author | Yorick Peterse <yorickpeterse@gmail.com> | 2019-02-27 14:20:53 +0000 |
---|---|---|
committer | Yorick Peterse <yorickpeterse@gmail.com> | 2019-02-27 14:20:53 +0000 |
commit | 1b00e2bf07304fcb0e926f1381fdaed8446d8353 (patch) | |
tree | d1100815343fec061224b5bb0037e3fbe34006e0 /lib | |
parent | 8b269cadb2538b281247ec3074948fa0a39f9418 (diff) | |
parent | dbcf037b9d608a3d17ff3f4f1c234b4f28f2de15 (diff) | |
download | gitlab-ce-1b00e2bf07304fcb0e926f1381fdaed8446d8353.tar.gz |
Merge branch 'security-50334-11-8' into '11-8-stable'
Fix git clone revealing private repo's presence
See merge request gitlab/gitlabhq!2938
Diffstat (limited to 'lib')
-rw-r--r-- | lib/constraints/project_url_constrainer.rb | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/constraints/project_url_constrainer.rb b/lib/constraints/project_url_constrainer.rb
index eadfbf7bc01..d41490d2ebd 100644
--- a/lib/constraints/project_url_constrainer.rb
+++ b/lib/constraints/project_url_constrainer.rb
@@ -2,12 +2,13 @@
 module Constraints
 class ProjectUrlConstrainer
- def matches?(request)
+ def matches?(request, existence_check: true)
 namespace_path = request.params[:namespace_id]
 project_path = request.params[:project_id] || request.params[:id]
 full_path = [namespace_path, project_path].join('/')
 return false unless ProjectPathValidator.valid_path?(full_path)
+ return true unless existence_check
 # We intentionally allow SELECT(*) here so result of this query can be used
 # as cache for further Project.find_by_full_path calls within request |
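Review bot: The early `return true unless existence_check` makes `matches?` accept any syntactically valid path, and nothing on the method says why a caller would want that or what it must then guarantee. Judging by the commit title, the aim is to stop routing from answering differently for missing and private projects, so a caller passing `existence_check: false` presumably has to produce the same response for both cases itself. I would document that on the method, e.g. `# existence_check: false skips the DB lookup so routing cannot reveal whether a project exists; the caller must then answer identically for missing and unauthorized projects.` The call sites are not in this diff (the diffstat is limited to lib), so whether they do this could not be confirmed here. The body of `matches?` continues past the end of the hunk.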