author: Grzegorz Bizon <grzegorz@gitlab.com>, 2016-04-22 06:51:40 +0000
committer: Grzegorz Bizon <grzegorz@gitlab.com>, 2016-04-22 06:51:40 +0000
commit: 988dad46499e22defc4e0b646b4580db23a44925
tree: e1fca49b6d764f0c2be3c00577889c918d50a6c8 /spec/helpers
parent: aea97991977bc2af27ce93f5b5e2bd9b7735999e
parent: 55df95c3886b42e92b0079b4d9d5eef0011f44d5
Merge branch 'fix/private-labels-permissions' into 'master'

Fix vulnerability that leaks private labels and milestones

## Summary

This fixes a vulnerability that leaks information about private labels and milestones because of an insecure direct object reference in the issuable create service. This affects merge requests and issues.

See https://gitlab.com/gitlab-org/gitlab-ce/issues/15439

## Fix

This MR introduces an additional check that rejects labels and milestones that do not belong to the same project the issue/merge request does.

## Further work

`IssuableBaseService` may benefit from encapsulating filters in a separate class/module, which then may improve coherency in this class.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15439

See merge request !1954

Diffstat (limited to 'spec/helpers')
0 files changed, 0 insertions, 0 deletions
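
The kind of check the commit message describes, as an added example that is not GitLab's code and not part of this commit: a create service that resolves request-supplied label and milestone ids globally, next to one that first drops ids belonging to another project. The structs, method names and sample data are hypothetical, and in-memory arrays stand in for the database.

```ruby
# Added illustration; NOT GitLab's IssuableBaseService. All names are hypothetical.
Label     = Struct.new(:id, :project_id, :title)
Milestone = Struct.new(:id, :project_id, :title)
Issue     = Struct.new(:project_id, :title, :labels, :milestone)

# Constructed sample data: project 1 is public, project 2 is private.
LABELS     = [Label.new(10, 1, 'bug'), Label.new(20, 2, 'secret-customer')].freeze
MILESTONES = [Milestone.new(5, 1, 'v1.0'), Milestone.new(6, 2, 'acquisition')].freeze

# "Before": ids from the request are looked up globally, so the created issue
# carries (and displays the titles of) objects owned by another project.
def create_issue_insecure(project_id, params)
  labels    = LABELS.select { |l| Array(params[:label_ids]).include?(l.id) }
  milestone = MILESTONES.find { |m| m.id == params[:milestone_id] }
  Issue.new(project_id, params[:title], labels, milestone)
end

# "After": every referenced id is checked against the issue's own project
# before use; ids that belong elsewhere are silently dropped.
def filter_params(project_id, params)
  own_labels     = LABELS.select { |l| l.project_id == project_id }.map(&:id)
  own_milestones = MILESTONES.select { |m| m.project_id == project_id }.map(&:id)

  filtered = params.dup
  filtered[:label_ids]    = Array(params[:label_ids]) & own_labels
  filtered[:milestone_id] = nil unless own_milestones.include?(params[:milestone_id])
  filtered
end

def create_issue(project_id, params)
  create_issue_insecure(project_id, filter_params(project_id, params))
end

# Constructed request against project 1 that also references project 2's objects.
REQUEST = { title: 'x', label_ids: [10, 20], milestone_id: 6 }.freeze
```

The filter runs on the server against the target project's own records, so it holds regardless of what ids the client submits.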