[ci skip]

'security-11-6'
[11.6] Use sanitized user status message in user popover
See merge request gitlab/gitlabhq!2838
(cherry picked from commit 919913d4511c1e78b65d6bb29082ddc597b525f3)
9b736da4 Use sanitized user status message for user popover

[ci skip]

[11.6] Fix requiring the rubyzip Gem
See merge request gitlab/gitlabhq!2878

In commit 6fa5fd8515e0f2d5a6341134560021f353d84362 the `require: false`
was removed to ensure the Gem was loaded at run time. Unfortunately, the
`require` necessary for the rubyzip Gem is "zip" and not "rubyzip". As a
result, Bundler would not require the Gem. This meant that we would
still run into constant errors when referring to `Zip::File`.

[ci skip]

[ci skip]

This reverts commit 066208f1762b1a60408c62a9098a71b2ed905958.

[11.6] Fix uninitialized constant with GitLab Pages deploy
See merge request gitlab/gitlabhq!2873

pages:deploy step was failing with the following error:
```
unitialized constant SafeZip::Extract::Zip
```
Since license_finder already pulls in rubyzip, we can make it
a required gem. We also use the scope operator to make the reference to
Zip::File explicit.

[ci skip]

Fix a JS race in a spec
Closes #56860
See merge request gitlab-org/gitlab-ce!24684
(cherry picked from commit b5e10cd3ac4e15e7421ebc9acc5d4f9ca9e8e3ea)

[11.6] Sanitize user full name to clean up any URL to prevent mail clients from auto-linking URLs
See merge request gitlab/gitlabhq!2829
(cherry picked from commit 7dd747b8ce1f59672c530af25237bdf661cb480a)
61fc453c Add `sanitize_name` helper to sanitize URLs in user full name
e5cd214e Use `sanitize_name` to sanitize URL in user full name
1b000d5a Add changelog entry

[11.6] Sent notification only to authorized users
See merge request gitlab/gitlabhq!2857
(cherry picked from commit 4152329ce44bbc7567a1c7b03d5bf9e84bb1efc7)
fb0fd18c Sent notification only to authorized users

[11.6] Resolve "[Security] Stored XSS via KaTeX"
See merge request gitlab/gitlabhq!2755
(cherry picked from commit f79ff59ee1e21a5dbff19b86c5d5af16b62ac894)
024098db 11.6 backport of fix for XSS in KaTex Links
37b798d7 Merge branch 'security-11-6' of https://dev.gitlab.org/gitlab/gitlabhq into...

[11.6] Disable git v2 protocol temporarily
See merge request gitlab/gitlabhq!2860
(cherry picked from commit 5c80952f99aea931d53ac58b6068e1eabd8b6295)
d7d7bc0d Allow Gitaly to be built from a custom URL
c478d134 Disable git v2 protocol temporarily

[11.6] Alias GitHub and BitBucket OAuth2 callback URLs
See merge request gitlab/gitlabhq!2846
(cherry picked from commit f8a23d89e6f94a74b2779b3b215c475a39ba8de3)
f652a9e0 Alias GitHub and BitBucket OAuth2 callback URLs

[11.6] Security fix user email tag push leak
See merge request gitlab/gitlabhq!2808
(cherry picked from commit 7260e6e0c2ad3df7dea2c0bd5c0d91c4bc5b15ae)
589c57c7 Prefer build() rather than create()
63d13410 Fix private user email being visible in tag webhooks

[11.6] Fix error disclosure on Project Import
See merge request gitlab/gitlabhq!2733
(cherry picked from commit b4797537a586bce6a96580a0257f59f9c6a92c14)
f470ad2f Fix path disclosure on Project Import

[11.6] Contributed projects info is still visible even user enable private profile
See merge request gitlab/gitlabhq!2765
(cherry picked from commit dfc0edd52628ba86578f1b6645575049b9db1058)
7502af85 Fix contributed projects finder shown private info
06aadabb Use old spec syntax

[11.6] Fix Imported Project Retains Prior Visibility Setting
See merge request gitlab/gitlabhq!2853
(cherry picked from commit 348a5dbc905cac1d61158e9fb83b82185a27cb04)
aaca3d2b Fix tree restorer visibility level
1d942ad1 Update schema file

[11.6] GitLab vulnerable to IDN homograph attacks and RTLO attacks
See merge request gitlab/gitlabhq!2822

Such as those with IDN homographs or embedded
right-to-left (RTLO) characters.
Autolinked hrefs should be escaped

'security-11-6'
[11.6] Do not expose trigger token when user should not see it
See merge request gitlab/gitlabhq!2759
(cherry picked from commit 33fbd62b9b4a73679a9f3cd1d9020e5dc6e9072d)
64a328be Do not expose trigger token when user should not see it

