- 06 Jul, 2016 2 commits

Stan Hu authored
Update RedCloth to 4.3.2 for CVE-2012-6684

## What does this MR do?

To fix XSS (CVE-2012-6684), upgrade RedCloth to 4.3.2.

## Are there points in the code the reviewer needs to double check?

No.

## Why was this MR needed?

The security vulnerability in RedCloth (CVE-2012-6684) should be fixed to provide GitLab as secure software.

## What are the relevant issue numbers?

Closes #19169

cf. !2037, !2071

## Does this MR meet the acceptance criteria?

- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- [n/a] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- [n/a] API support added
- Tests
  - [n/a] Added for this feature/bug
  - [x] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

See merge request !4929 (cherry picked from commit 95336861)

Rémy Coutable authored
Improve the request / withdraw access button

It implements the design proposed in #18310.

No.

To close #18310.

Closes #18310.

| Medium | Large |
| ----------- | ------- |
| ![request_access_button](/uploads/a1de370dcbb8ac9a63d2df5c68591db7/request_access_button.png) | ![request_access_button-large](/uploads/0a1c70380268e620a6ca4d3e1661d58c/request_access_button-large.png) |

| Medium | Large |
| ----------- | ------- |
| ![withdraw_access_request_button](/uploads/c9df39d04b61566ec143d5e9cc43ada2/withdraw_access_request_button.png) | ![withdraw_access_request_button-large](/uploads/10fdaa94d72956e06bdb995e65b51472/withdraw_access_request_button-large.png) |

| Medium | Large |
| ----------- | ------- |
| ![request_access_button](/uploads/8e71395041a5cea996a35df2083bb723/request_access_button.png) | ![project-request_access_button-large](/uploads/adb2dec0eccec8e5171dc0e26e6b03a6/project-request_access_button-large.png) |

| Medium | Large |
| ----------- | ------- |
| ![withdraw_access_request_button](/uploads/12be06f0a2bf9426a5e043f52c4d1dab/withdraw_access_request_button.png) | ![project-withdraw_access_request_button-large](/uploads/93fda7767ee5f02186c4c954ea346254/project-withdraw_access_request_button-large.png) |

- [x] [CHANGELOG](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG) entry added
- [x] [Documentation created/updated](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/development/doc_styleguide.md)
- Tests
  - [x] All builds are passing
- [x] Conform by the [style guides](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CONTRIBUTING.md#style-guides)
- [x] Branch has no merge conflicts with `master` (if you do - rebase it please)
- [x] [Squashed related commits together](https://git-scm.com/book/en/Git-Tools-Rewriting-History#Squashing-Commits)

See merge request !4860 (cherry picked from commit c578fb06)
- 05 Jul, 2016 2 commits

Rémy Coutable authored
Merge branch 'doc-mysql-priv' into 'master'

## What does this MR do?

Update missing mysql user permissions.

## Why was this MR needed?

This should also be in the `8-9-stable` branch.

See merge request !5086

Achilleas Pipinellis authored
Add missing privileges to MySQL database

Closes gitlab-org/gitlab-ce#19321

See merge request !5079
- 30 Jun, 2016 13 commits

Robert Speicher authored

Jacob Schatz authored
Updated breakpoint for sidebar pinning

Updates the breakpoint for sidebar pinning to 1024px.

Think we will have the same issue as before when picking into stable with `$window` not being defined.

See merge request !5019 (cherry picked from commit c5d164d1)

Jacob Schatz authored
Expiry date on pinned nav cookie

Adds an expiry date far into the future for the pinned nav cookie so that it survives logout & browser closing.

See merge request !5009 (cherry picked from commit 73196fbd)

Robert Speicher authored
Handle external issues in IssueReferenceFilter

Rendering issue references such as `#1` was broken for projects using an external issues tracker.

See gitlab-org/gitlab-ce#19036

See merge request !4988 (cherry picked from commit 6e82c0e0)

Rémy Coutable authored
Fix restore warning message

## What does this MR do?

Fix the restore Rake task so it properly outputs the database warning. This is a pretty important warning and it was not even being output.

After this fix, the output looks like the screenshot below.

![Screen_Shot_2016-06-28_at_3.53.46_PM](/uploads/d250189d39fcacd0c8ec0aacf9cd930d/Screen_Shot_2016-06-28_at_3.53.46_PM.png)

See merge request !4980 (cherry picked from commit 0144dce7)

Robert Speicher authored
Do not show build retry link when build is active

Closes #19244

See merge request !4967 (cherry picked from commit dc2d0051)

Fatih Acet authored
Fixed commit avatar alignment

## What does this MR do?

Fixes the alignment of the avatar on https://gitlab.com/gitlab-org/gitlab-ce/blob/master/CHANGELOG

Also fixes potential issues in other places.

