summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* Update VERSION to 11.5.1v11.5.1GitLab Release Tools Bot2018-11-261-1/+1
|
* Update CHANGELOG.md for 11.5.1GitLab Release Tools Bot2018-11-2618-87/+23
| | | [ci skip]
* Merge branch 'security-11-5-fj-crlf-injection' into 'security-11-5'Steve Azzopardi2018-11-265-54/+128
|\ | | | | | | | | [11.5] Fix CRLF issue in UrlValidator See merge request gitlab/gitlabhq!2652
| * [11.5] Fix CRLF issue in UrlValidatorFrancisco Javier López2018-11-265-54/+128
|/
* Merge branch 'security-fix-uri-xss-applications-11-5' into 'security-11-5'Steve Azzopardi2018-11-267-2/+121
|\ | | | | | | | | [11.5] Resolve "Reflected XSS in OAuth Authorize window due to redirect_uri allowing arbitrary protocols" See merge request gitlab/gitlabhq!2658
| * Resolve reflected XSS in Ouath authorize windowJames Lopez2018-11-267-2/+121
| |
* | Merge branch 'security-11-5-fix-webhook-ssrf-ipv6' into 'security-11-5'Steve Azzopardi2018-11-263-13/+112
|\ \ | | | | | | | | | | | | [11.5] Fix SSRF in project integrations See merge request gitlab/gitlabhq!2611
| * | Fix SSRF in project integrationsFrancisco Javier López2018-11-123-13/+112
| | | | | | | | | | | | | | | | | | This commit fixes a SSRF vulnerability related to project hooks and ipv6 addresses. It also addresses a problem with ipv6 mapped addresses.
* | | Merge branch 'security-email-change-notification-11-5' into 'security-11-5'Steve Azzopardi2018-11-265-0/+32
|\ \ \ | | | | | | | | | | | | | | | | [11.5] Resolve: "Provide email notification when a user changes their email address" See merge request gitlab/gitlabhq!2602
| * | | Provide email notification on email updatesJames Lopez2018-11-125-0/+32
| |/ /
* | | Merge branch 'security-guest-comments-11-5' into 'security-11-5'Steve Azzopardi2018-11-2613-34/+187
|\ \ \ | |_|/ |/| | | | | | | | [11.5] Fixed ability to comment on and edit/delete comments on locked or confidential issues See merge request gitlab/gitlabhq!2646
| * | [11.5] Fixed ability to comment on and edit/delete comments on locked or ↵Chantal Rollison2018-11-2613-34/+187
|/ / | | | | | | confidential issues
* | Merge branch 'security-11-5-pages-toctou-race' into 'security-11-5'Steve Azzopardi2018-11-262-1/+7
|\ \ | | | | | | | | | | | | [11.5] [pages] Possible symlink time of check to time of use race condition See merge request gitlab/gitlabhq!2649
| * | Upgrade GitLab Pages to v1.3.1Alessio Caiazza2018-11-212-1/+7
| | |
* | | Merge branch 'security-fix-pat-web-access-11-5' into 'security-11-5'Steve Azzopardi2018-11-2628-281/+538
|\ \ \ | | | | | | | | | | | | | | | | [11.5] Resolve "Personal access token with only `read_user` scope can be used to authenticate any web request" See merge request gitlab/gitlabhq!2655
| * | | Update code to use API scope on PAT authJames Lopez2018-11-2328-281/+538
|/ / /
* | | Merge branch ↵Steve Azzopardi2018-11-235-2/+25
|\ \ \ | | | | | | | | | | | | | | | | | | | | | | | | 'security-11-5-xss-in-markdown-following-unrecognized-html-element' into 'security-11-5' [11.5] XSS in markdown following unrecognized HTML element See merge request gitlab/gitlabhq!2631
| * | | Sanitize output of SpacedLinkFilterBrett Walker2018-11-165-2/+25
| | | |
* | | | Merge branch 'security-mermaid-xss-11-5' into 'security-11-5'Steve Azzopardi2018-11-234-1/+21
|\ \ \ \ | | | | | | | | | | | | | | | | | | | | [11.5] Fix XSS in mermaid diagrams See merge request gitlab/gitlabhq!2641
| * | | | Configure mermaid to not render HTML content in diagramsWinnie Hellmann2018-11-192-0/+8
