19 Apr, 2016 (2 commits)

Douwe Maan authored
Remove persistent XSS vulnerability in `commit_person_link` helper

Because we were incorrectly supplying the tooltip title as `data-original-title` (which Bootstrap's Tooltip JS automatically applies based on the `title` attribute; we should never be setting it directly), the value was being passed through as-is.

Instead, we should be supplying the normal `title` attribute and letting Rails escape the value, which also negates the need for us to call `sanitize` on it.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15126

See merge request !1948

Signed-off-by: Rémy Coutable <remy@rymai.me>
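The attribute-breakout the commit message describes, as an added example that is not GitLab's own helper code: a hypothetical reconstruction of the two helper shapes (tooltip text written straight into `data-original-title` versus an HTML-escaped `title`) with a constructed attacker payload, and a crude attribute tokenizer to show what a browser would see on the tag. `ERB::Util.html_escape` stands in for the escaping Rails' tag helpers apply to option values.

```ruby
require 'erb'

# Constructed attacker-controlled tooltip text (e.g. a crafted commit author
# name or e-mail): it closes the attribute and adds an event handler.
PAYLOAD = %q(" onmouseover="alert(document.cookie)" x=")

# Hypothetical reconstruction of the vulnerable shape: the helper emitted the
# tooltip text straight into data-original-title, so the attribute value
# reached the page as-is.
def commit_person_link_before(name, tooltip)
  %(<a href="#" data-original-title="#{tooltip}">#{ERB::Util.html_escape(name)}</a>)
end

# Fixed shape: supply a plain title attribute and HTML-escape it, as Rails'
# tag helpers do for option values. Bootstrap's tooltip JS copies title into
# data-original-title at runtime, so the tooltip still renders.
def commit_person_link_after(name, tooltip)
  %(<a href="#" title="#{ERB::Util.html_escape(tooltip)}">#{ERB::Util.html_escape(name)}</a>)
end

# Which attributes does a browser-style tokenizer see on the tag? Any name
# beyond the ones the helper intended means the tooltip text broke out.
def attribute_names(html)
  html.scan(/\s([a-zA-Z-]+)="[^"]*"/).flatten
end

if __FILE__ == $PROGRAM_NAME
  puts commit_person_link_before('Alice', PAYLOAD)
  p attribute_names(commit_person_link_before('Alice', PAYLOAD))  # ["href", "data-original-title", "onmouseover", "x"]
  puts commit_person_link_after('Alice', PAYLOAD)
  p attribute_names(commit_person_link_after('Alice', PAYLOAD))   # ["href", "title"]
end
```

The escaped form keeps the whole payload inside the `title` value (`&quot;` never terminates the attribute), and the browser decodes the entities when it reads the attribute, so the tooltip shows the original text while the handler never becomes an attribute of its own.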
-
Rémy Coutable authored
[ci skip] Signed-off-by: Rémy Coutable <remy@rymai.me>
-
07 Apr, 2016 (2 commits)

Robert Speicher authored
-
Rémy Coutable authored
Fix 2FA authentication spoofing

This is a security fix for the vulnerability described at https://gitlab.com/gitlab-org/gitlab-ce/issues/14900.

An attacker was able to bypass password authentication of users that have 2FA enabled, and consequently sign in as a different user, without knowing his password, if he managed to guess the 2FA One Time Password for that user.

It was also possible to enumerate users and check if they have 2FA enabled, because GitLab responded with a different error for each case.

This MR attempts to change the default user search scope if the `otp_user_id` session variable has been set. If it is present, it means that the user has 2FA enabled, and has already been verified with login and password. In this case we should look for the user with `otp_user_id` first, before picking it up by `login`.

Both 2FA authentication spoofing and 2FA discovery have been covered by specs.

Current 2FA code is a bit tricky, so it probably needs some refactoring.

Signed-off-by: Rémy Coutable <remy@rymai.me>
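The two-step sign-in and the scope change described above, as an added example that is not GitLab's own code: a hypothetical reconstruction in which the OTP step either re-resolves the account from the submitted `login` (the vulnerable shape) or is scoped to `otp_user_id` once step one has set it (the fixed shape). Users, passwords and OTP codes are constructed, and a fixed six-digit string stands in for a real TOTP value; the result symbols are invented for the demonstration.

```ruby
# Hypothetical reconstruction of the two-step sign-in the commit message
# describes; not GitLab's own code. Users, passwords and OTP codes are
# constructed, and a fixed code stands in for a real TOTP value.
User = Struct.new(:id, :login, :password, :otp_required_for_login, :otp_code)

USERS = [
  User.new(1, 'attacker', 'attacker-pass', true,  '111111'),
  User.new(2, 'victim',   'victim-pass',   true,  '654321'),
  User.new(3, 'plain',    'plain-pass',    false, nil),
].freeze

def find_by_login(login)
  USERS.find { |u| u.login == login }
end

def find_by_id(id)
  USERS.find { |u| u.id == id }
end

# Step 1, common to both variants: verify the password. For a 2FA user the
# session records which account passed this step, and nothing more.
def password_step(session, login, password)
  session.delete(:otp_user_id)
  user = find_by_login(login)
  return :invalid_login unless user && user.password == password
  if user.otp_required_for_login
    session[:otp_user_id] = user.id
    :otp_required
  else
    session[:user_id] = user.id
    :signed_in
  end
end

# Step 2, vulnerable shape: the account is resolved again from the submitted
# login, so whoever passed step 1 may name any other account here. The
# distinct :no_two_factor / :invalid_otp results also reveal who has 2FA.
def otp_step_before(session, login, otp)
  user = find_by_login(login)
  return :invalid_login unless user
  return :no_two_factor unless user.otp_required_for_login
  return :invalid_otp unless user.otp_code == otp
  session.delete(:otp_user_id)
  session[:user_id] = user.id
  :signed_in
end

# Mirrors the described scope change: prefer otp_user_id, fall back to login.
def find_user(session, login)
  session[:otp_user_id] ? find_by_id(session[:otp_user_id]) : find_by_login(login)
end

# Step 2, fixed shape: with otp_user_id set, the search scope is that single
# account and the submitted login is ignored; every failure looks the same.
def otp_step_after(session, login, otp)
  user = find_user(session, login)
  verified = session[:otp_user_id] && user && user.otp_required_for_login && user.otp_code == otp
  return :invalid_login_or_otp unless verified
  session.delete(:otp_user_id)
  session[:user_id] = user.id
  :signed_in
end

# The spoofing attempt from the commit message: pass step 1 as the attacker,
# then submit the victim's login with a guessed OTP at step 2.
def spoof_attempt(otp_step)
  session = {}
  password_step(session, 'attacker', 'attacker-pass')
  result = send(otp_step, session, 'victim', '654321')
  [result, session[:user_id]]
end

# The enumeration oracle: same position, probing two logins with a bogus code.
def two_factor_probe(otp_step)
  session = {}
  password_step(session, 'attacker', 'attacker-pass')
  [send(otp_step, session, 'plain', '000000'), send(otp_step, session, 'victim', '000000')]
end

# The legitimate flow still completes after the fix.
def legitimate_sign_in(otp_step)
  session = {}
  password_step(session, 'attacker', 'attacker-pass')
  [send(otp_step, session, 'attacker', '111111'), session[:user_id]]
end

if __FILE__ == $PROGRAM_NAME
  p spoof_attempt(:otp_step_before)     # [:signed_in, 2]  -> signed in as the victim
  p spoof_attempt(:otp_step_after)      # [:invalid_login_or_otp, nil]
  p two_factor_probe(:otp_step_before)  # [:no_two_factor, :invalid_otp]
  p two_factor_probe(:otp_step_after)   # [:invalid_login_or_otp, :invalid_login_or_otp]
  p legitimate_sign_in(:otp_step_after) # [:signed_in, 1]
end
```

Two things the fixed shape relies on are worth keeping in view when reviewing a real implementation: the second step must refuse to run at all when `otp_user_id` is absent (otherwise the login fallback reopens the original hole), and the single failure result must be returned before any per-account branching, or the timing and wording of the error leak the 2FA status again.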
-
05 Apr, 2016 (2 commits)

Rémy Coutable authored
-
Douwe Maan authored
Don't fetch any tags from a forked repo Closes #13957 See merge request !3504 Signed-off-by: Rémy Coutable <remy@rymai.me>
-
17 Mar, 2016 (4 commits)

Robert Speicher authored
-
Robert Speicher authored
Bump Git version requirement to 2.7.4 (for 8.5) [ci skip] See merge request !3286
-
Douwe Maan authored
-
Jacob Vosmaer authored
Install Git 2.7.3, not 2.4.3 See merge request !3248
-
15 Mar, 2016 (5 commits)

Robert Speicher authored
-
Robert Speicher authored
Bump Git version requirement to 2.7.3 [ci skip] See merge request !3240
-
Rémy Coutable authored
-
Rémy Coutable authored
[ci skip]
-
Rémy Coutable authored
Use leases for LDAP checks in 8.5 Back-port of https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/3143 See merge request !3181
-
11 Mar, 2016 (2 commits)

Jacob Vosmaer authored
-
Jacob Vosmaer authored
-
10 Mar, 2016 (5 commits)

Rémy Coutable authored
-
Douwe Maan authored
Allow filtered explore results to be paged. Fixes #14104 See merge request !3149
-
Jacob Schatz authored
Fix "Show all" link behavior

The "Show all" link was broken by recent refactors from @joshfng. I have fixed it very simply (I believe).

**Please note that this fix will be in 8.5.x only** (since the whole "Show all" stuff was moved to pagination recently, in 8.6).

Fixes #14168

/cc @joshfng @dzaporozhets @razer6

See merge request !3159
-
Rémy Coutable authored
Fixes #14168
-
Douglas Barbosa Alexandre authored
Fix error 500 in Todos Closes #14095 Closes #14075 Closes #14109 Closes #14151 See merge request !3141
-
08 Mar, 2016 (2 commits)

Rémy Coutable authored
-
Robert Speicher authored
Only show group member roles if explicitly requested

This very simply fixes an EE problem, but I made the change here so it's less prone to errors from merges.

In EE, prior to this change, group member roles were shown in the project member list when a project is shared with a group. This is bad because the project explicitly shares with the group and sets a 'max access' level. If the max access level is 'developer' the project owner doesn't want to see 'Owner' in the group roles because it will confuse them.

I verified that permissions are really being honored here, it was just an error in the view. You can see in https://gitlab.com/gitlab-org/gitlab-ee/blob/master/app/views/projects/project_members/_shared_group_members.html.haml#L18 where this was how it was intended to be. Likely a CE-EE merge introduced this bug. That's why I made the boolean required in CE even though this is for EE.

![Screen_Shot_2016-03-01_at_8.59.02_AM](/uploads/704ab3149f60c363dd8374bd0c06a46a/Screen_Shot_2016-03-01_at_8.59.02_AM.png)

![Screen_Shot_2016-03-01_at_9.17.54_AM](/uploads/5fcabef352cbc41dade037767f90ace3/Screen_Shot_2016-03-01_at_9.17.54_AM.png)

See merge request !3044
-
04 Mar, 2016 (3 commits)

Rémy Coutable authored
-
Rémy Coutable authored
[ci skip]
-
Rémy Coutable authored
Invalidate cache for builds badge

This fixes a cache issue with badges (we should not cache badge images).

Closes #13982

See merge request !3086
-
03 Mar, 2016 (2 commits)

Rémy Coutable authored
-
Rémy Coutable authored
Flush repository caches before renaming projects

This should hopefully solve gitlab-org/gitlab-ce#13790. Once I know the exact steps to reproduce the problem I should be able to confirm this.

cc @dblessing @inem

See merge request !2974
-
02 Mar, 2016 (8 commits)

Rémy Coutable authored
-
Achilleas Pipinellis authored
Add Todos documentation Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/13884 See merge request !3064
-
Douwe Maan authored
Don't show "Welcome to GitLab" when the search didn't return any projects

Fixes #13785.

/cc @pixdrift

### Before

![Screen_Shot_2016-03-02_at_10.55.02](/uploads/b6b6ead2143d01e374ad296e72182d79/Screen_Shot_2016-03-02_at_10.55.02.png)

### After

![Screen_Shot_2016-03-02_at_12.12.33](/uploads/6e16c44e69039c534ea0fc3373c6060b/Screen_Shot_2016-03-02_at_12.12.33.png)

See merge request !3059
-
Rémy Coutable authored
Tag deletion doesn't use AJAX anymore See merge request !2986
-
Douwe Maan authored
Fix permissions for deprecated CI build status badge

This fixes permissions for the deprecated status badge, which was unavailable even if the project is public.

Closes #13324

See merge request !3030
-
Douwe Maan authored
Show days remaining instead of elapsed time for Milestone. Closes #13623 See merge request !2978
-
Rémy Coutable authored
Fix import from gitlab.com fails

_Originally opened at !2896 by @kazsw._

- - -

Fixes #12652

CGI.escape encodes '/' by default. Second argument can be removed.

See merge request !2988
-
Rémy Coutable authored
Fix help keyboard shortcut for relative URL setups Fixes gitlab-org/gitlab-ce#12751 See merge request !3016
-
01 Mar, 2016 (3 commits)

Douwe Maan authored
Fix relative URL

See https://github.com/gitlabhq/gitlabhq/issues/10053

1. Same configuration way for relative URL as with Omnibus
2. Loading the relative configuration from Rakefile as Rails does not load initializers for `asset:precompile`

The first point has another positive side effect: no collisions (due to git-controlled `application.rb`) any more during the upgrades of source-based installations and relative URL configuration.

- [x] tests on the source-based installation
- [x] tests on the centos&ubuntu omnibus packages

Fixes: gitlab-org/gitlab-ce#13730, gitlab-org/gitlab-ce#13727, gitlab-org/omnibus-gitlab#1143 and https://github.com/gitlabhq/gitlabhq/issues/10053

See merge request !2979
-
Dmitriy Zaporozhets authored
Fix issue with overlap of sidebar links.

Thanks @iamphill for the help with this one.

![Screen_Shot_2016-03-01_at_10.19.52_AM](/uploads/f203fde79ae397ad18f23c4108f1c306/Screen_Shot_2016-03-01_at_10.19.52_AM.png)

cc @iamphill @alfredo1 @dzaporozhets @rymai

See merge request !3043
-
Douwe Maan authored
Don't show any "2FA required" message if it's not actually required Prior, if the user had enabled and then disabled 2FA, they would be shown a "You must enable Two-factor Authentication for your account." message when going back to re-activate it, even if 2FA enforcement was disabled. See merge request !3014
-