Commit message (Author, Age, Files, Lines)
* Update VERSION to 8.4.10 [v8.4.10] (Robert Speicher, 2016-04-27, 1 file, -1/+1)
|
* Update CHANGELOG for 8.4.10 (Robert Speicher, 2016-04-26, 1 file, -4/+5)
|   [ci skip]
* Merge branch 'rs-notes-privilege-escalation' into 'master' (Robert Speicher, 2016-04-26, 2 files, -8/+39)
|   Prevent privilege escalation via notes API
|   Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15577
|   See merge request !1964
* Update changelog (Douwe Maan, 2016-04-26, 1 file, -1/+0)
|
* Revert "Merge branch '15579-filter-milestone-confidential-issues-api' into 'master'" (Douwe Maan, 2016-04-26, 2 files, -39/+2)
|   This reverts commit 550f9a740c472ac4075284f08a2074ecffd64920.
* Merge branch 'fix/private-labels-permissions' into 'master' (Grzegorz Bizon, 2016-04-26, 5 files, -18/+94)
|   Fix vulnerability that leaks private labels and milestones
|   This fixes a vulnerability that leaks information about private labels and milestones because of an insecure direct object reference in the issuable create service. This affects merge requests and issues.
|   See https://gitlab.com/gitlab-org/gitlab-ce/issues/15439
|   This MR introduces an additional check that rejects labels and milestones that do not belong to the same project the issue/merge request does.
|   `IssuableBaseService` may benefit from encapsulating filters in a separate class/module, which then may improve coherency in this class.
|   Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15439
|   See merge request !1954
|   Signed-off-by: Rémy Coutable <remy@rymai.me>
* Merge branch 'fix-project-hook-delete-permissions' into 'master' (Rémy Coutable, 2016-04-26, 2 files, -4/+14)
|   Prevent users from deleting Webhooks via API they do not own
|   Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15576
|   See merge request !1959
|   Signed-off-by: Rémy Coutable <remy@rymai.me>
* Merge branch '15437-fix-xss-in-issue-tracker-service' into 'master' (Robert Speicher, 2016-04-26, 27 files, -163/+880)
|   Prevent XSS via custom issue tracker URL
|   Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/15437
|   See merge request !1955
|   Signed-off-by: Rémy Coutable <remy@rymai.me>
* Merge branch '15579-filter-milestone-confidential-issues-api' into 'master' (Robert Speicher, 2016-04-25, 2 files, -2/+39)
|   Prevent information disclosure via milestone API
|   Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15579
|   See merge request !1961
* Merge branch '15591-fix-project-leak-in-new-mr-view' into 'master' (Robert Speicher, 2016-04-25, 2 files, -0/+26)
|   Prevent information disclosure via new merge request page
|   Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15591.
|   See merge request !1963
* Merge branch 'fix-impersonation-issue' into 'master' (Robert Speicher, 2016-04-25, 9 files, -70/+189)
|   Prevent privilege escalation via "impersonate" feature
|   Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15548
|   See merge request !1956
* Merge branch 'fix-private-snippet-api' into 'master' (Robert Speicher, 2016-04-25, 5 files, -7/+116)
|   Prevent information disclosure via snippet API
|   Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15580
|   See merge request !1958
* Merge branch 'issue_15434' into 'master' (Jacob Schatz, 2016-04-25, 2 files, -2/+2)
|   Fixes XSS injection
|   REF: https://gitlab.com/gitlab-org/gitlab-ce/issues/15434
|   **Without the fix**
|   ![xss1](/uploads/0a7b0b15fb87066965a7c73f1dbaa815/xss1.gif)
|   **With the fix**
|   ![xss2](/uploads/473cfa0aa80656f24c58aebf1fd97fff/xss2.gif)
|   See merge request !1952
* Merge branch 'dev_issue_15331' into 'master' (Robert Speicher, 2016-04-25, 3 files, -5/+17)
|   Fixes window.opener bug
|   Adds `noreferrer` value to rel attribute for external links
|   REF: https://gitlab.com/gitlab-org/gitlab-ce/issues/15331
|   See merge request !1953
* Update VERSION to 8.4.9 [v8.4.9] (Rémy Coutable, 2016-04-20, 1 file, -1/+1)
|
* Fix failing user lookup feature test (Robert Speicher, 2016-04-19, 1 file, -1/+1)
|