| | | | | | | | | | | | | | | | | | | | (cherry picked from commit f2e9f22f7d3d84abeea5ba2918ee5ffcc55f2dad)
| * | | | Add failing test for XSS in mermaid diagramsWinnie Hellmann2018-11-192-1/+13
| | |/ / | |/| | | | | | | | | | (cherry picked from commit fdea799d37ae9ca3f5e80f191a55be543a79857a)
* | | | Merge branch 'security-bvl-exposure-in-commits-list-11-5' into 'security-11-5'Steve Azzopardi2018-11-233-55/+67
|\ \ \ \ | | | | | | | | | | | | | | | | | | | | [11.5] Don't expose confidential information in commit message list See merge request gitlab/gitlabhq!2642
| * | | | Don't use fragment cache on commit pageBob Van Landuyt2018-11-193-55/+67
| |/ / / | | | | | | | | | | | | | | | | This makes sure the user viewing the commit does not get to see anything they're not allowed to see
* | | | Merge branch 'security-issue_51301-11-5' into 'security-11-5'Steve Azzopardi2018-11-236-12/+96
|\ \ \ \ | | | | | | | | | | | | | | | | | | | | [11.5] Resolve: Promoting a milestone is missing an authorization check See merge request gitlab/gitlabhq!2619
| * | | | Fix milestone promotion authorizationFelipe Artur2018-11-146-12/+96
| | |_|/ | |/| | | | | | | | | | | | | | Promoting milestone was missing an authorization check, guest users were being able to promote project milestones to group milestones.
* | | | Merge branch 'security-2736-prometheus-ssrf-11-5' into 'security-11-5'Steve Azzopardi2018-11-234-3/+25
|\ \ \ \ | | | | | | | | | | | | | | | | | | | | [11.5] Do not follow redirects in prometheus service See merge request gitlab/gitlabhq!2623
| * | | | No redirects in prometheus servicerpereira22018-11-144-3/+25
| |/ / / | | | | | | | | | | | | Do not allow redirects in the prometheus service to prevent SSRFs.
* | | | Merge branch 'security-11-5-stored-xss-for-environments' into 'security-11-5'Steve Azzopardi2018-11-237-6/+67
|\ \ \ \ | | | | | | | | | | | | | | | | | | | | [11.5] Stored XSS for Environments See merge request gitlab/gitlabhq!2614
| * | | | Validate URI scheme also for internal URIAlessio Caiazza2018-11-167-6/+67
| | |_|/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This is a backport for 11.5 stable branch. Gitlab::UrlBlocker ignores scheme when validating URI matching either config.gitlab or config.gitlab_shell This patch enforces matching config.gitlab.protocol for internal web and ssh for internal shell. A cleanup migration for stored XSS from environments table is included.
* | | | Merge branch 'security-private-group-11-5' into 'security-11-5'Steve Azzopardi2018-11-233-0/+26
|\ \ \ \ | | | | | | | | | | | | | | | | | | | | [11.5] Fixed read name of private groups See merge request gitlab/gitlabhq!2590
| * | | | Fixed read name of private groupsChantal Rollison2018-11-063-0/+26
| | |/ / | |/| |
* | | | Merge branch 'security-182-update-workhorse-11-5' into 'security-11-5'Steve Azzopardi2018-11-233-1/+9
|\ \ \ \ | | | | | | | | | | | | | | | | | | | | [11.5] Redact sensitive information on gitlab-workhorse log See merge request gitlab/gitlabhq!2628
| * | | | Redact sensitive information on workhorse logMark Chao2018-11-233-1/+9
| | |/ / | |/| |
* | | | Merge branch '11-5-stable' into security-11-5Steve Azzopardi2018-11-23257-1247/+392
|\ \ \ \ | |_|_|/ |/| | |
| * | | Update VERSION to 11.5.0v11.5.0GitLab Release Tools Bot2018-11-211-1/+1
| | | |
| * | | Update CHANGELOG.md for 11.5.0GitLab Release Tools Bot2018-11-21239-1192/+262
| | | | | | | | | | | | [ci skip]
| * | | Update VERSION to 11.5.0-rc13v11.5.0-rc13GitLab Release Tools Bot2018-11-201-1/+1