[11.6] Fix DoS in reference extraction regexes
See merge request gitlab/gitlabhq!2778
(cherry picked from commit 06f1ea1f540b62aefbaa4f69901de2d29df11e7c)
e73f2f1d Fix slow project reference pattern regex

'security-11-6'
[11.6] Don't process MR refs for guests in the notes
See merge request gitlab/gitlabhq!2782
(cherry picked from commit ee0f107791921dec7a6e3d43fe45ebef43d864be)
6e10237d Don't process MR refs for guests in the notes

[11.6] Bump Rails version to 5.0.7.1
See merge request gitlab/gitlabhq!2797
(cherry picked from commit 3a5dd09effda664888b25c935142b5c8fc23c304)
f705c816 Bump Ruby on Rails version to 5.0.7.1

'security-fix-wiki-access-rights-with-external-wiki-enabled-11-6' into 'security-11-6'
[11.6] Fix access to internal wiki when external wiki is enabled
See merge request gitlab/gitlabhq!2801
(cherry picked from commit 1edd23f18210a03ab3e1f6925aa4e434f68cee79)
24a48893 Fixed bug when external wiki is enabled

[11.6] Pipelines section is available to unauthorized users
See merge request gitlab/gitlabhq!2805
(cherry picked from commit 6f6e0e2ba7e8e2afe38e2d57883a8dfda0685d86)
e5c0b597 Backport security fix
181c74a1 Add CHANGELONG entry

[11.6] Use common error for not logged in users when creating issues
See merge request gitlab/gitlabhq!2812
(cherry picked from commit fe692173d2da5df4646050725359bc7fd1c99f4e)
a2dba33c Use common error for unauthenticated users

'security-11-6'
[11.6] Group Guests are no longer able to see merge requests
See merge request gitlab/gitlabhq!2815
(cherry picked from commit a662cfdb80a9d7fe6eacbc1a40fb24b5a7b9272e)
f7a2dabd Group Guests are no longer able to see merge requests

'security-11-6'
[11.6] LFS object forgery in project import
See merge request gitlab/gitlabhq!2818
(cherry picked from commit 6402c62822692b924ee95234cbcc2578501236f9)
bb635c64 Added validations to prevent LFS object forgery

'security-11-6'
[11.6] Fix discussion replies permissions check
See merge request gitlab/gitlabhq!2825
(cherry picked from commit 367767766d9727101908a1f195120732d72201b1)
313a9f2e Prevent comments by email when issue is locked

[11.6] Security extract pages with rubyzip
See merge request gitlab/gitlabhq!2834
(cherry picked from commit a55b637dea3b526ad48bd9a27352c5d7ca2d54db)
57be1a57 Extract GitLab Pages using RubyZip
eeeafb9b Fix Gemfile.rails4.lock

'security-11-6'
[11.6] Stop showing ci for guest users
See merge request gitlab/gitlabhq!2836
(cherry picked from commit 6390008e01ddfbbcff3b0f16f88bdd38bfcaf0ed)
75ec9ba8 Stop showing ci for guest users

'security-11-6'
[11.6] Revoke award_emoji permissions for confidential issues
See merge request gitlab/gitlabhq!2850
(cherry picked from commit f645472619fe1e1ec4fdaa02010408d548287efb)
47d86827 Prevent award_emoji to notes not visible to user

'security-11-6'
[11.6] Verify that LFS upload requests are genuine
See merge request gitlab/gitlabhq!2863
(cherry picked from commit 6154e199fee175685e24a5b0b0d57f5971b1ed08)
edb61807 Verify that LFS upload requests are genuine

Fix failing MySQL spec due to deadlock condition
Closes #55161
See merge request gitlab-org/gitlab-ce!24378

[ci skip]

Prepare 11.6.5 release
See merge request gitlab-org/gitlab-ce!24439

The `params` keyword argument only works in Rails 5. Removing it will
cause a Rails 4 deprecation warning, but that's better than not working
at all.

Resolve a transient failure in MWPS feature spec
Closes gitlab-ee#6770
See merge request gitlab-org/gitlab-ce!23838

Fix no avatar not showing in user selection box
Closes #56268
See merge request gitlab-org/gitlab-ce!24346
(cherry picked from commit 8285205815ccdb25238fcae1c1e91063a46f19b0)
2265ce34 Fix no avatar not showing in user selection box

Fix requests profiler in admin page not rendering HTML properly
Closes #56152
See merge request gitlab-org/gitlab-ce!24291
(cherry picked from commit 59c0c173b471d50007442c95464df0cac0030fc6)
4ac4ba26 Fix requests profiler in admin page not rendering HTML properly

Fix broken templated "Too many changes to show" text
Closes #56138
See merge request gitlab-org/gitlab-ce!24282
(cherry picked from commit 819de8e8084e1b0cc102664abb8bbc836ff99ede)
488d7d1f Fix broken templated "Too many changes to show" text