1. 21 Mar, 2016 2 commits
  2. 18 Mar, 2016 2 commits
  3. 16 Mar, 2016 3 commits
  4. 14 Mar, 2016 2 commits
  5. 08 Mar, 2016 1 commit
  6. 03 Mar, 2016 3 commits
  7. 23 Feb, 2016 2 commits
  8. 10 Feb, 2016 5 commits
  9. 09 Feb, 2016 7 commits
  10. 05 Jan, 2016 1 commit
  11. 04 Jan, 2016 2 commits
  12. 14 Dec, 2015 2 commits
  13. 11 Dec, 2015 2 commits
  14. 01 Dec, 2015 1 commit
  15. 26 Nov, 2015 1 commit
  16. 25 Nov, 2015 4 commits
    • Merge branch 'y/git-home' into 'master' · 216d7e15
      Dmitriy Zaporozhets authored
      Pass $HOME to git as well
      
      [ this patch has the same rationale and reasoning as
        https://gitlab.com/gitlab-org/gitlab-workhorse/commit/0d0bd209
      
        details follow ]
      
      Git has 3 places for configs:
      
          - system
          - global (per user), and
          - local  (per repository)
      
      System config location is hardcoded at git compile time (to usually
      $prefix/etc/gitconfig). Local configuration is usually picked because we
      pass full repo path to subcommand. But global configuration is currently not
      picked at all, because HOME env variable is not passed to git.
      
      Pass $HOME through and let git see its "global" config.
      
      Currently GitLab omnibus stores gitlab user name/email + "autocrlf =
      true" in global config, so missing it should not be a blocker for
      receive/send-pack operations. But having it is more correct and can be
      handy in the future if/when more git operations are done from-under
      gitlab-shell.
      
      Having $HOME properly set is also needed when one cannot change system
      git config and has to put site-wide configuration into global git
      config under $HOME.
      
      That was the case I've hit and the reason for this patch.
      
      /cc @dzaporozhets, @jacobvosmaer
      
      See merge request !32
    • Add spec for stricter exec_cmd checks · ca66ab51
      Jacob Vosmaer authored
    • Limit availability of SSH_ORIGINAL_COMMAND · 712daa41
      Jacob Vosmaer authored
      Hoping this makes it more obvious when code touches the very
      unsafe contents of this variable.
    • Disallow execing strings · c4ea06e5
      Jacob Vosmaer authored
      Passing strings to Kernel::exec leads to remote code execution.
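
The three ideas in the commits above (reject string commands, run an argv list without a shell, pass `$HOME` through an otherwise stripped environment) can be seen together in the following added example. It is not gitlab-shell's code: `checked_argv`, `child_env`, `run_checked` and `DisallowedCommandError` are hypothetical names, and `IO.popen` stands in for `Kernel.exec` so the result can be observed.

```ruby
# Added illustration, not gitlab-shell's code; all names here are hypothetical.
class DisallowedCommandError < StandardError; end

# Accept only an argv list of Strings with at least one argument.
# A lone String is rejected: Kernel#exec and IO.popen hand a single String to
# /bin/sh when it contains shell metacharacters, and exec(*argv) with a
# one-element argv degenerates to exactly that String form.
def checked_argv(*args)
  args = args.first if args.length == 1 && args.first.is_a?(Array)
  unless args.length >= 2 && args.all? { |a| a.is_a?(String) }
    raise DisallowedCommandError, 'expected argv: command plus at least one argument'
  end
  args
end

# Minimal child environment. HOME lets git locate the per-user ("global")
# config; PATH is kept for command lookup. Nothing else is listed, so with
# unsetenv_others the child never sees SSH_ORIGINAL_COMMAND.
def child_env
  { 'HOME' => ENV['HOME'], 'PATH' => ENV['PATH'] }
end

# Run argv with no shell and return its stdout. IO.popen stands in for
# Kernel.exec, which would replace this process and leave nothing to inspect.
def run_checked(*args)
  IO.popen(child_env, checked_argv(*args), unsetenv_others: true, &:read)
end

if __FILE__ == $PROGRAM_NAME
  ENV['SSH_ORIGINAL_COMMAND'] = 'constructed; value' # constructed sample
  # Metacharacters in an argument stay literal: echo receives one argv entry.
  puts run_checked('echo', 'x; echo INJECTED')
  # HOME is visible to the child, SSH_ORIGINAL_COMMAND is not.
  puts run_checked('sh', '-c', 'echo "$HOME ${SSH_ORIGINAL_COMMAND:-unset}"')
  begin
    run_checked('echo x; echo INJECTED') # single String: refused before any spawn
  rescue DisallowedCommandError => e
    puts "rejected: #{e.message}"
  end
end
```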