1. 17 Jan, 2018 10 commits
      Merge branch 'fix/import-rce-10-3' into 'security-10-3' · 532a0b60
      James Lopez authored
      [10.3] Fix RCE via project import mechanism
      
      See merge request gitlab/gitlabhq!2294
      
      (cherry picked from commit dcfec507d6f9ee119d65a832393e7c593af1d3b2)
      
      86d75812 Fix RCE via project import mechanism
      Merge branch... · 791ca43f
      Robert Speicher authored
      Merge branch '41293-fix-command-injection-vulnerability-on-system_hook_push-queue-through-web-hook' into 'security-10-3'
      
      Don't allow line breaks on HTTP headers
      
      See merge request gitlab/gitlabhq!2277
      
      (cherry picked from commit 7fc0a6fc096768a5604d6dd24d7d952e53300c82)
      
      073b8f9c Don't allow line breaks on HTTP headers
      Merge branch 'sh-migrate-can-push-to-deploy-keys-projects-10-3' into 'security-10-3' · 536a47b4
      Douwe Maan authored
      [10.3] Migrate `can_push` column from `keys` to `deploy_keys_project`
      
      See merge request gitlab/gitlabhq!2276
      
      (cherry picked from commit f6ca52d31bac350a23938e0aebf717c767b4710c)
      
      1f2bd3c0 Backport to 10.3
      Merge branch '41567-projectfix' into 'security-10-3' · 3fc0564a
      Sean McGivern authored
      check project access on MR create
      
      See merge request gitlab/gitlabhq!2273
      
      (cherry picked from commit 1fe2325d6ef2bced4c5e97b57691c894f38b2834)
      
      43e85f49 check project access on MR create
      Merge branch 'ac/fix-path-traversal' into 'security-10-3' · 954a4457
      Robert Speicher authored
      [10.3] Fix path traversal in gitlab-ci.yml cache:key
      
      See merge request gitlab/gitlabhq!2270
      
      (cherry picked from commit c32d0c6807dfd41d7838a35742e6d0986871b389)
      
      df29094a Fix path traversal in gitlab-ci.yml cache:key
      Merge branch 'sh-validate-path-project-import-10-3' into 'security-10-3' · 1f96512b
      Stan Hu authored
      Validate project path in Gitlab import - 10.3 port
      
      See merge request gitlab/gitlabhq!2268
      
      (cherry picked from commit 94c82376d66fc80d46dd2d5eeb5bade408ec6a7e)
      
      2b94a7c2 Validate project path in Gitlab import
      Merge branch 'milestones-finder-order-fix' into 'security-10-3' · 8f4b0613
      Robert Speicher authored
      Remove order param from the MilestoneFinder
      
      See merge request gitlab/gitlabhq!2259
      
      (cherry picked from commit 14408042e78f2ebc2644f956621b461dbfa3d36d)
      
      155881e7 Remove order param from the MilestoneFinder
      Merge branch 'label-xss-10-3' into 'security-10-3' · 6846b70d
      Jacob Schatz authored
      [10.3] Fix XSS in issue label dropdown
      
      See merge request gitlab/gitlabhq!2253
      
      (cherry picked from commit 363ffabcebd7bb0d1a2d59ca1a75e4eadb4a4360)
      
      ea1fb0ea Fix XSS in issue label dropdown
      Merge branch 'ac/41346-xss-ci-job-output' into 'security-10-3' · 72a57525
      Robert Speicher authored
      [10.3] Fix XSS vulnerability in Pipeline job trace
      
      See merge request gitlab/gitlabhq!2258
      
      (cherry picked from commit 44caa80ed9a2514a74a5eeab10ff51849d64851b)
      
      5f86f3ff Fix XSS vulnerability in Pipeline job trace
      Merge branch... · 0424801e
      Stan Hu authored
      Merge branch 'security-10-3-do-not-expose-passwords-or-tokens-in-service-integrations-api' into 'security-10-3'
      
      Filter out sensitive fields from the project services API
      
      See merge request gitlab/gitlabhq!2281
      
      (cherry picked from commit 476f2576444632f2a9a61b4cead9c1077f2c81d7)
      
      2bcbbda0 Filter out sensitive fields from the project services API
  2. 16 Jan, 2018 30 commits