- 26 Apr, 2016 9 commits
  - Robert Speicher authored
    Prevent privilege escalation via notes API
    Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15577
    See merge request !1964
  - Douwe Maan authored
  - Douwe Maan authored
  - Douwe Maan authored
  - Douwe Maan authored
    This reverts commit 550f9a74.
  - Rémy Coutable authored
    [ci skip]
    Signed-off-by: Rémy Coutable <remy@rymai.me>
  - Rémy Coutable authored
    Prevent users from deleting Webhooks via API they do not own
    Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15576
    See merge request !1959
    Signed-off-by: Rémy Coutable <remy@rymai.me>
  - Robert Speicher authored
    Prevent XSS via custom issue tracker URL
    Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/15437
    See merge request !1955
    Signed-off-by: Rémy Coutable <remy@rymai.me>
  - Robert Speicher authored
    Prevent information disclosure via milestone API
    Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15579
    See merge request !1961
- 25 Apr, 2016 6 commits
  - Robert Speicher authored
    Prevent information disclosure via new merge request page
    Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15591
    See merge request !1963
  - Robert Speicher authored
    Prevent privilege escalation via "impersonate" feature
    Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15548
    See merge request !1956
  - Robert Speicher authored
    Prevent information disclosure via snippet API
    Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15580
    See merge request !1958
  - Grzegorz Bizon authored
    Fix vulnerability that leaks private labels and milestones
    This fixes a vulnerability that leaks information about private labels and milestones because of an insecure direct object reference in the issuable create service. This affects merge requests and issues. See https://gitlab.com/gitlab-org/gitlab-ce/issues/15439
    This MR introduces an additional check that rejects labels and milestones that do not belong to the same project the issue/merge request does. `IssuableBaseService` may benefit from encapsulating filters in a separate class/module, which may then improve coherency in this class.
    Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15439
    See merge request !1954
  - Jacob Schatz authored
    Fixes XSS injection
    REF: https://gitlab.com/gitlab-org/gitlab-ce/issues/15434
    **Without the fix** ![xss1](/uploads/0a7b0b15fb87066965a7c73f1dbaa815/xss1.gif)
    **With the fix** ![xss2](/uploads/473cfa0aa80656f24c58aebf1fd97fff/xss2.gif)
    See merge request !1952
  - Robert Speicher authored
    Fixes window.opener bug
    Adds `noreferrer` value to rel attribute for external links
    REF: https://gitlab.com/gitlab-org/gitlab-ce/issues/15331
    See merge request !1953
- 20 Apr, 2016 1 commit
  - Rémy Coutable authored
- 19 Apr, 2016 2 commits
  - Douwe Maan authored
    Remove persistent XSS vulnerability in `commit_person_link` helper
    Because we were incorrectly supplying the tooltip title as `data-original-title` (which Bootstrap's Tooltip JS automatically applies based on the `title` attribute; we should never be setting it directly), the value was being passed through as-is. Instead, we should be supplying the normal `title` attribute and letting Rails escape the value, which also negates the need for us to call `sanitize` on it.
    Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15126
    See merge request !1948
    Signed-off-by: Rémy Coutable <remy@rymai.me>
  - Rémy Coutable authored
    [ci skip]
    Signed-off-by: Rémy Coutable <remy@rymai.me>
- 07 Apr, 2016 2 commits
  - Robert Speicher authored
  - Rémy Coutable authored
    Fix 2FA authentication spoofing
    This is a security fix for the vulnerability described at https://gitlab.com/gitlab-org/gitlab-ce/issues/14900. An attacker was able to bypass password authentication of users that have 2FA enabled, and consequently sign in as a different user, without knowing his password, if he managed to guess the 2FA One Time Password for that user. It was also possible to enumerate users and check if they have 2FA enabled, because GitLab responded with a different error for each case.
    This MR attempts to change the default user search scope if the `otp_user_id` session variable has been set. If it is present, it means that the user has 2FA enabled and has already been verified with login and password. In this case we should look for the user with `otp_user_id` first, before picking it up by `login`.
    Both 2FA authentication spoofing and 2FA discovery have been covered by specs. The current 2FA code is a bit tricky, so it probably needs some refactoring.
    Signed-off-by: Rémy Coutable <remy@rymai.me>
- 05 Apr, 2016 2 commits
  - Rémy Coutable authored
  - Douwe Maan authored
    Don't fetch any tags from a forked repo
    Closes #13957
    See merge request !3504
    Signed-off-by: Rémy Coutable <remy@rymai.me>
- 17 Mar, 2016 4 commits
  - Robert Speicher authored
  - Robert Speicher authored
    Bump Git version requirement to 2.7.4 (for 8.5) [ci skip]
    See merge request !3286
  - Douwe Maan authored
  - Jacob Vosmaer authored
    Install Git 2.7.3, not 2.4.3
    See merge request !3248
- 15 Mar, 2016 5 commits
  - Robert Speicher authored
  - Robert Speicher authored
    Bump Git version requirement to 2.7.3 [ci skip]
    See merge request !3240
  - Rémy Coutable authored
  - Rémy Coutable authored
    [ci skip]
  - Rémy Coutable authored
    Use leases for LDAP checks in 8.5
    Back-port of https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/3143
    See merge request !3181
- 11 Mar, 2016 2 commits
  - Jacob Vosmaer authored
  - Jacob Vosmaer authored
- 10 Mar, 2016 5 commits
  - Rémy Coutable authored
  - Douwe Maan authored
    Allow filtered explore results to be paged.
    Fixes #14104
    See merge request !3149
  - Jacob Schatz authored
    Fix "Show all" link behavior
    The "Show all" link was broken by recent refactors from @joshfng. I have fixed it very simply (I believe). **Please note that this fix will be in 8.5.x only** (since the whole "Show all" stuff was moved to pagination recently (8.6)).
    Fixes #14168
    /cc @joshfng @dzaporozhets @razer6
    See merge request !3159
  - Rémy Coutable authored
    Fixes #14168
  - Douglas Barbosa Alexandre authored
    Fix error 500 in Todos
    Closes #14095 Closes #14075 Closes #14109 Closes #14151
    See merge request !3141
- 08 Mar, 2016 2 commits
  - Rémy Coutable authored
  - Robert Speicher authored
    Only show group member roles if explicitly requested
    This very simply fixes an EE problem, but I made the change here so it's less prone to errors from merges. In EE, prior to this change, group member roles were shown in the project member list when a project is shared with a group. This is bad because the project explicitly shares with the group and sets a 'max access' level. If the max access level is 'developer' the project owner doesn't want to see 'Owner' in the group roles because it will confuse them. I verified that permissions are really being honored here; it was just an error in the view. You can see in https://gitlab.com/gitlab-org/gitlab-ee/blob/master/app/views/projects/project_members/_shared_group_members.html.haml#L18 where this was how it was intended to be. Likely a CE-EE merge introduced this bug. That's why I made the boolean required in CE even though this is for EE.
    ![Screen_Shot_2016-03-01_at_8.59.02_AM](/uploads/704ab3149f60c363dd8374bd0c06a46a/Screen_Shot_2016-03-01_at_8.59.02_AM.png)
    ![Screen_Shot_2016-03-01_at_9.17.54_AM](/uploads/5fcabef352cbc41dade037767f90ace3/Screen_Shot_2016-03-01_at_9.17.54_AM.png)
    See merge request !3044