## Screenshots (if relevant)

![Screen_Shot_2016-06-27_at_10.58.26](/uploads/fa4f50cfc30a870422d1afa63a4331d1/Screen_Shot_2016-06-27_at_10.58.26.png)
![Screen_Shot_2016-06-27_at_10.58.35](/uploads/bd7dc3cf77464c1775fabb45b8079f02/Screen_Shot_2016-06-27_at_10.58.35.png)

See merge request !4933 (cherry picked from commit 8cada02d)

Jacob Schatz authored
Fixed URL on label button when filtering

## What does this MR do?

Gives the filtered labels the correct URL. Previously they tried to link to `labels#show` whereas now it links to the correct filter path.

## What are the relevant issue numbers?

Closes #19005

See merge request !4897 (cherry picked from commit d3d9df5a)

Fatih Acet authored
File Browser navigation fixes

Fixes a double request being made when clicking the file name when navigating through file browser and also fixes opening a file in a new tab or when doing ctrl + click.

Closes #19050

**Before**

![navigation-old](/uploads/f9a40c91e430e31beae3a896cffb1c68/navigation-old.gif)

**After**

![navigation](/uploads/dec9b43894c00cc09d80d19c83506530/navigation.gif)

See merge request !4891 (cherry picked from commit b32a6add)

Dmitriy Zaporozhets authored
Resolve "Sub nav isn't showing on file view"

## What does this MR do?

Adds subnav to `Repository` > `File` view

## What are the relevant issue numbers?

Closes #19003
Part of #18844

## Screenshots (if relevant)

![Screen_Shot_2016-06-23_at_5.33.05_PM](/uploads/aa6993b2376dbe454af87d852aa74f5e/Screen_Shot_2016-06-23_at_5.33.05_PM.png)

cc @dzaporozhets

See merge request !4890 (cherry picked from commit 2efee5f6)

Jacob Schatz authored
Fixed search field blur not removing focus

## What does this MR do?

Adds a blur event to remove focus styling from the search input.

Any particular reason we were looking for clicks on the document? I can't see why we would be.

## What are the relevant issue numbers?

Closes #18670

## Screenshots (if relevant)

![tab](/uploads/4c74d4f76ec7b45bfcf581606d2defb5/tab.gif)

See merge request !4704 (cherry picked from commit c051630a)

Douwe Maan authored
Ensure logged-out users can't see private refs

https://gitlab.com/gitlab-org/gitlab-ce/issues/18033

I'm still not sure what to do about the CHANGELOG on security issues - should I add to a patch release? This issue was assigned to 8.10.

See merge request !1974 (cherry picked from commit 3a6ebb1f)

Douwe Maan authored
Fix privilege escalation issue with OAuth external users

Related to https://gitlab.com/gitlab-org/gitlab-ce/issues/19312

This MR fixes a privilege escalation issue, where manually set external users would be reverted back to internal users if they logged in via OAuth and that provider was not in the `external_providers` list.

/cc @douwe

See merge request !1975 (cherry picked from commit 5e6342b7)
- 29 Jun, 2016 6 commits

Robert Speicher authored

Yorick Peterse authored
Use update_columns to bypass all the dirty code on active_record

See merge request !4985 (cherry picked from commit ad09fcb5)

Yorick Peterse authored
Reduce overhead and optimize ProjectTeam#max_member_access performance

See merge request !4973 (cherry picked from commit d33991f8)

Jacob Schatz authored
Fixes missing avatar on system notes

Closes #17295

![Screen_Shot_2016-06-27_at_12.50.50_PM](/uploads/b142226e608ccfe751a9b6059f57c9ec/Screen_Shot_2016-06-27_at_12.50.50_PM.jpg)

See merge request !4954 (cherry picked from commit 9e8fdead)

Jacob Schatz authored
Removed fade when filtering results

## What does this MR do?

Removes the `opacity` change when filtering results; seeing as we now do `Turbolinks.visit`, it isn't required.

Best way to see issue - filter issues & then go back. Will still have opacity styling.

See merge request !4932 (cherry picked from commit bef4294c)

Jacob Schatz authored
Fixed avatar alignment in new MR view

## What does this MR do?

Fixes the alignment of the avatar in new MR view.

Closes #19076

## Screenshots (if relevant)

![Screen_Shot_2016-06-24_at_12.53.58](/uploads/fc94faf2e48f194852693b7ae79e8fa3/Screen_Shot_2016-06-24_at_12.53.58.png)

See merge request !4901 (cherry picked from commit 3611ee56)
- 28 Jun, 2016 11 commits

Robert Speicher authored

Robert Speicher authored

Yorick Peterse authored
Use memoized tags array when searching tags by name

See merge request !4859 (cherry picked from commit 9d0ef60d)

Rémy Coutable authored
Fix encrypted data backwards compatibility after upgrading attr_encrypted gem

Adds missing attribute to attr_encrypted so it is fully backwards-compatible.

