Merge remote-tracking branch 'ce/master'

CHANGELOG.md

@@ -658,6 +658,21 @@ entry.
 - Drop feature to take ownership of trigger token.
 
 
+## 11.11.7
+
+### Security (9 changes)
+
+- Restrict slash commands to users who can log in.
+- Patch XSS issue in wiki links.
+- Filter merge request params on the new merge request page.
+- Fix Server Side Request Forgery mitigation bypass.
+- Show badges if pipelines are public otherwise default to project permissions.
+- Do not allow localhost url redirection in GitHub Integration.
+- Do not show moved issue id for users that cannot read issue.
+- Use source project as permissions reference for MergeRequestsController#pipelines.
+- Drop feature to take ownership of trigger token.
+
+
 ## 11.11.4 (2019-06-26)
 
 ### Fixed (3 changes)

changelogs/unreleased/security-60551-fix-upload-scope.yml

+---
+title: Queries for Upload should be scoped by model
+merge_request:
+author:
+type: security

lib/gitlab/url_blocker.rb

@@ -86,8 +86,11 @@ module Gitlab
       #
       # The original hostname is used to validate the SSL, given in that scenario
       # we'll be making the request to the IP address, instead of using the hostname.
-      def enforce_uri_hostname(ip_address, uri, hostname, dns_rebind_protection)
-        return [uri, nil] unless dns_rebind_protection && ip_address && ip_address != hostname
+      def enforce_uri_hostname(addrs_info, uri, hostname, dns_rebind_protection)
+        address = addrs_info.first
+        ip_address = address.ip_address
+
+        return [uri, nil] unless dns_rebind_protection && ip_address != hostname
 
         uri = uri.dup
         uri.hostname = ip_address