Merge branch 'ssrf' into 'security'

Protect server against SSRF in project import URLs See merge request !2068
author: Douwe Maan <douwe@gitlab.com> 2017-03-15 20:09:08 +0000
committer: DJ Mountney <david@twkie.net> 2017-03-17 19:15:23 -0700
commit: f501ead612314afb06be8c1b15739a04c9ea73ff (patch)
tree: 4f7cea119641ebc2ac9c7772837bfe936b293018 /changelogs
parent: c0873f946c27da9696d026860d7d2f1e768c8ebc (diff)
download: gitlab-ce-f501ead612314afb06be8c1b15739a04c9ea73ff.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/changelogs/unreleased/ssrf-protections.yml b/changelogs/unreleased/ssrf-protections.yml
new file mode 100644
index 00000000000..8d803738009
--- /dev/null
+++ b/changelogs/unreleased/ssrf-protections.yml
@@ -0,0 +1,4 @@
+---
+title: To protect against Server-side Request Forgery project import URLs are now prohibited against localhost or the server IP except for the assigned instance URL and port. Imports are also prohibited from ports below 1024 with the exception of ports 22, 80, and 443.
+merge_request:
+author:
author	Douwe Maan <douwe@gitlab.com>	2017-03-15 20:09:08 +0000
committer	DJ Mountney <david@twkie.net>	2017-03-17 19:15:23 -0700
commit	f501ead612314afb06be8c1b15739a04c9ea73ff (patch)
tree	4f7cea119641ebc2ac9c7772837bfe936b293018 /changelogs
parent	c0873f946c27da9696d026860d7d2f1e768c8ebc (diff)
download	gitlab-ce-f501ead612314afb06be8c1b15739a04c9ea73ff.tar.gz