Commit message (Author, Age, Files, Lines)
* Merge branch 'fix-rubyzip-require' into 'master' (Yorick Peterse, 2019-01-30, 1, -1/+1)
|\
| * Fix requiring the rubyzip Gem (Yorick Peterse, 2019-01-30, 1, -1/+1)
|/
* Merge branch 'dev-master' into 'master' (Yorick Peterse, 2019-01-30, 3, -2/+7)
|\
| * Fix uninitialized constant with GitLab Pages deploy (Stan Hu, 2019-01-29, 3, -2/+7)
* | Update CHANGELOG.md for 11.7.2 (GitLab Release Tools Bot, 2019-01-29, 1, -0/+34)
|/
* Update CHANGELOG.md for 11.5.8 (GitLab Release Tools Bot, 2019-01-28, 1, -0/+27)
* Update CHANGELOG.md for 11.7.1 (GitLab Release Tools Bot, 2019-01-28, 21, -101/+30)
* Merge branch '56860-fix-spec-race-condition-upside-the-head' into 'master' (Douglas Barbosa Alexandre, 2019-01-28, 1, -0/+3)
* Merge branch 'test-permissions' into 'master' (Yorick Peterse, 2019-01-28, 35, -95/+324)
|\
| * [master] Pipelines section is available to unauthorized users (Kamil Trzciński, 2019-01-28, 35, -95/+324)
|/
* Merge branch 'fix/security-group-user-removal' into 'master' (Yorick Peterse, 2019-01-25, 10, -11/+114)
|\
| * Add subresources removal to member destroy service (James Lopez, 2019-01-25, 10, -11/+114)
* | Merge branch 'security-import-path-logging' into 'master' (Yorick Peterse, 2019-01-25, 8, -17/+107)
|\ \
| * | Fix path disclosure on Project Import (James Lopez, 2019-01-07, 8, -17/+107)
* | | Merge branch 'security-guests-can-see-list-of-merge-requests' into 'master' (Yorick Peterse, 2019-01-25, 7, -20/+154)
|\ \ \
| * | | Group Guests are no longer able to see merge requests (Tiago Botelho, 2019-01-21, 7, -20/+154)
* | | | Merge branch 'security-import-project-visibility' into 'master' (Yorick Peterse, 2019-01-25, 5, -2/+219)
|\ \ \ \
| * | | | Fix tree restorer visibility level (James Lopez, 2019-01-24, 5, -2/+219)
* | | | | Merge branch 'security-contributed-projects' into 'master' (Yorick Peterse, 2019-01-25, 4, -0/+56)
|\ \ \ \ \
| * | | | | Fix contributed projects finder shown private info (James Lopez, 2019-01-08, 4, -0/+56)
* | | | | | Merge branch 'security-do-not-process-mr-ref-for-guests' into 'master' (Yorick Peterse, 2019-01-25, 3, -2/+17)
|\ \ \ \ \ \
| * | | | | | Don't process MR refs for guests in the notes (Oswaldo Ferreira, 2019-01-10, 3, -2/+17)
* | | | | | | Merge branch 'security-22076-sanitize-url-in-names' into 'master' (Yorick Peterse, 2019-01-25, 40, -54/+84)
|\ \ \ \ \ \ \
| * | | | | | | Add changelog entry (Kushal Pandya, 2019-01-22, 1, -0/+6)
| * | | | | | | Use `sanitize_name` to sanitize URL in user full name (Kushal Pandya, 2019-01-22, 37, -54/+56)
| * | | | | | | Add `sanitize_name` helper to sanitize URLs in user full name (Kushal Pandya, 2019-01-22, 2, -0/+22)
* | | | | | | | Merge branch 'sh-fix-import-redirect-vulnerability' into 'master' (Yorick Peterse, 2019-01-25, 8, -8/+43)
|\ \ \ \ \ \ \ \
| * | | | | | | | Alias GitHub and BitBucket OAuth2 callback URLs (Stan Hu, 2019-01-22, 8, -8/+43)
