gitlab.com/gitlab-org/gitaly.git
author Pavlo Strokov <pstrokov@gitlab.com> 2020-09-16 15:33:43 +0300
committer Paul Okstad <pokstad@gitlab.com> 2020-11-04 08:14:04 +0300
commit e28343e56bc5b32d42ce6cfd0795d86d963e77a8
tree 3954fd90535a6c5bbabc780a3a0c73252aa22afb
parent d66d46a0832214cd64cadf0fefd25939178c3416
Removal of all http.*.extraHeader config values

Because of incorrect usage of config options passed to the clone command, they were stored in the repository as configuration values. The bad thing is that this stores user credentials that could be used by anyone who has access to the configuration of the repository. With the changes made, the affected configuration values will be removed from the repository config when the 'OptimizeRepository' RPC is called. Eventually this will happen to all repositories, and after that we will be able to remove this code as not needed.

Closes:
https://gitlab.com/gitlab-org/gitaly/-/issues/3138
https://gitlab.com/gitlab-org/gitaly/-/issues/2882

-rw-r--r-- changelogs/unreleased/security-ps-clean-creds.yml 5
1 files changed, 5 insertions, 0 deletions
diff --git a/changelogs/unreleased/security-ps-clean-creds.yml b/changelogs/unreleased/security-ps-clean-creds.yml
new file mode 100644
index 000000000..9d5866b3e
--- /dev/null
+++ b/changelogs/unreleased/security-ps-clean-creds.yml
@@ -0,0 +1,5 @@
+---
+title: Removal of all http.*.extraHeader config values
+merge_request:
+author:
+type: security
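
Review bot: the `+title:` line says what is removed but not when it happens. According to the commit message the cleanup only runs when the OptimizeRepository RPC is called, so credentials stored under http.*.extraHeader stay in a repository's config until that RPC has run for it; consider a title that says so, for example "Remove http.*.extraHeader values from repository config during OptimizeRepository". The `merge_request:` and `author:` fields are left empty, which is worth confirming as intended for a `type: security` entry. This diff contains only the changelog file (1 file changed), so the removal code itself cannot be checked against the description here.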