Commits · 952bd59d4f7330e1c460876d7a2ed8dad773be3d · nexedi / gitlab-ce

08 Aug, 2017 2 commits
- Merge branch 'import-symlinks-8-17' into 'security-8-17' · 952bd59d
  Mike Greiling authored Aug 08, 2017
```
Fix file disclosure via hidden symlinks using the project import (8.17)

See merge request !2160
```
  952bd59d
- Merge branch 'rs-alphanumeric-ssh-params-8-17' into 'security-8-17' · c0ab38a3
  Mike Greiling authored Aug 08, 2017
```
Ensure user and hostnames begin with an alnum character in UrlBlocker

See merge request !2153
```
  c0ab38a3
19 Jul, 2017 5 commits
- Update VERSION to 8.17.7 · 756f8537
  James Edwards-Jones authored Jul 19, 2017
  
  756f8537
- Update CHANGELOG.md for 8.17.7 · efdcf164
  James Edwards-Jones authored Jul 19, 2017
```
[ci skip]
```
  efdcf164
- Merge branch '33303-8-17-security-fix' into 'security-8-17' · 2788383b
  Sean McGivern authored Jul 19, 2017
```
[8-17 security fix] Renders 404 if given project is not readable by the user on Todos dashboard

See merge request !2136
```
  2788383b
- Merge branch 'fix-changelog-entry' into 'security-9-2' · 632aa1d4
  Sean McGivern authored Jul 19, 2017
```
Fix filename used for CHANGELOG entry

See merge request !2140
```
  632aa1d4
- Merge branch... · cced6ab6
  Sean McGivern authored Jul 19, 2017
```
Merge branch 'security-8-17-backport-33323-fix-incorrect-project-authorizations' into 'security-8-17'

Escape the underscore char inside the LIKE operator

See merge request !2134
```
  cced6ab6
05 May, 2017 4 commits
- Update VERSION to 8.17.6 · 7dd5ec18
  Lin Jen-Shin authored May 05, 2017
  
  7dd5ec18
- Update CHANGELOG.md for 8.17.6 · 5900680f
  Lin Jen-Shin authored May 05, 2017
```
[ci skip]
```
  5900680f
- Backport rake downtime_check otherwise it's not passing · ae5d4cfe
  Lin Jen-Shin authored May 05, 2017
  
  ae5d4cfe
- Don't need to check this old migration · 82a18ad9
  Lin Jen-Shin authored May 05, 2017
```
https://dev.gitlab.org/gitlab/gitlabhq/builds/1072446
```
  82a18ad9
04 May, 2017 10 commits
- Escape single quotes from gl dropdown · e6b872ea
  Felipe Artur authored May 04, 2017
  
  e6b872ea
- Fix specs · 6b8d61d1
  Felipe Artur authored May 04, 2017
  
  6b8d61d1
- Merge branch 'fix-hamlit-xss' into 'security-9-1' · 4c72a03c
  Robert Speicher authored May 02, 2017
```
New Hamlit XSS fix, does not include extraneous changes

See merge request !2095
```
  4c72a03c
- Merge branch 'snippets-finder-visibility' into 'security' · bd35f223
  Douwe Maan authored Apr 28, 2017
```
Refactor snippets finder & dont return internal snippets for external users

See merge request !2094
```
  bd35f223
- Merge branch 'branch-name-escape' into 'security' · b74683ee
  Robert Speicher authored May 03, 2017
```
Fix XSS in branches dropdown

See merge request !2093
```
  b74683ee
- Merge branch '31157-respect-project-features-in-wiki-search' into 'security' · 28b4d18f
  Douwe Maan authored Apr 24, 2017
```
Respect project features in wiki and blob search

See merge request !2089
```
  28b4d18f
- Merge branch 'snippets_visibility' into 'security' · 4621fa2b
  Sean McGivern authored Apr 25, 2017
```
Fix snippets visibility for show action - external users can not see internal snippets

See merge request !2087
```
  4621fa2b
- Merge branch 'rs-sanitize-submodule-urls' into 'security' · ecbd9da8
  Douwe Maan authored Apr 10, 2017
```
Sanitize submodule URLs before linking to them in the file tree view

See merge request !2084
```
  ecbd9da8
- Merge branch 'bvl-markup-pipeline' into 'security' · bfab73b0
  Robert Speicher authored May 02, 2017
```
Render asciidoc & other markup using banzai in a pipeline

See merge request !2088
```
  bfab73b0
- Merge branch 'bvl-validate-urls-in-markdown-using-uri' into 'security' · 401ab708
  Robert Speicher authored May 02, 2017
```
Add correct `rel` attributes to external links when rendering markdown

See merge request !2086
```
  401ab708
06 Apr, 2017 2 commits
- Update VERSION to 8.17.5 · 2e93947c
  DJ Mountney authored Apr 05, 2017
  