* Remove persistent XSS vulnerability in `commit_person_link` helper (Robert Speicher, 2016-04-19, 3 files, -2/+5)
|   See https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/1948
* Update VERSION to 8.4.8 [v8.4.8] (Robert Speicher, 2016-04-07, 1 file, -1/+1)
|
* Merge branch 'fix/2fa-authentication-spoofing' into 'master' (Rémy Coutable, 2016-04-07, 3 files, -6/+113)
|   Fix 2FA authentication spoofing
|   Signed-off-by: Rémy Coutable <remy@rymai.me>
* Version 8.4.7 [v8.4.7] (Rémy Coutable, 2016-04-05, 1 file, -1/+1)
|
* Add 8.4.7 CHANGELOG item (Rémy Coutable, 2016-04-05, 1 file, -0/+3)
|   [ci skip]
|   Signed-off-by: Rémy Coutable <remy@rymai.me>
* Don't fetch any tags from a forked repo (Stan Hu, 2016-04-05, 1 file, -1/+1)
|   Closes #13957
* Version 8.4.6 [v8.4.6] (Robert Speicher, 2016-03-17, 1 file, -1/+1)
|
* Merge branch '8-4-git-2-7-4' into '8-4-stable' (Robert Speicher, 2016-03-17, 3 files, -5/+9)
|\
| |   Bump Git version requirement to 2.7.4 (for 8.4)
| |   [ci skip]
| |   See merge request !3283
| * Bump Git version requirement to 2.7.4 (for 8.4) (Douwe Maan, 2016-03-17, 3 files, -5/+9)
|/
* Version 8.4.5 [v8.4.5] (Robert Speicher, 2016-02-25, 1 file, -1/+1)
|
* Update CHANGELOG (Robert Speicher, 2016-02-25, 1 file, -0/+3)
|   [ci skip]
* Merge branch 'fix-gitlab_git-version' into '8-4-stable' [TR.8.4.4] (Robert Speicher, 2016-02-15, 1 file, -1/+1)
|\
| |   Fix missing gitlab_git version bump
| |   Closes #13430
| |   See merge request !2811
| * Fix missing gitlab_git version bump (Stan Hu, 2016-02-14, 1 file, -1/+1)
|/
|   Closes #13430
* Merge branch 'bump-gitlab-git' into '8-4-stable' (Robert Speicher, 2016-02-10, 1 file, -1/+1)
|\
| |   Bump gitlab_git to ~> 7.2.24
| |   bump gitlab_git to ~> 7.2.24 (closes: #13245)
| |   See merge request !2772
| * bump gitlab_git to ~> 7.2.24 (closes: #13245) (Pirate Praveen, 2016-02-09, 1 file, -1/+1)
| |
* | Version 8.4.4 [v8.4.4] (Robert Speicher, 2016-02-09, 1 file, -1/+1)
| |
* | Merge branch 'variables-build-log' into 'master' (Robert Speicher, 2016-02-09, 3 files, -3/+8)
| |   Add notice about variables in build log
| |   Related to: https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/1942
| |   [ci skip]
| |   See merge request !2761
* | Update CHANGELOG (Robert Speicher, 2016-02-09, 1 file, -0/+1)
| |   [ci skip]
* | Merge branch 'backup-database-timeout-fix' into 'master' (Robert Speicher, 2016-02-09, 2 files, -0/+4)
| |   Fix timeout issue for rake task gitlab:backup:create
| |   This is a fix for a database timeout which can occur when the backup create task is taking very long (1-2 hours). It seems that ActiveRecord is losing the connection after an hour of idleness and needs to be reconnected before use.
| |   See merge request !2757
* | Merge branch 'ci-permissions-stable' into '8-4-stable' (Robert Speicher, 2016-02-08, 36 files, -213/+409)
|\ \
| |/
|/|
| |   Limit guest access builds
| |   This is https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/1942 for ce-stable
| |   See merge request !1943
| * Fix build/permissions.feature tests adding missing steps (Kamil Trzcinski, 2016-02-08, 2 files, -3/+7)
| |
| * Limit guest access builds (Kamil Trzcinski, 2016-02-08, 36 files, -213/+405)
|/
|   This solves https://dev.gitlab.org/gitlab/gitlabhq/issues/2646
|   1. This MR simplifies CI permission model:
|      - read_build: allows to read a list of builds, artifacts and trace
|      - update_build: allows to cancel and retry builds
|      - admin_build: allows to manage triggers, runners and variables
|      - read_commit_status: allows to read a list of commit statuses (including the status of a build, but doesn't allow to see a build's details)
|      - create_commit_status: allows to create a new commit status using API
|   2. I do make sure that the proper permissions are used in all places where the CI can be shown.
|   3. Add the `read_build` ability if user is anonymous or guest and allow_guest_to_access_builds is enabled.
|   4. Add CI setting: public_builds.
|   5. The artifacts-specific permissions are removed, since they are covered by `*_build`.
