diff options
author | Imre Farkas <ifarkas@gitlab.com> | 2019-02-25 14:52:40 +0100 |
---|---|---|
committer | Imre Farkas <ifarkas@gitlab.com> | 2019-02-27 14:44:12 +0100 |
commit | 8343a1ac1be60308c29e899b2f1d6beab1f981a0 (patch) | |
tree | 08464a8abf968a66ed62c4badc642b5e37cc7c94 /changelogs | |
parent | 6e86d5e6189cee9711dc13b8650bf0579e31df21 (diff) | |
download | gitlab-ce-8343a1ac1be60308c29e899b2f1d6beab1f981a0.tar.gz |
Remove ability to revoke active session
Session ID is used as a parameter for the revoke session endpoint but it
should never be included in the HTML as an attacker could obtain it via
XSS.
Diffstat (limited to 'changelogs')
-rw-r--r-- | changelogs/unreleased/57534_filter_impersonated_sessions.yml | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/changelogs/unreleased/57534_filter_impersonated_sessions.yml b/changelogs/unreleased/57534_filter_impersonated_sessions.yml new file mode 100644 index 00000000000..80aea0ab1bc --- /dev/null +++ b/changelogs/unreleased/57534_filter_impersonated_sessions.yml @@ -0,0 +1,6 @@ +--- +title: Do not display impersonated sessions under active sessions and remove ability + to revoke session +merge_request: +author: +type: security |