diff options
| author | Dmitriy Zaporozhets <dzaporozhets@gitlab.com> | 2015-04-14 13:07:27 +0000 |
|---|---|---|
| committer | Dmitriy Zaporozhets <dzaporozhets@gitlab.com> | 2015-04-14 13:07:27 +0000 |
| commit | bf7932bd06e45f82c7aa80373aa3aa1bf52d4d88 (patch) | |
| tree | 2050f84049c32e1ae97302dd74888ab7d7b72824 /CHANGELOG | |
| parent | 582bff2ce437cb5c79d08827d68a566ca6689f4b (diff) | |
| parent | 5e2f25c32ee36ed5a4ad137c299b60d91b7ebdeb (diff) | |
| download | gitlab-ce-bf7932bd06e45f82c7aa80373aa3aa1bf52d4d88.tar.gz | |
Merge branch 'dir-traversal' into 'master'
Fix directory traversal vulnerabilities
Fixes gitlab/gitlab-ee#272.
As @joern mentions:
> This is not exploitable via the front-end nginx. But nevertheless this issue should be addressed.
See merge request !1760
Diffstat (limited to 'CHANGELOG')
| -rw-r--r-- | CHANGELOG | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/CHANGELOG b/CHANGELOG index 93dfa28d974..0ecde5ef89c 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -4,6 +4,8 @@ v 7.10.0 (unreleased) - Fix broken file browsing with a submodule that contains a relative link (Stan Hu) - Fix persistent XSS vulnerability around profile website URLs. - Fix project import URL regex to prevent arbitary local repos from being imported. + - Fix directory traversal vulnerability around uploads routes. + - Fix directory traversal vulnerability around help pages. - Fix bug where Wiki pages that included a '/' were no longer accessible (Stan Hu) - Fix bug where error messages from Dropzone would not be displayed on the issues page (Stan Hu) - Add ability to configure Reply-To address in gitlab.yml (Stan Hu) |