Merge branch 'security-50334-11-8' into '11-8-stable'

Fix git clone revealing private repo's presence See merge request gitlab/gitlabhq!2938
author: Yorick Peterse <yorickpeterse@gmail.com> 2019-02-27 14:20:53 +0000
committer: Yorick Peterse <yorickpeterse@gmail.com> 2019-02-27 14:20:53 +0000
commit: 1b00e2bf07304fcb0e926f1381fdaed8446d8353 (patch)
tree: d1100815343fec061224b5bb0037e3fbe34006e0 /lib
parent: 8b269cadb2538b281247ec3074948fa0a39f9418 (diff)
parent: dbcf037b9d608a3d17ff3f4f1c234b4f28f2de15 (diff)
download: gitlab-ce-1b00e2bf07304fcb0e926f1381fdaed8446d8353.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/constraints/project_url_constrainer.rb b/lib/constraints/project_url_constrainer.rb
index eadfbf7bc01..d41490d2ebd 100644
--- a/lib/constraints/project_url_constrainer.rb
+++ b/lib/constraints/project_url_constrainer.rb
@@ -2,12 +2,13 @@
 
 module Constraints
   class ProjectUrlConstrainer
-    def matches?(request)
+    def matches?(request, existence_check: true)
       namespace_path = request.params[:namespace_id]
       project_path = request.params[:project_id] || request.params[:id]
       full_path = [namespace_path, project_path].join('/')
 
       return false unless ProjectPathValidator.valid_path?(full_path)
+      return true unless existence_check
 
       # We intentionally allow SELECT(*) here so result of this query can be used
       # as cache for further Project.find_by_full_path calls within request
author	Yorick Peterse <yorickpeterse@gmail.com>	2019-02-27 14:20:53 +0000
committer	Yorick Peterse <yorickpeterse@gmail.com>	2019-02-27 14:20:53 +0000
commit	1b00e2bf07304fcb0e926f1381fdaed8446d8353 (patch)
tree	d1100815343fec061224b5bb0037e3fbe34006e0 /lib
parent	8b269cadb2538b281247ec3074948fa0a39f9418 (diff)
parent	dbcf037b9d608a3d17ff3f4f1c234b4f28f2de15 (diff)
download	gitlab-ce-1b00e2bf07304fcb0e926f1381fdaed8446d8353.tar.gz