1. 02 Aug, 2016 8 commits
  2. 15 Jun, 2016 1 commit
  3. 14 Jun, 2016 4 commits
  4. 27 Apr, 2016 1 commit
  5. 26 Apr, 2016 5 commits
  6. 25 Apr, 2016 6 commits
  7. 20 Apr, 2016 1 commit
  8. 19 Apr, 2016 4 commits
  9. 15 Apr, 2016 5 commits
  10. 07 Apr, 2016 5 commits
      Update VERSION to 8.6.5 · e63f120e
      Robert Speicher authored
      Merge branch 'patch/fix-ldap-unblock-user-logic' into 'master' · 0a3f3668
      Robert Speicher authored
      Unblocks user when active_directory is disabled and it can be found
      
      We implemented a specific block state to handle user blocking that originates from LDAP filtering rules / directory state in !2242.
      
      That introduced a regression in LDAP authentication when Active Directory support was disabled. You could have a scenario where the user would temporarily not be found (e.g. because of a filtering rule), which would mark the user as `ldap_blocked` but would never unblock them automatically when that state changed.
      
      Fixes #14253, #13179, #13259, #13959
      
      See merge request !3550
      Merge branch 'reorder-language' into 'master' · 44c03542
      Yorick Peterse authored
      Update language after doing all other operations
      
      See merge request !3533
      Signed-off-by: Rémy Coutable <remy@rymai.me>
      Merge branch 'fix/2fa-authentication-spoofing' into 'master' · ea1b80ae
      Rémy Coutable authored
      Fix 2FA authentication spoofing
      
      ## Summary
      
      This is a security fix for the vulnerability described at
      https://gitlab.com/gitlab-org/gitlab-ce/issues/14900.
      
      An attacker was able to bypass password authentication of users that have 2FA enabled, and consequently sign in as a different user, without knowing their password, if they managed to guess the 2FA One Time Password for that user.
      
      It was also possible to enumerate users and check if they have 2FA enabled, because GitLab responded with a different error for each case.
      
      ## Fix
      
      This MR attempts to change the default user search scope if the `otp_user_id` session variable has been set. If it is present, it means that the user has 2FA enabled and has already been verified with login and password. In this case we should look for the user with `otp_user_id` first, before picking it up by `login`.
      
      Both 2FA authentication spoofing and 2FA discovery have been covered by specs.
      
      ## Further work
      
      Current 2FA code is a bit tricky, so it probably needs some refactoring.
      
      See merge request !1947
      Signed-off-by: Rémy Coutable <remy@rymai.me>
      Merge branch 'return-303-for-branch-deletion' into 'master' · 5294f536
      Rémy Coutable authored
      Return status code 303 after a branch DELETE operation to avoid project deletion
      
      Closes #14994
      
      See merge request !3583
      Signed-off-by: Rémy Coutable <remy@rymai.me>