Skip to content

G
gitlab-ce
Switch branch/tag
  1. 07 Apr, 2016 1 commit
    • Rémy Coutable's avatar
      Merge branch 'fix/2fa-authentication-spoofing' into 'master' · 4a9f5ef9
      Rémy Coutable authored 
      Fix 2FA authentication spoofing

This is security fix for vulnerability described at
https://gitlab.com/gitlab-org/gitlab-ce/issues/14900.

Attacker was able to bypass password authentication of users that have 2FA enabled, and consequently sign is as a different user, without knowing his password, if he managed to guess 2FA One Time Password for that user.

It was also possible to enumerate users and check if they have 2FA enabled, because GitLab responded with different error for each case.

This MR attempts to change default user search scope if `otp_user_id` session variable has been set. If it is present, it means that user has 2FA enabled, and has already been verified with login and password. In this case we should look for user with `otp_user_id` first, before picking it up by `login`.

Both, 2FA authentication spoofing and 2FA discovery have been covered by specs.

Current 2FA code is a bit tricky, so it probably needs some refactoring.
Signed-off-by: default avatarRémy Coutable <remy@rymai.me>
      4a9f5ef9
  3. 05 Apr, 2016 2 commits
  5. 17 Mar, 2016 4 commits
  7. 15 Mar, 2016 5 commits
  9. 11 Mar, 2016 2 commits
  11. 10 Mar, 2016 5 commits
  13. 08 Mar, 2016 2 commits
    • Rémy Coutable's avatar
      Version 8.5.5-rc1 · 62fc5b6a
      Rémy Coutable authored
      62fc5b6a
    • Robert Speicher's avatar
      Merge branch 'add_show_role_boolean_to_group_member_view' into 'master' · f38f5797
      Robert Speicher authored 
      Only show group member roles if explicitly requested

This very simply fixes an EE problem, but I made the change here so it's less prone to errors from merges.

In EE, prior to this change, group member roles were shown in project member list when a project is shared with a group. This is bad because the project explicitly shares with the group and sets a 'max access' level. If the max access level is 'developer' the project owner doesn't want to see 'Owner' in the group roles because it will confuse them. I verified that permissions are really being honored here, it was just an error in the view. You can see in https://gitlab.com/gitlab-org/gitlab-ee/blob/master/app/views/projects/project_members/_shared_group_members.html.haml#L18 where this was how it was intended to be. Likely a CE-EE merge introduced this bug. That's why I made the boolean required in CE even though this is for EE.

![Screen_Shot_2016-03-01_at_8.59.02_AM](/uploads/704ab3149f60c363dd8374bd0c06a46a/Screen_Shot_2016-03-01_at_8.59.02_AM.png)

![Screen_Shot_2016-03-01_at_9.17.54_AM](/uploads/5fcabef352cbc41dade037767f90ace3/Screen_Shot_2016-03-01_at_9.17.54_AM.png)

See merge request !3044
      f38f5797
  15. 04 Mar, 2016 3 commits
  17. 03 Mar, 2016 2 commits
  19. 02 Mar, 2016 8 commits
  21. 01 Mar, 2016 6 commits
    • Douwe Maan's avatar
      Merge branch 'rel-url-fix' into 'master' · 58e247d8
      Douwe Maan authored 
      Fix relative URL

See https://github.com/gitlabhq/gitlabhq/issues/10053

 1. Same configuration way for relative URL like with Omnibus
 2. Loading the relative configuration from Rakefile as Rails do not load initializers for `asset:precompile`

First point has another positive side effect: no collisions (due to git controlled `application.rb`) any more during the upgrades of source based installations and relative url configuration

 - [x] tests on the source based installation
 - [x] tests on the centos&ubuntu omnibus packages

Fixes: gitlab-org/gitlab-ce#13730, gitlab-org/gitlab-ce#13727, gitlab-org/omnibus-gitlab#1143 and https://github.com/gitlabhq/gitlabhq/issues/10053

See merge request !2979
      58e247d8
    • Dmitriy Zaporozhets's avatar
      Merge branch 'sidebar-overlap-fix' into 'master' · c081928d
      Dmitriy Zaporozhets authored 
      Fix issue with overlap of sidebar links.

Thanks @iamphill for the help with this one. 

![Screen_Shot_2016-03-01_at_10.19.52_AM](/uploads/f203fde79ae397ad18f23c4108f1c306/Screen_Shot_2016-03-01_at_10.19.52_AM.png)

cc @iamphill @alfredo1 @dzaporozhets @rymai 

See merge request !3043
      c081928d
    • Douwe Maan's avatar
      Merge branch 'rs-improve-grace-period' into 'master' · c05bb007
      Douwe Maan authored 
      Don't show any "2FA required" message if it's not actually required

Prior, if the user had enabled and then disabled 2FA, they would be
shown a "You must enable Two-factor Authentication for your account."
message when going back to re-activate it, even if 2FA enforcement was
disabled.

See merge request !3014
      c05bb007
    • Dmitriy Zaporozhets's avatar
      Merge branch 'issue_13648' into 'master' · e11ab453
      Dmitriy Zaporozhets authored 
      Improve implementation to check read access to forks and add pagination.

Fixes #13648

The following optimizations where made:

- Pagination was added.
- Code to check for read permissions to forks was optimized, in the past we were doing too many queries for each project.

See merge request !2991
      e11ab453
    • Douwe Maan's avatar
      Merge branch 'issue_13621' into 'master' · 9052086d
      Douwe Maan authored 
      Don't repeat labels listed on Labels tab.

Fixes #13622

See merge request !2924
      9052086d
    • Rémy Coutable's avatar
      Merge branch 'issue_13851' into 'master' · 5c8f6ba3
      Rémy Coutable authored 
      Brings back missing "Gitlab" text on the logo

Closes #13851 

See merge request !2989
      5c8f6ba3
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7