- 26 Apr, 2016 5 commits
-
-
Grzegorz Bizon authored
Fix vulnerability that leaks private labels and milestones This fixes a vulnerability that leaks information about private labels and milestones because of an insecure direct object reference in the issuable create service. This affects merge requests and issues. See https://gitlab.com/gitlab-org/gitlab-ce/issues/15439 This MR introduces an additional check that rejects labels and milestones that do not belong to the same project the issue/merge request does. `IssuableBaseService` may benefit from encapsulating filters in a separate class/module, which then may improve coherency in this class. Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15439 See merge request !1954 Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Robert Speicher authored
Prevent information disclosure via snippet API Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15580 See merge request !1958 Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Rémy Coutable authored
Prevent users from deleting Webhooks via API they do not own Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15576 See merge request !1959 Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Robert Speicher authored
Prevent XSS via custom issue tracker URL Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/15437 See merge request !1955 Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Robert Speicher authored
-
- 25 Apr, 2016 2 commits
-
-
Robert Speicher authored
Prevent privilege escalation via "impersonate" feature Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15548 See merge request !1956
-
Robert Speicher authored
Fixes window.opener bug Adds `noreferrer` value to rel attribute for external links REF: https://gitlab.com/gitlab-org/gitlab-ce/issues/15331 See merge request !1953
-
- 20 Apr, 2016 1 commit
-
-
Robert Speicher authored
-
- 19 Apr, 2016 2 commits
-
-
Robert Speicher authored
-
-
- 07 Apr, 2016 4 commits
-
-
Robert Speicher authored
-
Robert Speicher authored
-
Robert Speicher authored
-
Rémy Coutable authored
Fix 2FA authentication spoofing Signed-off-by: Rémy Coutable <remy@rymai.me>
-
- 05 Apr, 2016 3 commits
-
-
Robert Speicher authored
-
Robert Speicher authored
[ci skip]
-
Stan Hu authored
Closes #13957
-
- 17 Mar, 2016 3 commits
-
-
Robert Speicher authored
-
Robert Speicher authored
Bump Git version requirement to 2.7.4 (for 8.3) [ci skip] See merge request !3284
-
Douwe Maan authored
-
- 12 Jan, 2016 3 commits
-
-
Jacob Vosmaer authored
-
Jacob Vosmaer authored
-
Jacob Vosmaer authored
Fixes routing errors for /api/v3/projects/ [ci skip]
-
- 11 Jan, 2016 11 commits
-
-
Robert Speicher authored
-
Robert Speicher authored
[ci skip]
-
Robert Speicher authored
[ci skip]
-
Douwe Maan authored
Fix project destroy callback See gitlab-org/gitlab-ee!107. See merge request !2307
-
Robert Speicher authored
Use gitlab-workhorse 0.5.3 See merge request !2367
-
Robert Speicher authored
Generate builds when creating tag using web interface Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/4296 See merge request !2366
-
Robert Speicher authored
-
Douwe Maan authored
Optimize LDAP and add a search timeout Related to #4282 This merge request arranges some things in `access.rb` to facilitate some optimizations in EE (to come later). It also adds a 10 second timeout to all LDAP searches so the entire worker is not blocked if some query doesn't return in a reasonable amount of time. This timeout is configurable per LDAP server. See merge request !2267
-
Dmitriy Zaporozhets authored
Use WOFF versions of SourceSansPro See https://gitlab.com/gitlab-org/gitlab-ce/issues/6023 See merge request !2357
-
-
Stan Hu authored
Fix Error 500 when visiting build page of project with nil runners_token Properly ensure that the token exists and add a defensive check for a non-nil value. Closes #4294 See merge request !2294
-
- 10 Jan, 2016 2 commits
-
-
Robert Speicher authored
Do not call API if there is no API URL Fixes #5878 CE users may not be interested in the new JIRA features. In this case, we should detect they haven't set an API URL and fall back to the behavior pre-8.3. This patch does that very easily. There are planned improvements to JIRA in future releases such as gitlab-org/gitlab-ce#5541 which will make this more configurable. See merge request !2341
-
Robert Speicher authored
Add CHANGELOG entry for reply-by-email fix [ci skip] See merge request !2359
-
- 08 Jan, 2016 1 commit
-
-
Stan Hu authored
Suppress e-mails on failed builds if allow_failure is set Every time I push to GitLab, I get > 2 emails saying a spec failed when I don't care about the benchmarks and others that have `allow_failure` set to `true`. @ayufan mentioned creating a summary e-mail to prevent getting one e-mail per build, but the latter might actually be desirable. For example, I do want to know if Rubocop errors fail right away. See merge request !2178
-
- 06 Jan, 2016 2 commits
-
-
Robert Speicher authored
Get "Merge when build succeeds" to work when commits were pushed to MR target branch while builds were running The Merge when build succeeds service only merges when the MR is mergeable (open, not WIP, no conflicts). When the target branch is updated, all affected MRs have their merge status set to `unchecked`, and the conflicts check will only happen when `check_if_can_be_merged` is called, which happens when the MR page is viewed. When someone enables the automatic merge, the target branch is updated, no-one views the MR page again, and the build succeeds, the mergeability check will fail and the MR will not in fact be merged. This MR makes sure `check_if_can_be_merged` is always called when MR mergeability is checked. See merge request !2304
-
Robert Speicher authored
This reverts commit 9c8ce4b6.
-
- 05 Jan, 2016 1 commit
-
-
Douwe Maan authored
Better support for referencing and closing issues in asana_service.rb (by @mikew1) See merge request !2302
-