| Commit message | Author | Age | Files | Lines |
[ci skip]
3435 backport for 9.4
See merge request gitlab/gitlabhq!2206
Upgrade Nokogiri because of CVE-2017-9050
See merge request gitlab-org/gitlab-ce!14427
Move project repositories between namespaces when renaming users (9.4)
See merge request gitlab/gitlabhq!2201
Escape user name in filtered search bar
See merge request gitlab/gitlabhq!2196
[9.4] Prevent a persistent XSS in user-provided markup
See merge request gitlab/gitlabhq!2204
Treat newlines as separators for pipeline emails service
Closes #37759
See merge request gitlab-org/gitlab-ce!14250
Fix arbitrary redirect location vulnerability
See merge request gitlab/gitlabhq!2192
[ci skip]
Fix Live Comment XSS Vulnerability for 9.4
See merge request gitlab/gitlabhq!2189
[9.4] Merge branch 'fix/gem-security-updates' into 'master'
See merge request gitlab/gitlabhq!2182
Upgrade mail and nokogiri gems due to security issues
See merge request !13662
[9.4] Prevent a persistent XSS in the commit author block
See merge request gitlab/gitlabhq!2187
We now make use of the `content_tag` helper so that the untrusted input
is escaped and the trusted output is then automatically safe. When we
don't need to wrap the name in a `span` tag (when `avatar` is falsey),
it's treated as unsafe by default, so no further sanitization/escaping
is necessary.
[9.4] Limit `style` attribute on `th` and `td` elements to specific properties
See merge request gitlab/gitlabhq!2167
Previously we whitelisted the entire `style` attribute on `th` and `td`
elements, in order to allow Markdown table alignment to work. But this
opened us up to a potential exploit by allowing a malicious user to
define properties besides `text-align` in the attribute.
We now remove everything except `text-align: (center|left|right)`.
[9.4] Prevent project creation (blank, import or fork) when repository already exists on disk
See merge request gitlab/gitlabhq!2171
exists on disk
There are some redundancies in the validation steps, and that is to
preserve the current error message behavior.
Also, a few specs have to be changed in order to fix the madness in the
validation logic.
[9.4] Disallow the `name` attribute on all user-provided markup
See merge request gitlab/gitlabhq!2173
A malicious user was able to do something like
<img src="" name="getElementById">
to override the `document.getElementById` method, which would result in
JavaScript errors being thrown.
See https://gitlab.com/gitlab-org/gitlab-ce/issues/36104
Fixes the User Selection Display (9.5)
See merge request gitlab/gitlabhq!2177
Do not use `location.pathname` when accessing environments folders
See merge request !2147
Fix XSS issue in go-get handling
See merge request !2128
Update GitLab Pages (9.4)
See merge request !2158
Add missing guidelines for i18n setup
See merge request !13541
[ci skip]
Unable to find css "h1.project-title" in spec/features/profiles/account_spec.rb:46
Unable to find css "h1.project-title" in spec/features/profiles/account_spec.rb:53
Failure/Error: expect(recorded.count).to be_within(1).of(57) in spec/serializers/pipeline_serializer_spec.rb:113
Metrics/AbcSize: Assignment Branch Condition size is too high in app/controllers/admin/projects_controller.rb:5
Fix displaying specific error message when Jenkins test fails
See merge request !13510
'master'
Do not run the `ee_compat_check` job for stableish branches
Closes #35131
See merge request !13497
Fix conflicting redirect search
See merge request !13357
Render new issue link in failed job as a regular link instead of a UJS one
Closes #36158
See merge request !13450
Include RE2 in the upgrade docs
See merge request !13448
'35052-please-select-a-file-when-attempting-to-upload-or-replace-from-the-ui' into 'master'
Resolve "'Please select a file' when attempting to upload or replace from the UI"
Closes #35052
See merge request !12863