* | | | | | | | | Merge branch 'security-fix-protected-branches-creation-access-rights-ce' into... (Yorick Peterse, 2019-01-25, 2, -23/+8)
|\ \ \ \ \ \ \ \ \
| * | | | | | | | | [master] Check access rights when creating/updating ProtectedRefs (Francisco Javier López, 2019-01-25, 2, -23/+8)
|/ / / / / / / / /
* | | | | | | | | Merge branch 'security-2780-disable-git-v2-protocol' into 'master' (Yorick Peterse, 2019-01-25, 3, -1/+13)
|\ \ \ \ \ \ \ \ \
| * | | | | | | | | Disable git v2 protocol temporarily (Nick Thomas, 2019-01-24, 3, -1/+13)
* | | | | | | | | | Merge branch 'security-55320-stored-xss-in-user-status' into 'master' (Tim Zallmann, 2019-01-25, 3, -7/+12)
|\ \ \ \ \ \ \ \ \ \
| |_|_|_|_|_|_|_|_|/
|/| | | | | | | | |
| * | | | | | | | | Use sanitized user status message for user popover (Dennis Tang, 2019-01-23, 3, -7/+12)
| | |/ / / / / / /
| |/| | | | | | |
* | | | | | | | | Merge branch 'security-2767-verify-lfs-finalize-from-workhorse' into 'master' (Yorick Peterse, 2019-01-24, 4, -7/+25)
|\ \ \ \ \ \ \ \ \
| * | | | | | | | | Verify that LFS upload requests are genuine (Nick Thomas, 2019-01-22, 4, -7/+25)
| |/ / / / / / / /
* | | | | | | | | Merge branch 'security-project-move-users' into 'master' (Yorick Peterse, 2019-01-24, 6, -7/+59)
|\ \ \ \ \ \ \ \ \
| * | | | | | | | | Sent notification only to authorized users (Jan Provaznik, 2019-01-23, 6, -7/+59)
| |/ / / / / / / /
* | | | | | | | | Merge branch 'security-fix-user-email-tag-push-leak' into 'master' (Yorick Peterse, 2019-01-24, 3, -3/+8)
|\ \ \ \ \ \ \ \ \
| * | | | | | | | | Fix private user email being visible in tag webhooks (Luke Duncalfe, 2019-01-18, 3, -3/+8)
| * | | | | | | | | Prefer build() rather than create() (Luke Duncalfe, 2019-01-15, 1, -1/+1)
| | |_|/ / / / / /
| |/| | | | | | |
* | | | | | | | | Merge branch 'security-stored-xss-via-katex' into 'master' (Yorick Peterse, 2019-01-24, 2, -1/+22)
|\ \ \ \ \ \ \ \ \
| * | | | | | | | | [master] Resolve "[Security] Stored XSS via KaTeX" (Constance Okoghenun, 2019-01-24, 2, -1/+22)
|/ / / / / / / / /
* | | | | | | | | Merge branch 'extract-pages-with-rubyzip' into 'master' (Yorick Peterse, 2019-01-24, 17, -25/+594)
|\ \ \ \ \ \ \ \ \
| * | | | | | | | | Extract GitLab Pages using RubyZip (Kamil Trzciński, 2019-01-22, 17, -25/+594)
* | | | | | | | | | Merge branch 'security-commit-status-shown-for-guest-user' into 'master' (Yorick Peterse, 2019-01-24, 3, -1/+27)
|\ \ \ \ \ \ \ \ \ \
| * | | | | | | | | | Stop showing ci for guest users (Steve Azzopardi, 2019-01-23, 3, -1/+27)
* | | | | | | | | | | Merge branch 'security-fix-lfs-import-project-ssrf-forgery' into 'master' (Yorick Peterse, 2019-01-24, 13, -103/+359)
|\ \ \ \ \ \ \ \ \ \ \
| * | | | | | | | | | | Added validations to prevent LFS object forgery (Francisco Javier López, 2019-01-21, 13, -103/+359)
| | |_|_|_|_|_|/ / / /
| |/| | | | | | | | |
* | | | | | | | | | | Merge branch 'security-pipeline-trigger-tokens-exposure' into 'master' (Yorick Peterse, 2019-01-24, 11, -17/+130)
|\ \ \ \ \ \ \ \ \ \ \