Commit b0885ed9 authored by Robert Speicher's avatar Robert Speicher

Merge remote-tracking branch 'ce/master'

parents e1f29991 fe22704a
...@@ -658,6 +658,21 @@ entry. ...@@ -658,6 +658,21 @@ entry.
- Drop feature to take ownership of trigger token. - Drop feature to take ownership of trigger token.
## 11.11.7
### Security (9 changes)
- Restrict slash commands to users who can log in.
- Patch XSS issue in wiki links.
- Filter merge request params on the new merge request page.
- Fix Server Side Request Forgery mitigation bypass.
- Show badges if pipelines are public otherwise default to project permissions.
- Do not allow localhost url redirection in GitHub Integration.
- Do not show moved issue id for users that cannot read issue.
- Use source project as permissions reference for MergeRequestsController#pipelines.
- Drop feature to take ownership of trigger token.
## 11.11.4 (2019-06-26) ## 11.11.4 (2019-06-26)
### Fixed (3 changes) ### Fixed (3 changes)
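Review bot: the new `## 11.11.7` header has no release date, while the neighbouring `## 11.11.4 (2019-06-26)` header in the same file carries one; add the date in the same `(YYYY-MM-DD)` form so the section matches the file's convention. The `### Security (9 changes)` count does agree with the nine bullets listed under it.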
......
---
title: Queries for Upload should be scoped by model
merge_request:
author:
type: security
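Review bot: `merge_request:` and `author:` are left blank in this changelog entry; if that is deliberate for a fix landing from the security fork, fine, but the MR reference should be filled in once it is public. Note also that the title "Queries for Upload should be scoped by model" has no counterpart in the `11.11.7` security list added above, so confirm this entry is intended for the next unreleased section rather than the backport.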
...@@ -86,8 +86,11 @@ module Gitlab ...@@ -86,8 +86,11 @@ module Gitlab
# #
# The original hostname is used to validate the SSL, given in that scenario # The original hostname is used to validate the SSL, given in that scenario
# we'll be making the request to the IP address, instead of using the hostname. # we'll be making the request to the IP address, instead of using the hostname.
def enforce_uri_hostname(ip_address, uri, hostname, dns_rebind_protection) def enforce_uri_hostname(addrs_info, uri, hostname, dns_rebind_protection)
return [uri, nil] unless dns_rebind_protection && ip_address && ip_address != hostname address = addrs_info.first
ip_address = address.ip_address
return [uri, nil] unless dns_rebind_protection && ip_address != hostname
uri = uri.dup uri = uri.dup
uri.hostname = ip_address uri.hostname = ip_address
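Review bot: `address = addrs_info.first` followed by `address.ip_address` drops the nil guard the previous signature had (`ip_address && ip_address != hostname`): if the resolver hands back an empty list, `addrs_info.first` is `nil` and `nil.ip_address` raises `NoMethodError` instead of returning `[uri, nil]`. Suggest keeping the guard, e.g. `address = addrs_info.first` then `return [uri, nil] unless dns_rebind_protection && address && address.ip_address != hostname`, or document that the caller guarantees a non-empty list. Separately, only the first resolved address is pinned into `uri.hostname`; the method comment should state that any further addresses in `addrs_info` are ignored by this method.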
......