Fixes XSS injection

REF: https://gitlab.com/gitlab-org/gitlab-ce/issues/15434

**Without the fix**

![xss1](/uploads/0a7b0b15fb87066965a7c73f1dbaa815/xss1.gif)


**With the fix**

![xss2](/uploads/473cfa0aa80656f24c58aebf1fd97fff/xss2.gif)


See merge request !1952

Fixes window.opener bug

Adds `noreferrer` value to rel attribute for external links

REF: https://gitlab.com/gitlab-org/gitlab-ce/issues/15331

See merge request !1953

Remove persistent XSS vulnerability in `commit_person_link` helper

Because we were incorrectly supplying the tooltip title as
`data-original-title` (which Bootstrap's Tooltip JS automatically
applies based on the `title` attribute; we should never be setting it
directly), the value was being passed through as-is.

Instead, we should be supplying the normal `title` attribute and letting
Rails escape the value, which also negates the need for us to call
`sanitize` on it.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15126

See merge request !1948
Signed-off-by: Rémy Coutable <remy@rymai.me>

[ci skip]
Signed-off-by: Rémy Coutable <remy@rymai.me>

Fix 2FA authentication spoofing

This is security fix for vulnerability described at
https://gitlab.com/gitlab-org/gitlab-ce/issues/14900.

Attacker was able to bypass password authentication of users that have 2FA enabled, and consequently sign is as a different user, without knowing his password, if he managed to guess 2FA One Time Password for that user.

It was also possible to enumerate users and check if they have 2FA enabled, because GitLab responded with different error for each case.

This MR attempts to change default user search scope if `otp_user_id` session variable has been set. If it is present, it means that user has 2FA enabled, and has already been verified with login and password. In this case we should look for user with `otp_user_id` first, before picking it up by `login`.

Both, 2FA authentication spoofing and 2FA discovery have been covered by specs.

Current 2FA code is a bit tricky, so it probably needs some refactoring.
Signed-off-by: Rémy Coutable <remy@rymai.me>

Don't fetch any tags from a forked repo

Closes #13957

See merge request !3504
Signed-off-by: Rémy Coutable <remy@rymai.me>

Bump Git version requirement to 2.7.4 (for 8.5)

[ci skip]

See merge request !3286

Install Git 2.7.3, not 2.4.3



See merge request !3248

Bump Git version requirement to 2.7.3

[ci skip]

See merge request !3240

[ci skip]

Use leases for LDAP checks in 8.5

Back-port of https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/3143

See merge request !3181

Allow filtered explore results to be paged. Fixes #14104

See merge request !3149

Fix "Show all" link behavior

The "Show all" link was broken by recent refactors from @joshfng. I have fixed it very simply (I believe).

**Please note that this fix will be in 8.5.x only** (since the whole "Show all" stuff was moved to pagination recently (8.6).

Fixes #14168 

/cc @joshfng @dzaporozhets @razer6 

See merge request !3159

Fixes #14168

Fix error 500 in Todos

Closes #14095

Closes #14075

Closes #14109

Closes #14151

See merge request !3141

Only show group member roles if explicitly requested

This very simply fixes an EE problem, but I made the change here so it's less prone to errors from merges.

In EE, prior to this change, group member roles were shown in project member list when a project is shared with a group. This is bad because the project explicitly shares with the group and sets a 'max access' level. If the max access level is 'developer' the project owner doesn't want to see 'Owner' in the group roles because it will confuse them. I verified that permissions are really being honored here, it was just an error in the view. You can see in https://gitlab.com/gitlab-org/gitlab-ee/blob/master/app/views/projects/project_members/_shared_group_members.html.haml#L18 where this was how it was intended to be. Likely a CE-EE merge introduced this bug. That's why I made the boolean required in CE even though this is for EE.

![Screen_Shot_2016-03-01_at_8.59.02_AM](/uploads/704ab3149f60c363dd8374bd0c06a46a/Screen_Shot_2016-03-01_at_8.59.02_AM.png)

![Screen_Shot_2016-03-01_at_9.17.54_AM](/uploads/5fcabef352cbc41dade037767f90ace3/Screen_Shot_2016-03-01_at_9.17.54_AM.png)

See merge request !3044

[ci skip]

Invalidate cache for builds badge

This fixes cache issue with badges (we should not cache badge images).

Closes #13982

See merge request !3086

Flush repository caches before renaming projects

This should hopefully solve gitlab-org/gitlab-ce#13790. Once I know the exact steps to reproduce the problem I should be able to confirm this.

cc @dblessing @inem

See merge request !2974

Add Todos documentation

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/13884

See merge request !3064

Don't show "Welcome to GitLab" when the search didn't return any projects

Fixes #13785. /cc @pixdrift

### Before

![Screen_Shot_2016-03-02_at_10.55.02](/uploads/b6b6ead2143d01e374ad296e72182d79/Screen_Shot_2016-03-02_at_10.55.02.png)

### After

![Screen_Shot_2016-03-02_at_12.12.33](/uploads/6e16c44e69039c534ea0fc3373c6060b/Screen_Shot_2016-03-02_at_12.12.33.png)

See merge request !3059

Tag deletion doesn't use AJAX anymore

See merge request !2986

Fix permissions for deprecated CI build status badge

This fixes permissions for deprecated status badge, being unavailable even if project is public.

Closes #13324

See merge request !3030

Show days remaining instead of elapsed time for Milestone.

Closes #13623

See merge request !2978

Fix import from gitlab.com fails

_Originally opened at !2896 by @kazsw._

- - -

Fixes #12652

CGI.escape encodes '/' by default.
Second argument can be removed.

See merge request !2988

Fix help keyboard shortcut for relative URL setups

Fixes gitlab-org/gitlab-ce#12751

See merge request !3016