| | | |
| * | | Merge branch 'sh-fix-issue-8448-ce' into 'master'Steve Azzopardi2018-11-201-1/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Stub Rails.application.env_config to prevent spec failures Closes gitlab-ee#8488 See merge request gitlab-org/gitlab-ce!23222
| * | | Merge branch 'docs-runbook-guide' into 'master'Mike Lewis2018-11-209-3/+91
| | | | | | | | | | | | | | | | | | | | add guide for creating runbook See merge request gitlab-org/gitlab-ce!22885
| * | | Merge branch '11-5-stable-prepare-rc13' into '11-5-stable'11-5-stable-prepare-rc13Cindy Pallares 🦉2018-11-209-60/+30
| |\ \ \ | | | | | | | | | | | | | | | | | | | | Prepare 11.5 RC13 release See merge request gitlab-org/gitlab-ce!23206
| | * | | Merge branch 'jramsay/file-tree-docs' into 'master'Achilleas Pipinellis2018-11-192-3/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Update merge request file tree docs See merge request gitlab-org/gitlab-ce!23187 (cherry picked from commit fa1fadb4dc214ded1e8f167bf7ae418608e639a5) fff9aa64 Update merge request file tree docs
| | * | | Merge branch 'image-discussion-ff-fix' into 'master'Filipa Lacerda2018-11-193-13/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fixed image discussion styling Closes #54110 See merge request gitlab-org/gitlab-ce!23127 (cherry picked from commit ef1a158773c7cfbf681df6ed7f3514963ad8ca1b) 718c66f6 Fixed image discussion styling
| | * | | Merge branch 'docs/clusters-knative' into 'master'Marcia Ramos2018-11-191-13/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Update the cluster docs for Knative See merge request gitlab-org/gitlab-ce!23113 (cherry picked from commit 17ef595865cde550e101806f69ead4b4394a79ae) 7b2fe02b Update the cluster docs for Knative
| | * | | Merge branch 'osw-remove-comment-on-any-diff-line-ff' into 'master'Douwe Maan2018-11-192-28/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Remove 'comment_on_any_diff_line' feature flag Closes #54034 See merge request gitlab-org/gitlab-ce!23093 (cherry picked from commit b7cedd91e5ec07461b25f3920ae6cf2b00f3d84e) 6c796702 Remove 'comment_on_any_diff_line' feature flag
| | * | | Merge branch 'libre-to-core' into 'master'Marcia Ramos2018-11-191-3/+4
| |/ / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Documentation: update Libre -> Core See merge request gitlab-org/gitlab-ce!22533 (cherry picked from commit 633f59cb8e1d27ce13b532faac3b40141e002671) bd8021ae Update Libre -> Core be00c403 Add missing links d3ddd3fd Fix include intro note as per documentation guidelines
| * | | Merge branch '11-5-stable-fix-changelog' into '11-5-stable'Stan Hu2018-11-191-0/+0
| |\ \ \ | | | | | | | | | | | | | | | | | | | | Move changelog for issue 54189 to correct location See merge request gitlab-org/gitlab-ce!23216
| | * | | Move changelog for issue 54189 to correct locationCindy Pallares2018-11-191-0/+0
| |/ / /
| * | | Update VERSION to 11.5.0-rc12v11.5.0-rc12GitLab Release Tools Bot2018-11-181-1/+1
| | | |
| * | | Merge branch 'sh-fix-issue-54189-11-5' into 'security-11-5'Steve Azzopardi2018-11-184-1/+37
| | | | | | | | | | | | | | | | | | | | [11.5] Prevent templated services from being imported See merge request gitlab/gitlabhq!2635
| * | | Merge branch 'security-11-5-2717-xss-username-autocomplete' into 'security-11-5'Steve Azzopardi2018-11-183-10/+39
| | | | | | | | | | | | | | | | | | | | [11.5] Escape user fullname while rendering autocomplete template to prevent XSS See merge request gitlab/gitlabhq!2606
View Lorry Controller Status