
gitlab.com/gitlab-org/gitlab-foss.git
author    Luke Duncalfe <lduncalfe@eml.cc>  2019-05-23 07:33:11 +0300
committer Luke Duncalfe <lduncalfe@eml.cc>  2019-06-10 23:21:04 +0300
commit    ba377e91e1179b5b1124df1fcdda22c1b63e82a1 (patch)
tree      3b4d44618b710f02055374154119f4f3123bb2dd /changelogs/unreleased/security-prevent-detection-of-merge-request-template-name.yml
parent    e5dcd1101b027d35ca23123c0712a483629b9bf6 (diff)
Authorize access before serving project template
Previously, if a user was a guest member of a private project, they could access the merge request template as we were not checking permission-levels of the user. When an issue template is asked for, the user must have :read_issue for the project; or :read_merge_request when a merge request template is asked for.

We also now rescue_from FileNotFoundError and handle it as a 404. This is because RepoTemplateFinder can raise a FileNotFoundError exception, which Rails previously handled as a 500. These are now handled in a way that is consistent with ActiveRecord::RecordNotFound exceptions, within controllers that inherit from Projects::ApplicationController at least, and return a 404.

https://gitlab.com/gitlab-org/gitlab-ce/issues/54943
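The commit message describes two changes that together close an enumeration oracle: authorize the request by the user's ability on the project before looking up a template, and answer a missing template with 404 rather than letting the exception surface as a 500. The following is an added illustrative model written for this page, not GitLab's code and not part of the commit; the template store, the ability table, the `find_template` stand-in for RepoTemplateFinder and the `serve_template_*` handlers are all constructed here so it runs offline. It contrasts the vulnerable shape (no check, 200 for an existing name versus 500 for a missing one) with the fixed shape, where an unauthorized user receives the same 404 for every name.

```ruby
# Added illustrative model of the fix described in the commit message.
# Not GitLab's code: the template store, ability table and handlers below
# are constructed for this example.

FileNotFoundError = Class.new(StandardError)

# Constructed sample data: one private project with a few templates.
TEMPLATES = {
  "acme/private" => {
    issue:         { "bug" => "## Bug\n...", "feature" => "## Feature\n..." },
    merge_request: { "security-fix" => "## Security fix\n..." }
  }
}.freeze

# Stand-in for RepoTemplateFinder: raises when the template does not exist.
def find_template(project, type, name)
  TEMPLATES.fetch(project, {}).fetch(type, {}).fetch(name) do
    raise FileNotFoundError, "#{type}/#{name}"
  end
end

# Minimal ability model keyed by (user, project). A guest on a private
# project holds neither read ability here (constructed rules, not GitLab's
# real policy classes).
ABILITIES = {
  ["maintainer", "acme/private"] => %i[read_issue read_merge_request],
  ["guest",      "acme/private"] => []
}.freeze

def can?(user, ability, project)
  ABILITIES.fetch([user, project], []).include?(ability)
end

# Ability required per template type, as the commit message states.
REQUIRED_ABILITY = { issue: :read_issue, merge_request: :read_merge_request }.freeze

# Vulnerable shape: no permission check, and an unknown name escapes as an
# unhandled exception, which Rails turns into a 500. The status code alone
# therefore tells any project member whether a template name exists.
def serve_template_before(_user, project, type, name)
  [200, find_template(project, type, name)]
rescue FileNotFoundError
  [500, "Internal Server Error"]
end

# Fixed shape: authorize first, then rescue FileNotFoundError as 404.
# Unauthorized and missing both answer 404, so an unauthorized user gets the
# same response for every candidate name.
def serve_template_after(user, project, type, name)
  ability = REQUIRED_ABILITY.fetch(type)
  return [404, "Not Found"] unless can?(user, ability, project)

  [200, find_template(project, type, name)]
rescue FileNotFoundError
  [404, "Not Found"]
end

# Probe: can this user tell candidate names apart by status code?
def distinguishable_statuses(handler, user, project, type, names)
  names.map { |n| send(handler, user, project, type, n).first }.uniq.size > 1
end

if $PROGRAM_NAME == __FILE__
  names = %w[security-fix release does-not-exist]
  puts "before: guest can distinguish names? " \
       "#{distinguishable_statuses(:serve_template_before, 'guest', 'acme/private', :merge_request, names)}"
  puts "after:  guest can distinguish names? " \
       "#{distinguishable_statuses(:serve_template_after, 'guest', 'acme/private', :merge_request, names)}"
  puts "after:  maintainer status: " \
       "#{serve_template_after('maintainer', 'acme/private', :merge_request, 'security-fix').first}"
end
```

The ordering matters: the ability check runs before any filesystem or repository lookup, so an unauthorized caller never reaches the code path whose failure mode differed. Collapsing "forbidden" and "missing" onto one status is what removes the oracle; a 403 for the former and 404 for the latter would still let a guest confirm which names exist.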
Diffstat (limited to 'changelogs/unreleased/security-prevent-detection-of-merge-request-template-name.yml')
-rw-r--r--  changelogs/unreleased/security-prevent-detection-of-merge-request-template-name.yml  5
1 files changed, 5 insertions, 0 deletions
diff --git a/changelogs/unreleased/security-prevent-detection-of-merge-request-template-name.yml b/changelogs/unreleased/security-prevent-detection-of-merge-request-template-name.yml
new file mode 100644
index 00000000000..d7bb884cb4b
--- /dev/null
+++ b/changelogs/unreleased/security-prevent-detection-of-merge-request-template-name.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent the detection of merge request templates by unauthorized users
+merge_request:
+author:
+type: security
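Review bot: the entry's title covers only merge request templates, while the commit message says the new authorization check also applies to issue templates (:read_issue) and that FileNotFoundError is now returned as a 404, and both `merge_request:` and `author:` are left empty. Suggest a title that names both template types, e.g. `title: Prevent the detection of issue and merge request templates by unauthorized users`, and if the merge request id is intentionally blank for this security fix, a reference to the tracking issue https://gitlab.com/gitlab-org/gitlab-ce/issues/54943 cited in the commit message would keep the changelog entry traceable.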