the ability to clear counters out of the box, so `rack_attack_helpers.rb` includes a number of monkey patches to make it work. It looks like this functionality may be added in v4.3.0. I've also sent pull requests to rack-attack to add the functionality necessary to delete a key.

  Each time an authentication is successful, the Redis counter for that IP is cleared. I deemed it better to clear the counter than to allow for blank passwords, since the latter seems like a security risk.

  ### Why was this MR needed?

  It was quite difficult to figure out why users were seeing `403 Forbidden`, which is why the log message was added. Users were getting a lot of false positives when accessing repositories with HTTPS. Including the username in the HTTPS URL (e.g. `https://username@mydomain.com/account/repo.git`) caused authentication failures because while the git client provided the username, it left the password blank, leading to an authentication failure.

  ### What are the relevant issue numbers / [Feature requests](http://feedback.gitlab.com/)?

  See Issue #1171, https://github.com/kickstarter/rack-attack/issues/113

  See merge request !392
- Dmitriy Zaporozhets authored: Make sure issue assignee is properly reset.

  Previously, when the assignee was reset via the sidebar or bulk edit, `assignee_id` was set to `-1` rather than `null`, which caused the two issues shown below:

  ![Screen_Shot_2015-03-24_at_16.52.13](https://gitlab.com/gitlab-org/gitlab-ce/uploads/3c937795c45031c3c72c124ced866598/Screen_Shot_2015-03-24_at_16.52.13.png)

  - A "(deleted)" participant
  - An empty selectbox in the sidebar, instead of "Select assignee"

  See merge request !443
- Robert Schilling authored: Remove duplicate CHANGELOG items for v7.8.0 [ci skip]

  See merge request !447
- Dmitriy Zaporozhets authored: Fix nested task lists

  When nesting task list items, the parent item is wrapped in a `<p>` tag. Update the task list parser to handle these paragraph wrappers.

  cc @sytse

  See merge request !413
- Aurelio Jargas authored: [ci skip]
- Douwe Maan authored
- Douwe Maan authored
- Stan Hu authored: successful Git over HTTP authentication. Add logging when a ban goes into effect for debugging. Issue #1171
- Dmitriy Zaporozhets authored
- Dmitriy Zaporozhets authored: Don't mark merge request as updated when merge status relative to target branch changes.

  Addresses https://gitlab.com/gitlab-org/gitlab-ce/issues/1254 and private issue https://dev.gitlab.org/gitlab/gitlabhq/issues/2165.

  See merge request !431
- Dmitriy Zaporozhets authored
- Dmitriy Zaporozhets authored: Don't include system notes in issue/MR comment count.

  Addresses private issue https://dev.gitlab.org/gitlab/gitlabhq/issues/2163.

  See merge request !430
- Dmitriy Zaporozhets authored: Fix file mode going to next line in diff header

  See merge request !432
- 23 Mar, 2015 27 commits
- Douwe Maan authored: Don't use required keyword arguments to maintain support for Ruby 2.0.

  See merge request !433
- Douwe Maan authored: This reverts commit af522ede.
- Douwe Maan authored
- Robert Schilling authored: Change comment in blue ui to match other scss
- hebbet authored: Change comment in blue ui to match other scss files
- Dmitriy Zaporozhets authored: Send EmailsOnPush email when branch or tag is created or deleted.

  Addresses #1951, #1957 and #1925.

  ![Screen_Shot_2015-03-17_at_13.58.15](https://dev.gitlab.org/gitlab/gitlabhq/uploads/16ff25adb4b4a7e1923612e0652442b4/Screen_Shot_2015-03-17_at_13.58.15.png)
  ![Screen_Shot_2015-03-17_at_13.58.22](https://dev.gitlab.org/gitlab/gitlabhq/uploads/e346c1d84aba3a093b722d0a4167e289/Screen_Shot_2015-03-17_at_13.58.22.png)
  ![Screen_Shot_2015-03-17_at_13.58.28](https://dev.gitlab.org/gitlab/gitlabhq/uploads/720437ecc13f317c6d20eff82ac60bd7/Screen_Shot_2015-03-17_at_13.58.28.png)
  ![Screen_Shot_2015-03-17_at_13.58.34](https://dev.gitlab.org/gitlab/gitlabhq/uploads/2b302bb6cdbe27c96a8dff1375236602/Screen_Shot_2015-03-17_at_13.58.34.png)

  See merge request !1709
- Dmitriy Zaporozhets authored: Don't show commit comment button when user is not signed in.

  Address private issue https://dev.gitlab.org/gitlab/gitlabhq/issues/2167.

  See merge request !429
- Dmitriy Zaporozhets authored

  Conflicts: app/controllers/users_controller.rb
- Dmitriy Zaporozhets authored
- Dmitriy Zaporozhets authored
- Dmitriy Zaporozhets authored: Replace commits calendar with contributions calendar

  * count opening of issues and merge requests
  * don't trigger git repository - use events from database
  * count pushes instead of commits for faster and easier counting
  * much, much faster since it is not affected by repository size

  See merge request !420
- Dmitriy Zaporozhets authored
- Douwe Maan authored: Fix #8966 Remove Milestones/Labels from project navbar when Issues disabled
- Douwe Maan authored
- Dmitriy Zaporozhets authored: Update views to single form of address. Change "my" to "your"

  Part of user experience. Every piece of software (Twitter, Facebook, etc.) talks to you like "change your password", not "change my password".

  cc @sytse @job

  See merge request !1736
- vichak authored
- Douwe Maan authored
- Douwe Maan authored
- Douwe Maan authored: Include missing events and fix save functionality in admin service template settings form

  ### What does this MR do?

  This MR includes missing settings left out in the Admin -> Service Templates page and fixes the inability to save certain settings.

  ### Are there points in the code the reviewer needs to double check?

  No.

  ### Why was this MR needed?

  Because the service template form was broken and untested.

  ### What are the relevant issue numbers / [Feature requests](http://feedback.gitlab.com/)?

  #1275

  Before:

  ![Screen_Shot_2015-03-23_at_5.53.19_AM](https://gitlab.com/stanhu/gitlab-ce/uploads/e1bff75f30a3b6ecb174d3e25c722b7e/Screen_Shot_2015-03-23_at_5.53.19_AM.png)

  After:

  ![Screen_Shot_2015-03-23_at_5.53.13_AM](https://gitlab.com/stanhu/gitlab-ce/uploads/8fada00128a3d0951b3230fefa64be92/Screen_Shot_2015-03-23_at_5.53.13_AM.png)

  See merge request !427
- Douwe Maan authored
- Stan Hu authored: Closes #1275
- Robert Schilling authored: Bump Docker build to GitLab v7.9.0

  See merge request !426
- Stan Hu authored
- vichak authored
- Douwe Maan authored: Faulty LDAP DN name escaping removed
- Vinnie Okada authored
- Dmitriy Zaporozhets authored