  2e93947c
- Update CHANGELOG.md for 8.17.5 · 9df1f13e
  DJ Mountney authored Apr 05, 2017
```
[ci skip]
```
  9df1f13e
05 Apr, 2017 6 commits
- Merge branch 'open-redirect-host-fix' into 'security' · 1c500992
  Sean McGivern authored Apr 05, 2017
```
Fix for three open redirect vulns using redirect_to url_for(params.merge)))

See merge request !2082
```
  1c500992
- Merge branch 'path-disclosure-proj-import-export' into 'security' · c4b71fc4
  DJ Mountney authored Apr 05, 2017
```
Fix for path disclosure in project import/export

See merge request !2080
```
  c4b71fc4
- Fix bug with conflict resolution for security release for the events_helper spec · aa21d8cc
  DJ Mountney authored Apr 05, 2017
```
Previously accidently added a test for a feature that does not exist in this release
: preserved styles in labels
```
  aa21d8cc
- Merge branch 'open-redirect-fix-continue-to' into 'security' · 8fae6a3d
  Sean McGivern authored Apr 05, 2017
```
Fix for open redirect vuln involving continue[to] params

See merge request !2083
```
  8fae6a3d
- Merge branch '29364-private-projects-mr-fix' into 'security' · 191e748c
  Sean McGivern authored Apr 03, 2017
```
Don’t show source project name when user does not have access

See merge request !2081
```
  191e748c
- Merge branch '30125-markdown-security' into 'security' · 806b4ad5
  Robert Speicher authored Apr 02, 2017
```
Remove class from SanitizationFilter whitelist

See merge request !2079
```
  806b4ad5
19 Mar, 2017 2 commits
- Update VERSION to 8.17.4 · 3d2890c8
  James Lopez authored Mar 19, 2017
  
  3d2890c8
- Update CHANGELOG.md for 8.17.4 · 1f4af97f
  James Lopez authored Mar 19, 2017
```
[ci skip]
```
  1f4af97f
18 Mar, 2017 5 commits

Merge branch 'ssrf' into 'security' · 78d47070
Rubén Dávila authored Mar 18, 2017
```
nil check for url_blocker?

See merge request !2076
```
78d47070

Merge branch 'render-json-leak' into 'security' · a70346fc

DJ Mountney authored Mar 18, 2017

fix for render json include leaks

See merge request !2074
Conflicts:
	app/controllers/projects/merge_requests_controller.rb
	spec/controllers/projects/issues_controller_spec.rb

a70346fc

Merge branch 'fix-links-target-blank' into 'security' · f71103df

Jacob Schatz authored Mar 15, 2017

Adds rel="noopener noreferrer" to all links with target="_blank"

See merge request !2071
Conflicts:
	app/assets/javascripts/environments/components/environment_external_url.js

f71103df

Merge branch 'ssrf' into 'security' · 026fc91c
Douwe Maan authored Mar 15, 2017
```
Protect server against SSRF in project import URLs

See merge request !2068
```
026fc91c
Merge branch '28058-hide-emails-in-atom-feeds' into 'security' · 2d05a040
Rémy Coutable authored Feb 16, 2017
```
Only show public emails in atom feeds

See merge request !2066
```
2d05a040

15 Mar, 2017 4 commits
- Merge branch 'cherry-pick-bba00a8a' into '8-17-stable' · 8fb40829
  Robert Speicher authored Mar 15, 2017
```
Backport GitLab.com Pages IP change to 8.17

[ci skip]

See merge request !9934
```
  8fb40829
- Fix migrations not specifying DOWNTIME · a8812aaa
  Rémy Coutable authored Mar 15, 2017
```
Signed-off-by: Rémy Coutable <remy@rymai.me>
```
  a8812aaa
- Add `DOWNTIME = false` to 20160620115026_add_index_on_runners_locked.rb · 67de3543
  Rémy Coutable authored Mar 15, 2017
```
Signed-off-by: Rémy Coutable <remy@rymai.me>
```
  67de3543
- Add `DOWNTIME = false` to db/migrate/20160615142710_add_index_on_requested_at_to_members · 6b21a4bf
  Rémy Coutable authored Mar 15, 2017
```
Signed-off-by: Rémy Coutable <remy@rymai.me>
```
  6b21a4bf