Commit message | Author | Age | Files | Lines
* Diff touch ups | Annabel Dunstone | 2016-04-07 | 5 | -11/+8
|
* Fix lint errors | Annabel Dunstone | 2016-04-07 | 3 | -8/+6
|
* Remove comment count & icon | Annabel Dunstone | 2016-04-07 | 1 | -3/+0
|
* Diff design updates | Annabel Dunstone | 2016-04-07 | 15 | -67/+90
|
* Merge conflict fixes | Annabel Dunstone | 2016-04-07 | 1 | -15/+15
|
* Update diff_comments tests | Annabel Dunstone | 2016-04-07 | 2 | -5/+5
|
* Update diff colors and icons | Annabel Dunstone | 2016-04-07 | 7 | -15/+29
|
* Move diff colors to variables | Annabel Dunstone | 2016-04-07 | 3 | -14/+24
|
* Change reply button to text field | Annabel Dunstone | 2016-04-07 | 2 | -7/+19
|
* Merge branch 'revert-missing-changelog' into 'master' | Jacob Schatz | 2016-04-07 | 1 | -1/+0
|\
| | Remove changelog entry for new navigation sidebar.
| |
| | See merge request !3608
| * Remove changelog entry for new navigation sidebar. | Jacob Schatz | 2016-04-07 | 1 | -1/+0
| |
* | Merge branch 'code-wrapping' into 'master' | Jacob Schatz | 2016-04-07 | 2 | -0/+6
|\ \
| | | Fix side-by-side code format & commit message wrap
| | |
| | | ![Screen_Shot_2016-04-07_at_1.31.28_PM](/uploads/bad00284e4dfbec1fdd75220c34f4a98/Screen_Shot_2016-04-07_at_1.31.28_PM.png)
| | |
| | | ![Screen_Shot_2016-04-07_at_1.32.23_PM](/uploads/7cd344765025e93d0035934a473b4bb3/Screen_Shot_2016-04-07_at_1.32.23_PM.png)
| | |
| | | See merge request !3605
| * | Fix side-by-side code format & commit message wrap [code-wrapping] | Annabel Dunstone | 2016-04-07 | 2 | -0/+6
| | |
* | | Merge branch 'revert-2ed6cd9e' into 'master' | Jacob Schatz | 2016-04-07 | 19 | -109/+130
|\ \ \
| | | | Revert "Merge branch 'new-navigation-prototype' into 'master'"
| | | |
| | | | This reverts merge request !3494
| | | |
| | | | See merge request !3607
| * | | Revert "Merge branch 'new-navigation-prototype' into 'master'" | Jacob Schatz | 2016-04-07 | 19 | -109/+130
| | |/
| |/|
| | | This reverts merge request !3494
* | | Update CHANGELOG for 8.6.5, 8.5.10, 8.4.8, and 8.3.7 | Robert Speicher | 2016-04-07 | 1 | -3/+17
|/ /
| |
| | [ci skip]
* | Merge branch 'revert-5e8740ee' into 'master' | Jacob Schatz | 2016-04-07 | 1 | -1/+1
|\ \
| |/
|/|
| | Revert "Merge branch 'fix-sidebar-exapnd' into 'master'"
| |
| | This reverts merge request !3520
| |
| | See merge request !3606
| * Revert "Merge branch 'fix-sidebar-exapnd' into 'master'" [revert-5e8740ee] | Jacob Schatz | 2016-04-07 | 1 | -1/+1
|/
|
| This reverts merge request !3520
* Merge branch 'indentation-bug' into 'master' | Jacob Schatz | 2016-04-07 | 1 | -3/+3
|\
| | Preserve white space
| |
| | See merge request !3602
| * Indentation update [indentation-bug] | Annabel Dunstone | 2016-04-07 | 1 | -2/+0
| |
| * Preserve white space | Annabel Dunstone | 2016-04-07 | 1 | -1/+3
| |
* | Merge branch 'fix-number-of-todos-sidebar-is-not-updated' into 'master' | Jacob Schatz | 2016-04-07 | 3 | -1/+4
|\ \
| | | Update number of Todos in the sidebar when it's marked as "Done"
| | |
| | | Closes #15002
| | |
| | | See merge request !3600
| * | Update CHANGELOG [fix-number-of-todos-sidebar-is-not-updated] | Douglas Barbosa Alexandre | 2016-04-07 | 1 | -0/+1
| | |
| * | Update number of Todos in the sidebar when it's marked as "Done" | Douglas Barbosa Alexandre | 2016-04-07 | 2 | -1/+3
| |/
* | Merge branch 'issue_14012' into 'master' | Rémy Coutable | 2016-04-07 | 5 | -6/+42
|\ \
| |/
|/|
| | Fix problem when creating milestones in groups without projects
| |
| | Fixes #14012
| |
| | See merge request !3481
| * Implement review suggestions | Felipe Artur | 2016-04-07 | 4 | -7/+6
| |
| * Improve code | Felipe Artur | 2016-04-05 | 3 | -17/+22
| |
| * Improve code | Felipe Artur | 2016-04-05 | 1 | -7/+15
| |
| * Fix problem when creating milestones in groups without projects | Felipe Artur | 2016-04-05 | 2 | -5/+29
| |
* | Merge branch 'regex-for-colons' into 'master' | Douwe Maan | 2016-04-07 | 4 | -2/+118
|\ \
| | | Add optional colon.
| | |
| | | See merge request !3591
| * | CHANGELOG | Jacob Schatz | 2016-04-07 | 1 | -0/+1
| | |
| * | Remove dumb debug statement and add many tests. | Jacob Schatz | 2016-04-07 | 3 | -2/+116
| | |
| * | Add optional colon. | Jacob Schatz | 2016-04-07 | 1 | -1/+2
| | |
* | | Merge branch 'no-gc-auto' into 'master' | Yorick Peterse | 2016-04-07 | 2 | -1/+13
|\ \ \
| | | | Disable git gc --auto
| | | |
| | | | See merge request !3572
| * \ \ Merge branch 'master' of https://gitlab.com/gitlab-org/gitlab-ce into no-gc-auto | Jacob Vosmaer | 2016-04-07 | 75 | -374/+1052
| |\ \ \
| | |/ /
| * | | Disable git gc --auto | Jacob Vosmaer | 2016-04-06 | 2 | -1/+13
| | | |
* | | | Merge branch 'dont-assign-me-if-you-arent-allow' into 'master' | Rémy Coutable | 2016-04-07 | 1 | -6/+8
|\ \ \ \
| | | | | Hide "assign to me" link if not allowed
| | | | |
| | | | | Fixes #14996
| | | | |
| | | | | See merge request !3590
| * | | | Remove duplication. Remove JS data attributes | Jacob Schatz | 2016-04-07 | 1 | -6/+6
| | | | |
| * | | | Hide "assign to me" link if not allowed [dont-assign-me-if-you-arent-allow] | Jacob Schatz | 2016-04-07 | 1 | -5/+7
| | | | |
* | | | | Merge branch 'master' of dev.gitlab.org:gitlab/gitlabhq | Grzegorz Bizon | 2016-04-07 | 2 | -6/+110
|\ \ \ \ \
| |_|_|/ /
|/| | | |
| | | | | * 'master' of dev.gitlab.org:gitlab/gitlabhq:
| | | | |   Make sessions controller specs more explicit
| | | | |   Fix 2FA authentication spoofing vulnerability
| | | | |   Add specs for sessions controller including 2FA
| * | | | Merge branch 'fix/2fa-authentication-spoofing' into 'master' | Rémy Coutable | 2016-04-07 | 2 | -6/+110
| |\ \ \ \
| | | | | | Fix 2FA authentication spoofing
| | | | | |
| | | | | | ## Summary
| | | | | |
| | | | | | This is a security fix for the vulnerability described at https://gitlab.com/gitlab-org/gitlab-ce/issues/14900.
| | | | | |
| | | | | | An attacker was able to bypass password authentication of users that have 2FA enabled, and consequently sign in as a different user, without knowing his password, if he managed to guess the 2FA One Time Password for that user.
| | | | | |
| | | | | | It was also possible to enumerate users and check if they have 2FA enabled, because GitLab responded with a different error for each case.
| | | | | |
| | | | | | ## Fix
| | | | | |
| | | | | | This MR attempts to change the default user search scope if the `otp_user_id` session variable has been set. If it is present, it means that the user has 2FA enabled and has already been verified with login and password. In this case we should look for the user with `otp_user_id` first, before picking it up by `login`.
| | | | | |
| | | | | | Both 2FA authentication spoofing and 2FA discovery have been covered by specs.
| | | | | |
| | | | | | ## Further work
| | | | | |
| | | | | | Current 2FA code is a bit tricky, so it probably needs some refactoring.
| | | | | |
| | | | | | See merge request !1947
| | * | | | Make sessions controller specs more explicit | Grzegorz Bizon | 2016-04-07 | 1 | -4/+5
| | | | | |
| | * | | | Fix 2FA authentication spoofing vulnerability | Grzegorz Bizon | 2016-04-07 | 2 | -41/+51
| | | | | |
| | | | | | This commit attempts to change the default user search scope if the
| | | | | | otp_user_id session variable has been set. If it is present, it means
| | | | | | that the user has 2FA enabled and has already been verified with login
| | | | | | and password. In this case we should look for the user with otp_user_id
| | | | | | first, before picking it up by login.
| | * | | | Add specs for sessions controller including 2FA | Grzegorz Bizon | 2016-04-06 | 1 | -0/+93
| | | | | |
| | | | | | This also contains specs for a bug described in #14900
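The lookup-order bug in merge request !1947 above, reproduced as an added example in plain Ruby. This is not GitLab's code: the `User` struct, the `USERS` table, the session hash, the HOTP stand-in for TOTP and every function name are constructed for illustration. `find_user_vulnerable` resolves the account from the submitted `login` even after the password step has stored `otp_user_id`, so an attacker who has passed the password step for their own account can post another user's login with a guessed code and have that code checked against the other account; `find_user_fixed` treats `otp_user_id` as authoritative once it is set. The same change makes the error for a wrong code independent of which login is named, which closes the 2FA-enumeration side channel the description mentions.

```ruby
require 'openssl'
# Added example, not GitLab's code: a minimal two-step sign-in (password, then
# one-time password) showing why the user lookup scope matters once
# otp_user_id is in the session. All names and data are constructed.
User = Struct.new(:id, :login, :password, :otp_secret, keyword_init: true) do
  def two_factor_enabled?
    !otp_secret.nil?
  end
end

# Constructed sample accounts: alice and bob use 2FA, carol does not.
USERS = [
  User.new(id: 1, login: 'alice', password: 'alice-pw', otp_secret: 'alice-otp-secret'),
  User.new(id: 2, login: 'bob',   password: 'bob-pw',   otp_secret: 'bob-otp-secret'),
  User.new(id: 3, login: 'carol', password: 'carol-pw', otp_secret: nil)
].freeze

# HOTP (RFC 4226) at a fixed counter stands in for TOTP: deterministic, stdlib only.
OTP_COUNTER = 42

def hotp(secret, counter)
  digest = OpenSSL::HMAC.digest('sha1', secret, [counter].pack('Q>'))
  offset = digest.bytes.last & 0x0f
  code = (digest.byteslice(offset, 4).unpack1('N') & 0x7fffffff) % 1_000_000
  format('%06d', code)
end

# Constant-time comparison so the checks below do not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def valid_otp?(user, attempt)
  return false unless user.two_factor_enabled? && attempt.to_s.match?(/\A\d{6}\z/)
  secure_compare(hotp(user.otp_secret, OTP_COUNTER), attempt.to_s)
end

# Before the fix: the submitted login wins even after the password step has
# stored otp_user_id, so the OTP is checked against whichever account is named.
def find_user_vulnerable(session, params)
  if params[:login]
    USERS.find { |u| u.login == params[:login] }
  elsif session[:otp_user_id]
    USERS.find { |u| u.id == session[:otp_user_id] }
  end
end

# After the fix: once otp_user_id is set it is authoritative and the login
# parameter is ignored for the rest of the sign-in.
def find_user_fixed(session, params)
  if session[:otp_user_id]
    USERS.find { |u| u.id == session[:otp_user_id] }
  elsif params[:login]
    USERS.find { |u| u.login == params[:login] }
  end
end

# One request of the flow. Returns [:signed_in, user], [:otp_required, nil]
# or [:error, message]. Plain-text password compare is a simplification.
def sign_in(session, params, find_user)
  user = find_user.call(session, params)
  return [:error, 'Invalid login or password'] unless user
  if session[:otp_user_id] && user.two_factor_enabled?
    # Second step: the password was verified when otp_user_id was stored.
    if valid_otp?(user, params[:otp_attempt])
      session.delete(:otp_user_id)
      return [:signed_in, user]
    end
    return [:error, 'Invalid two-factor code']
  end
  return [:error, 'Invalid login or password'] unless secure_compare(user.password, params[:password].to_s)
  if user.two_factor_enabled?
    session[:otp_user_id] = user.id
    [:otp_required, nil]
  else
    [:signed_in, user]
  end
end

# The spoofing attack: pass the password step as alice, then post the OTP form
# naming bob with a guessed code. The guess is bob's real code here, so the
# outcome depends only on which account the code is checked against.
def spoof_attempt(find_user)
  session = {}
  sign_in(session, { login: 'alice', password: 'alice-pw' }, find_user)
  sign_in(session, { login: 'bob', otp_attempt: hotp('bob-otp-secret', OTP_COUNTER) }, find_user)
end

# The enumeration probe: with otp_user_id set for alice, submit a code that is
# valid for nobody while naming bob (2FA) and carol (no 2FA); compare errors.
def enumeration_probe(find_user)
  session = {}
  sign_in(session, { login: 'alice', password: 'alice-pw' }, find_user)
  taken = USERS.select(&:two_factor_enabled?).map { |u| hotp(u.otp_secret, OTP_COUNTER) }
  wrong = ('000000'..'999999').find { |c| !taken.include?(c) }
  errors = %w[bob carol].map { |l| sign_in(session.dup, { login: l, otp_attempt: wrong }, find_user).last }
  errors.uniq.size == 1 ? :indistinguishable : :distinguishable
end
```

`spoof_attempt` and `enumeration_probe` take either finder: with `method(:find_user_vulnerable)` they return `[:signed_in, bob]` and `:distinguishable`, with `method(:find_user_fixed)` they return `[:error, "Invalid two-factor code"]` and `:indistinguishable`. Production code would check the password against a hash and the code with a TOTP window; both are simplified here because the point is the lookup scope, not the OTP algorithm.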
* | | | | | Merge branch 'fix-project-404-cache-issue' into 'master' | Yorick Peterse | 2016-04-07 | 2 | -0/+15
|\ \ \ \ \ \
| | | | | | | Expire caches after project creation to ensure a consistent state
| | | | | | |
| | | | | | | See merge request !3586
| * | | | | | Expire caches after project creation to ensure a consistent state | Stan Hu | 2016-04-07 | 2 | -0/+15
| | | | | | |
| | | | | | | Closes #14961
* | | | | | | Merge branch 'update_main_lang_if_unset' into 'master' | Rémy Coutable | 2016-04-07 | 3 | -10/+27
|\ \ \ \ \ \ \
| |_|/ / / / /
|/| | | | | |
| | | | | | | Only update main language if it is not already set
| | | | | | |
| | | | | | | Related to gitlab-org/gitlab-ce#14937 (but does not fully fix)
| | | | | | |
| | | | | | | This is a temporary fix so performance isn't affected so much.
| | | | | | |
| | | | | | | cc @yorickpeterse @ayufan how does this look?
| | | | | | |
| | | | | | | See merge request !3556
| * | | | | | Only update main language if it is not already set [update_main_lang_if_unset] | Drew Blessing | 2016-04-06 | 3 | -10/+27
| | | | | | |
* | | | | | | Merge branch 'api-filter-milestone' into 'master' | Rémy Coutable | 2016-04-07 | 4 | -6/+54
|\ \ \ \ \ \ \
| | | | | | | | API: Ability to filter milestones by state
| | | | | | | |
| | | | | | | | Ability to filter milestones by `active` and `closed` state.
| | | | | | | |
| | | | | | | | * Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/14931
| | | | | | | |
| | | | | | | | See merge request !3566
| * | | | | | | Improve coding and doc style | Robert Schilling | 2016-04-06 | 4 | -10/+21
| | | | | | | |