Commit message | Author | Age | Files | Lines

(Indented entries are the commits brought in by the merge commit listed above them.)

* Update VERSION to 9.4.7 (refs: v9.4.7, release-tools-create-branch, 9-4-stable-patch-9, 9-4-stable-patch-1, 9-4-stable) | Jarka Kadlecova | 2017-10-16 | 1 | -1/+1
* Update CHANGELOG.md for 9.4.7 | Jarka Kadlecova | 2017-10-16 | 7 | -29/+9
    [ci skip]
* Merge branch '3435-backport-9-4' into 'security-9-4' | Stan Hu | 2017-10-15 | 4 | -23/+2
    3435 backport for 9.4
    See merge request gitlab/gitlabhq!2206
* Merge branch 'winh-upgrade-nokogiri' into 'master' | Robert Speicher | 2017-10-12 | 2 | -5/+5
    Upgrade Nokogiri because of CVE-2017-9050
    See merge request gitlab-org/gitlab-ce!14427
* Upgrade mail and nokogiri gems due to security issues | Markus Koller | 2017-10-12 | 2 | -4/+9
* Merge branch '38126-security-username-change-9-4' into 'security-9-4' | Douwe Maan | 2017-10-12 | 4 | -12/+49
    Move project repositories between namespaces when renaming users (9.4)
    See merge request gitlab/gitlabhq!2201
* Merge branch 'winh-search-bar-xss-9.4' into 'security-9-4' | Phil Hughes | 2017-10-12 | 3 | -2/+29
    Escape user name in filtered search bar
    See merge request gitlab/gitlabhq!2196
* Merge branch 'rs-sanitize-unicode-in-protocol-9-4' into 'security-9-4' | Douwe Maan | 2017-10-12 | 3 | -2/+22
    [9.4] Prevent a persistent XSS in user-provided markup
    See merge request gitlab/gitlabhq!2204
* Merge branch '37759-also-treat-newlines-as-separator' into 'master' | Kamil Trzciński | 2017-10-12 | 3 | -14/+30
    Treat newlines as separators for pipeline emails service
    Closes #37759
    See merge request gitlab-org/gitlab-ce!14250
* Merge branch 'fix-arbitrary-redirect-vulnerability' into 'security-10-0' | Robert Speicher | 2017-10-12 | 3 | -10/+15
    Fix arbitrary redirect location vulnerability
    See merge request gitlab/gitlabhq!2192
* Update VERSION to 9.4.6 (refs: v9.4.6) | Jose Ivan Vargas | 2017-09-06 | 1 | -1/+1
* Update CHANGELOG.md for 9.4.6 | Jose Ivan Vargas | 2017-09-06 | 10 | -39/+12
    [ci skip]
* Merge branch 'fix-comment-reflection-9-4' into 'security-9-4' | Jacob Schatz | 2017-09-06 | 2 | -5/+22
    Fix Live Comment XSS Vulnerability for 9.4
    See merge request gitlab/gitlabhq!2189
  * Added missing at sign | Jose Ivan Vargas | 2017-09-05 | 1 | -3/+3
  * Resetting the value just to be sure afterwards again through .text() | Tim Zallmann | 2017-09-05 | 1 | -0/+3
  * Fixed Test for Notes Spec | Tim Zallmann | 2017-09-05 | 1 | -3/+2
  * Fixes vulnerability in posting a comment in the temporary rendering | Tim Zallmann | 2017-09-05 | 2 | -5/+20
* Merge branch 'rs-issue-29992-9-4' into 'security-9-4' | Robert Speicher | 2017-09-06 | 4 | -28/+31
    [9.4] Merge branch 'fix/gem-security-updates' into 'master'
    See merge request gitlab/gitlabhq!2182
  * Merge branch 'fix/gem-security-updates' into 'master' | Robert Speicher | 2017-08-31 | 4 | -28/+31
      Upgrade mail and nokogiri gems due to security issues
      See merge request !13662
* Merge branch 'rs-commit-block-xss-9-4' into 'security-9-4' | Robert Speicher | 2017-09-06 | 3 | -3/+30
    [9.4] Prevent a persistent XSS in the commit author block
    See merge request gitlab/gitlabhq!2187
  * Unmark the commit author/committer link as HTML-safe | Tim Zallmann | 2017-09-05 | 3 | -3/+30
      We now make use of the `content_tag` helper so that the untrusted input is escaped and the trusted output is then automatically safe.

      When we don't need to wrap the name in a `span` tag (when `avatar` is falsey), it's treated as unsafe by default, so no further sanitization/escaping is necessary.
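The commit message above describes the escaping rule behind the fix: build the wrapper with `content_tag` so the untrusted name is escaped and the result is a trusted buffer, and otherwise hand back a plain string that the view escapes on output. The following is an added example, not GitLab's code and not the actual diff of that commit. `SafeString`, `content_tag` and `render` are minimal stand-ins for the Rails pieces involved (ActiveSupport's safe buffer, ActionView's `content_tag`, and the view's output escaping), written against the Ruby standard library only; `author_name_vulnerable` is a hypothetical reconstruction of the buggy shape, and the payload is constructed.

```ruby
require 'erb'

# Added example, not GitLab's code. SafeString, content_tag and render are
# stand-ins for ActiveSupport::SafeBuffer, ActionView's content_tag and the
# view's output escaping, so the rule can be run with the standard library.
class SafeString < String
  def html_safe?
    true
  end
end

def escape(value)
  ERB::Util.html_escape(value.to_s)
end

def safe?(value)
  value.respond_to?(:html_safe?) && value.html_safe?
end

# Stand-in for content_tag: attribute values and untrusted content are escaped,
# already-safe content passes through, and the assembled tag is marked safe.
def content_tag(name, content, attrs = {})
  attr_str = attrs.map { |k, v| %( #{k}="#{escape(v)}") }.join
  body = safe?(content) ? content : escape(content)
  SafeString.new("<#{name}#{attr_str}>#{body}</#{name}>")
end

# Stand-in for what the view does when a value is emitted: safe strings pass
# through verbatim, everything else is escaped.
def render(value)
  safe?(value) ? value.to_s : escape(value)
end

# "Before" shape (hypothetical reconstruction of the bug): the name is
# interpolated into markup and the whole string is then marked safe, so HTML
# inside the user-controlled name reaches the page unescaped.
def author_name_vulnerable(name, avatar:)
  html = avatar ? %(<span class="commit-author-name">#{name}</span>) : name
  SafeString.new(html) # equivalent of calling .html_safe on the string
end

# "After" shape from the commit: content_tag escapes the name when a span is
# needed; with no avatar a plain String is returned and escaped on output.
def author_name_fixed(name, avatar:)
  if avatar
    content_tag(:span, name, class: 'commit-author-name')
  else
    name
  end
end

# Constructed attacker-controlled author name.
PAYLOAD = '<img src=x onerror=alert(1)>'

if __FILE__ == $PROGRAM_NAME
  puts render(author_name_vulnerable(PAYLOAD, avatar: true)) # markup survives
  puts render(author_name_fixed(PAYLOAD, avatar: true))      # escaped inside the span
  puts render(author_name_fixed(PAYLOAD, avatar: false))     # escaped by the view
end
```

The point the example makes is that safety is a property of where the string came from, not of how it looks: the vulnerable version marks a concatenation safe wholesale, while the fixed version only ever marks safe a string that the helper itself assembled from escaped parts.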
* Merge branch 'rs-issue-36098-9-4' into 'security-9-4' | Robert Speicher | 2017-08-31 | 3 | -4/+42
    [9.4] Limit `style` attribute on `th` and `td` elements to specific properties
    See merge request gitlab/gitlabhq!2167
  * Limit `style` attribute on `th` and `td` elements to specific properties | Robert Speicher | 2017-08-14 | 3 | -4/+42
      Previously we whitelisted the entire `style` attribute on `th` and `td` elements, in order to allow Markdown table alignment to work. But this opened us up to a potential exploit by allowing a malicious user to define properties besides `text-align` in the attribute.

      We now remove everything except `text-align: (center|left|right)`.
* Merge branch '36743-existing-repo-9-4' into 'security-9-4' | Douwe Maan | 2017-08-31 | 17 | -25/+143
    [9.4] Prevent project creation (blank, import or fork) when repository already exists on disk
    See merge request gitlab/gitlabhq!2171
  * Fix wiki_formatter_spec | Gabriel Mazetto | 2017-08-29 | 1 | -2/+2
  * Fix specs | Douwe Maan | 2017-08-29 | 2 | -3/+1
  * Fix seed_fu for MySQL | Gabriel Mazetto | 2017-08-28 | 1 | -2/+1
  * Fix import_file_spec | Gabriel Mazetto | 2017-08-28 | 1 | -0/+1
  * Fix seed_fu | Gabriel Mazetto | 2017-08-28 | 2 | -4/+2
  * Prevent new / renamed project from using a repository path that already exists on disk | Gabriel Mazetto | 2017-08-28 | 14 | -16/+138
      There are some redundancies in the validation steps, and that is to preserve current error messages behavior. Also a few specs have to be changed in order to fix madness in validation logic.
* Merge branch 'rs-issue-36104-9-4' into 'security-9-4' | Douwe Maan | 2017-08-30 | 8 | -8/+23
    [9.4] Disallow the `name` attribute on all user-provided markup
    See merge request gitlab/gitlabhq!2173
  * Disallow the `name` attribute on all user-provided markup | Robert Speicher | 2017-08-23 | 8 | -8/+23
      A malicious user was able to do something like <img src="" name="getElementById"> to override the `document.getElementById` method, which would result in JavaScript errors being thrown.

      See https://gitlab.com/gitlab-org/gitlab-ce/issues/36104
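Two of the sanitizer changes in this log state a concrete rule: the `style` attribute on `th`/`td` is reduced to `text-align: (center|left|right)` (rs-issue-36098 above), and the `name` attribute is removed from all user-provided markup because a named element such as `<img name="getElementById">` becomes a property of `document` and shadows the real method (this commit). The block below is an added example, not GitLab's sanitizer and not the diff of either commit. It applies both rules to a constructed fragment with REXML from the Ruby standard library so it runs without gems; REXML is an XML parser, so the input has to be well-formed XHTML, whereas a production sanitizer sits behind an HTML parser (GitLab depends on Nokogiri, which is upgraded elsewhere in this log). The function names, the `SAMPLE` input, and the assumption that `style` is not whitelisted on elements other than `th`/`td` are this example's own.

```ruby
require 'rexml/document'

# Added example, not GitLab's code: the two sanitizer rules from the commit
# messages, applied with REXML (stdlib). Input must be well-formed XHTML.

# Rule 2: on th/td only `text-align: center|left|right` may survive.
TEXT_ALIGN = /\Atext-align:\s*(center|left|right)\z/

# Returns the single permitted declaration, or nil when none is present.
def sanitize_style(value)
  value.split(';').map(&:strip).each do |decl|
    m = TEXT_ALIGN.match(decl)
    return "text-align: #{m[1]}" if m
  end
  nil
end

def sanitize_fragment(xhtml)
  doc = REXML::Document.new("<root>#{xhtml}</root>")
  REXML::XPath.each(doc, '//*') do |el|
    # Rule 1: `name` is never allowed on user-provided markup. An element like
    # <img name="getElementById"> is exposed as document.getElementById and
    # shadows the real method (DOM clobbering), so the attribute is dropped on
    # every element, not just img.
    el.attributes.delete('name')

    # Rule 2: `style` is kept only on table cells, and only for alignment.
    # (Assumption for this example: style is not whitelisted elsewhere.)
    style = el.attributes['style']
    next if style.nil?
    cleaned = %w[th td].include?(el.name) ? sanitize_style(style) : nil
    if cleaned
      el.attributes['style'] = cleaned
    else
      el.attributes.delete('style')
    end
  end
  doc.root.children.map(&:to_s).join
end

# [tag, {attribute => value}] for every element, in document order; used to
# inspect a fragment without depending on REXML's attribute quoting style.
def element_attributes(xhtml)
  doc = REXML::Document.new("<root>#{xhtml}</root>")
  REXML::XPath.match(doc, '//*').reject { |e| e.name == 'root' }.map do |e|
    attrs = {}
    e.attributes.each { |k, v| attrs[k] = v }
    [e.name, attrs]
  end
end

# Constructed user-provided markup: a cell smuggling extra CSS, a header with
# a disallowed property, and two elements carrying a `name` attribute.
SAMPLE = '<table><tr>' \
         '<td style="text-align: center; background: url(http://attacker.example/x)">a</td>' \
         '<th style="color: red">b</th>' \
         '</tr></table>' \
         '<img src="" name="getElementById"/>' \
         '<p style="text-align: left" name="forms">c</p>'

if __FILE__ == $PROGRAM_NAME
  puts sanitize_fragment(SAMPLE)
end
```

Note that the style rule is an allow-list on the parsed declarations rather than a regex over the raw attribute value: the cell's `text-align: center` is kept and rewritten in canonical form, and everything else in the attribute, including the `background` declaration, is discarded rather than "cleaned".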
* Merge branch 'fix-user-select-dropdown-escaping' into 'security-9-5' | Clement Ho | 2017-08-29 | 1 | -6/+6
    Fixes the User Selection Display (9.5)
    See merge request gitlab/gitlabhq!2177
* Merge branch '29943-environment-folder' into 'security-9-5' | Kamil Trzciński | 2017-08-29 | 9 | -125/+162
    Do not use `location.pathname` when accessing environments folders
    See merge request !2147
* Merge branch 'dm-go-get-xss' into 'security-9-3' | Robert Speicher | 2017-08-29 | 3 | -11/+44
    Fix XSS issue in go-get handling
    See merge request !2128
* Merge branch 'update-pages-9-4' into 'security-9-4' | Douwe Maan | 2017-08-24 | 1 | -1/+1
    Update GitLab Pages (9.4)
    See merge request !2158
  * Update GitLab Pages to v0.5.1 | Nick Thomas | 2017-08-08 | 1 | -1/+1
* Merge remote-tracking branch 'dev/9-4-stable' into security-9-4 | Gabriel Mazetto | 2017-08-23 | 515 | -1817/+9004
  * Merge branch '9-4-add-missing-i18n-guidelines' into '9-4-stable' | Rémy Coutable | 2017-08-16 | 1 | -0/+5
      Add missing guidelines for i18n setup
      See merge request !13541
    * Add missing guidelines for i18n setup (refs: 9-4-add-missing-i18n-guidelines) | Rubén Dávila | 2017-08-14 | 1 | -0/+5
  * Update VERSION to 9.4.5 (refs: v9.4.5) | James Edwards-Jones | 2017-08-14 | 1 | -1/+1
  * Update CHANGELOG.md for 9.4.5 | James Edwards-Jones | 2017-08-14 | 19 | -73/+21
      [ci skip]
  * Fix spec failures in 9-4-stable-patch-5 (refs: 9-4-stable-patch-5) | James Edwards-Jones | 2017-08-11 | 3 | -4/+4
      Unable to find css "h1.project-title" in spec/features/profiles/account_spec.rb:46
      Unable to find css "h1.project-title" in spec/features/profiles/account_spec.rb:53
      Failure/Error: expect(recorded.count).to be_within(1).of(57) in spec/serializers/pipeline_serializer_spec.rb:113
      Metrics/AbcSize: Assignment Branch Condition size is too high in app/controllers/admin/projects_controller.rb:5
  * Merge branch 'fix-jenkins-error' into '9-4-stable-patch-5' | James Edwards-Jones | 2017-08-11 | 2 | -3/+3
      Fix displaying specific error message when Jenkins test fails
      See merge request !13510
    * Fix displaying specific error message when Jenkins test fails (refs: fix-jenkins-error) | Jarka Kadlecova | 2017-08-11 | 2 | -3/+3
  * Merge branch '35131-do-not-run-ee_compat_check-for-stableish-branches' into 'master' | Rémy Coutable | 2017-08-11 | 1 | -1/+1
      Do not run the `ee_compat_check` job for stableish branches
      Closes #35131
      See merge request !13497
  * Merge branch 'mk-fix-case-insensitive-redirect-matching' into 'master' | Sean McGivern | 2017-08-11 | 4 | -27/+73
      Fix conflicting redirect search
      See merge request !13357
  * Merge branch '36158-new-issue-button' into 'master' | Phil Hughes | 2017-08-11 | 3 | -3/+7
      Render new issue link in failed job as a regular link instead of a UJS one
      Closes #36158
      See merge request !13450
  * Merge branch '35342-re2-in-upgrade-docs' into 'master' | Rémy Coutable | 2017-08-11 | 6 | -0/+53
      Include RE2 in the upgrade docs
      See merge request !13448
  * Merge branch '35052-please-select-a-file-when-attempting-to-upload-or-replace-from-the-ui' into 'master' | Filipa Lacerda | 2017-08-11 | 7 | -4/+84
      Resolve "'Please select a file' when attempting to upload or replace from the UI"
      Closes #35052
      See merge request !12863