Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
b0885ed9
Commit
b0885ed9
authored
Jul 29, 2019
by
Robert Speicher
Browse files
Options
Browse Files
Download
Plain Diff
Merge remote-tracking branch 'ce/master'
parents
e1f29991
fe22704a
Changes
3
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
25 additions
and
2 deletions
+25
-2
CHANGELOG.md
CHANGELOG.md
+15
-0
changelogs/unreleased/security-60551-fix-upload-scope.yml
changelogs/unreleased/security-60551-fix-upload-scope.yml
+5
-0
lib/gitlab/url_blocker.rb
lib/gitlab/url_blocker.rb
+5
-2
No files found.
CHANGELOG.md
View file @
b0885ed9
...
@@ -658,6 +658,21 @@ entry.
...
@@ -658,6 +658,21 @@ entry.
-
Drop feature to take ownership of trigger token.
-
Drop feature to take ownership of trigger token.
## 11.11.7
### Security (9 changes)
-
Restrict slash commands to users who can log in.
-
Patch XSS issue in wiki links.
-
Filter merge request params on the new merge request page.
-
Fix Server Side Request Forgery mitigation bypass.
-
Show badges if pipelines are public otherwise default to project permissions.
-
Do not allow localhost url redirection in GitHub Integration.
-
Do not show moved issue id for users that cannot read issue.
-
Use source project as permissions reference for MergeRequestsController#pipelines.
-
Drop feature to take ownership of trigger token.
## 11.11.4 (2019-06-26)
## 11.11.4 (2019-06-26)
### Fixed (3 changes)
### Fixed (3 changes)
...
...
changelogs/unreleased/security-60551-fix-upload-scope.yml
0 → 100644
View file @
b0885ed9
---
title
:
Queries for Upload should be scoped by model
merge_request
:
author
:
type
:
security
lib/gitlab/url_blocker.rb
View file @
b0885ed9
...
@@ -86,8 +86,11 @@ module Gitlab
...
@@ -86,8 +86,11 @@ module Gitlab
#
#
# The original hostname is used to validate the SSL, given in that scenario
# The original hostname is used to validate the SSL, given in that scenario
# we'll be making the request to the IP address, instead of using the hostname.
# we'll be making the request to the IP address, instead of using the hostname.
def
enforce_uri_hostname
(
ip_address
,
uri
,
hostname
,
dns_rebind_protection
)
def
enforce_uri_hostname
(
addrs_info
,
uri
,
hostname
,
dns_rebind_protection
)
return
[
uri
,
nil
]
unless
dns_rebind_protection
&&
ip_address
&&
ip_address
!=
hostname
address
=
addrs_info
.
first
ip_address
=
address
.
ip_address
return
[
uri
,
nil
]
unless
dns_rebind_protection
&&
ip_address
!=
hostname
uri
=
uri
.
dup
uri
=
uri
.
dup
uri
.
hostname
=
ip_address
uri
.
hostname
=
ip_address
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment