- 15 Jun, 2016 1 commit
-
-
Tomasz Maczukin authored
-
- 14 Jun, 2016 4 commits
-
-
Tomasz Maczukin authored
-
Robert Speicher authored
Forbid scripting for wiki files Wiki files (not pages - files in the repo) are just sent to the browser with whatever content-type the mime_types gem assigns to them based on their extension. As this is from the same domain as the GitLab application, this is an XSS vulnerability. Set a CSP forbidding all sources for scripting, CSS, XHR, etc. on these files. Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/17298. See merge request !1969
-
Tomasz Maczukin authored
-
Douwe Maan authored
Remove 'unscoped' from project builds selection This is a fix for this security bug: https://gitlab.com/gitlab-org/gitlab-ce/issues/18188 /cc @kamil @grzegorz @stanhu See merge request !1968
-
- 27 Apr, 2016 1 commit
-
-
Robert Speicher authored
-
- 26 Apr, 2016 8 commits
-
-
Robert Speicher authored
[ci skip]
-
Robert Speicher authored
Prevent privilege escalation via notes API Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15577 See merge request !1964
-
Robert Speicher authored
Prevent information disclosure via new merge request page Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15591. See merge request !1963 Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Grzegorz Bizon authored
Fix vulnerability that leaks private labels and milestones This fixes vulnerability that leaks information about private labels and milestones because of insecure direct object reference in issueable create service. This affects merge requests and issues. See https://gitlab.com/gitlab-org/gitlab-ce/issues/15439 This MR introduces additional check that rejects labels and milestone that does not belong to the same project issue/merg request does. `IssuableBaseService` may benefit from encapsulating filters in separate class/module, which then may improve coherency in this class. Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15439 See merge request !1954 Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Robert Speicher authored
Prevent information disclosure via snippet API Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15580 See merge request !1958 Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Rémy Coutable authored
Prevent users from deleting Webhooks via API they do not own Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15576 See merge request !1959 Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Robert Speicher authored
Prevent XSS via custom issue tracker URL Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/15437 See merge request !1955 Signed-off-by: Rémy Coutable <remy@rymai.me>
-
Robert Speicher authored
-
- 25 Apr, 2016 2 commits
-
-
Robert Speicher authored
Prevent privilege escalation via "impersonate" feature Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15548 See merge request !1956
-
Robert Speicher authored
Fixes window.opener bug Adds `noreferrer` value to rel attribute for external links REF: https://gitlab.com/gitlab-org/gitlab-ce/issues/15331 See merge request !1953
-
- 20 Apr, 2016 1 commit
-
-
Robert Speicher authored
-
- 19 Apr, 2016 2 commits
-
-
Robert Speicher authored
-
-
- 07 Apr, 2016 4 commits
-
-
Robert Speicher authored
-
Robert Speicher authored
-
Robert Speicher authored
-
Rémy Coutable authored
Fix 2FA authentication spoofing Signed-off-by: Rémy Coutable <remy@rymai.me>
-
- 05 Apr, 2016 3 commits
-
-
Robert Speicher authored
-
Robert Speicher authored
[ci skip]
-
Stan Hu authored
Closes #13957
-
- 17 Mar, 2016 3 commits
-
-
Robert Speicher authored
-
Robert Speicher authored
Bump Git version requirement to 2.7.4 (for 8.3) [ci skip] See merge request !3284
-
Douwe Maan authored
-
- 12 Jan, 2016 3 commits
-
-
Jacob Vosmaer authored
-
Jacob Vosmaer authored
-
Jacob Vosmaer authored
Fixes routing errors for /api/v3/projects/ [ci skip]
-
- 11 Jan, 2016 8 commits
-
-
Robert Speicher authored
-
Robert Speicher authored
[ci skip]
-
Robert Speicher authored
[ci skip]
-
Douwe Maan authored
Fix project destroy callback See gitlab-org/gitlab-ee!107. See merge request !2307
-
Robert Speicher authored
Use gitlab-workhorse 0.5.3 See merge request !2367
-
Robert Speicher authored
Generate builds when creating tag using web interface Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/4296 See merge request !2366
-
Robert Speicher authored
-
Douwe Maan authored
Optimize LDAP and add a search timeout Related to #4282 This merge request arranges some things in `access.rb` to facilitate some optimizations in EE (to come later). It also adds a 10 second timeout to all LDAP searches so the entire worker is not blocked if some query doesn't return in a reasonable amount of time. This timeout is configurable per LDAP server. See merge request !2267
-