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/19073

See merge request !4963 (cherry picked from commit 2c3f3cb3)

Robert Speicher authored
Fix rendering of commit notes

See merge request !4953 (cherry picked from commit 9c9b0eef)

Dmitriy Zaporozhets authored
Resolve "Pin should show up at 1280px min"

Decreased window min width for pinned sidebar

Closes #19171
Part of #19200

![Screen_Shot_2016-06-27_at_9.36.13_AM](/uploads/d0a87bca5af1bee808c5b1046c0ecf72/Screen_Shot_2016-06-27_at_9.36.13_AM.png)

See merge request !4947 (cherry picked from commit bbbd0e6c)

Dmitriy Zaporozhets authored
Switched mobile button icons to ellipsis and angle

## What does this MR do?

Switches the mobile button icons

## What are the relevant issue numbers?

Closes #19170
Part of #19200

## Screenshots (if relevant)

![Screen_Shot_2016-06-27_at_9.08.28_AM](/uploads/7784489402e342e671d02b24d2ea0d64/Screen_Shot_2016-06-27_at_9.08.28_AM.png)

See merge request !4944 (cherry picked from commit abc6004f)

Robert Speicher authored
Correctly return todo ID after creating todo

See merge request !4941 (cherry picked from commit 21842cf9)

Rémy Coutable authored
Better debugging for memory killer middleware

This adds more info to the warning messages output by `MemoryKiller`. Previously only the PID was shown, making it difficult to debug issues like https://gitlab.com/gitlab-org/gitlab-ce/issues/19124

This adds the worker class and job ID to the log messages.

See merge request !4936 (cherry picked from commit 3659992c)

Fatih Acet authored
Remove duplicate new page btn from edit wiki

## What does this MR do?

Removes duplicate button on wiki page

## What are the relevant issue numbers?

Closes #19075

## Screenshots (if relevant)

![Screen_Shot_2016-06-24_at_9.45.28_AM](/uploads/8dca96c3e75b428d63acaaba6dede9a6/Screen_Shot_2016-06-24_at_9.45.28_AM.png)
![Screen_Shot_2016-06-24_at_9.45.57_AM](/uploads/e6ea97b07e48d2fe6f108d8c5a943583/Screen_Shot_2016-06-24_at_9.45.57_AM.png)

See merge request !4904 (cherry picked from commit 121c5c83)

Robert Speicher authored
Use clock_gettime for all performance timestamps

This MR adjusts the performance monitoring code to use `Process.clock_gettime` (thus `clock_gettime(3)`) instead of `Time.now`. Using `Time.now` / `Time.new` adds more overhead than `Process.clock_gettime`; it also doesn't provide a way of getting timestamps in nanoseconds (which `Process.clock_gettime` does allow).

See merge request !4899 (cherry picked from commit 53ad9522)
- 27 Jun, 2016 6 commits

Robert Speicher authored
[ci skip]

Robert Speicher authored

Stan Hu authored
Update omniauth-saml to 1.6.0 to address a security vulnerability in ruby-saml

## What does this MR do?

Updates `omniauth-saml` to bring in the new `ruby-saml` dependency that addresses [CVE-2016-5697](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5697)

Fixes #19206

See merge request !4951

Robert Speicher authored
Fix visibility of snippets when searching

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/18997

See merge request !1972

Robert Speicher authored
Fix an information disclosure when requesting access to a group containing private projects

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/19102.

The commit speaks for itself:

Fix an information disclosure when requesting access to a group containing private projects

The issue was with the `User#groups` and `User#projects` associations which go through the `User#group_members` and `User#project_members`.

Initially I chose to use a secure approach by storing the requester's user ID in `Member#created_by_id` instead of `Member#user_id` because I was aware that there was a security risk since I didn't know the codebase well enough.

Then during the review, we decided to change that and directly store the requester's user ID into `Member#user_id` (for the sake of simplifying the code I believe), meaning that every `group_members` / `project_members` association would include the requesters by default...

My bad for not checking that all the `group_members` / `project_members` associations and the ones that go through them (e.g. `Group#users` and `Project#users`) were made safe with the `where(requested_at: nil)` / `where(members: { requested_at: nil })` scopes.

Now they are all secure.

See merge request !1973

Rémy Coutable authored
Remove duplicate changelog entry

## What does this MR do?

Removes a changelog entry from 8.9.1, which is only present in 8.10

See merge request !4937