* Merge branch 'omniauth-saml-update' into 'master' (Robert Speicher, 2016-02-03, 3 files, -5/+8)
|   Updated omniauth-saml to the latest version.
|   See merge request !2684
* Version 8.4.3 [v8.4.3] (Robert Speicher, 2016-02-02, 1 file, -1/+1)
|
* Merge branch 'rs-relax-autosize' into 'master' (Robert Speicher, 2016-02-02, 6 files, -3/+281)
|   Allow manual resize of js-autosize textareas
|   First, the autosize library was being too controlling and removed the `resize` property from any elements to which it was attached, removing the drag handle. We've disabled this behavior in the vendored library and added a spec to prevent a regression during an upgrade.
|   Second, we detect (as best we can) when the user manually resizes an autosize textarea, and then remove the autosize behavior from it and increase its max-height.
|   This should allow for the best of both worlds.
|   Closes #12832
|   See merge request !2653
* Merge branch 'expand-git-instrumentation' into 'master' (Yorick Peterse, 2016-02-02, 1 file, -2/+20)
|   Expand Git instrumentation
|   This instruments some extra `Gitlab::Git` code as well as a collection of `Rugged` constants.
|   See merge request !2664
* Merge branch 'increase_lfs_size_column' into 'master' (Drew Blessing, 2016-01-31, 3 files, -3/+10)
|   Increase LFS objects size column
|   Fixes #12745
|   Increases the `size` column integer limit to an 8-byte integer. This allows for a max value of `9223372036854775807` which is 9,223,372,036 GB. That should do it :smiley:
|   I tested this by first reproducing the error (push a file larger than 2.1 GB). The error was:
|   ```
|   RangeError (3145728000 is out of range for ActiveRecord::ConnectionAdapters::PostgreSQL::OID::Integer with limit 4):
|     lib/gitlab/lfs/response.rb:232:in `store_file'
|     lib/gitlab/lfs/response.rb:170:in `render_lfs_upload_ok'
|     lib/gitlab/lfs/response.rb:51:in `block in render_storage_upload_store_response'
|     lib/gitlab/lfs/response.rb:204:in `render_response_to_push'
|     lib/gitlab/lfs/response.rb:50:in `render_storage_upload_store_response'
|     lib/gitlab/lfs/router.rb:76:in `put_response'
|     lib/gitlab/lfs/router.rb:20:in `try_call'
|     lib/gitlab/backend/grack_auth.rb:41:in `call'
|     lib/gitlab/backend/grack_auth.rb:18:in `call_with_kerberos_support'
|     lib/gitlab/backend/grack_auth.rb:8:in `call'
|   ```
|   Then I ran this migration and pushed the file again. It uploaded successfully.
|   See merge request !2644
* Merge branch 'rs-ldap-user' into 'master' (Robert Speicher, 2016-01-31, 1 file, -7/+8)
|   Backport LDAP user assignment changes from EE
|   See https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/146
|   See merge request !2641
* Merge branch 'update_sentry_gem' into 'master' (Robert Speicher, 2016-01-31, 2 files, -1/+3)
|   Update sentry-raven gem. Should resolve `fatal: Not a git repository (or any of the parent directories): .git` warnings.
|   Fixes #12657
|   See merge request !2636
* Merge branch 'mr-merge-base' into 'master' (Robert Speicher, 2016-01-31, 7 files, -23/+27)
|   Correctly determine MR diff base when MR has merge conflicts
|   Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/12779
|   See merge request !2632
* Merge branch 'highlight-blame' into 'master' (Robert Speicher, 2016-01-31, 6 files, -43/+84)
|   Fix highlighting in blame view.
|   See merge request !2630
* Version 8.4.2 [v8.4.2] (Robert Speicher, 2016-01-27, 1 file, -1/+1)
|
* Update gitlab-workhorse versions in documentation (Robert Speicher, 2016-01-27, 2 files, -2/+2)
|   [ci skip]
* Update CHANGELOG (Robert Speicher, 2016-01-27, 1 file, -4/+2)
|   [ci skip]