Merge branch 'security-prevent-detection-of-merge-request-template-name-11-10' into '11-10-stable'

Guests can know whether merge request template name exists or not See merge request gitlab/gitlabhq!3150
author: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-06-27 00:40:19 +0300
committer: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-06-27 00:40:19 +0300
commit: 6a9ce0402ea2ae86a1ad78b23e38346796b82ac7 (patch)
tree: 2cb4848f4c388cf92778ba5ba0c6155fe1af00b5 /config
parent: 1fe34ee740a0988233e9befb2b6dc85b88615927 (diff)
parent: 5351ebf83b4769bdd876aed0898b4202ebff6e91 (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/config/routes/project.rb b/config/routes/project.rb
index 93d168fc595..bde482f0b6b 100644
--- a/config/routes/project.rb
+++ b/config/routes/project.rb
@@ -41,7 +41,10 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
       #
       # Templates
       #
-      get '/templates/:template_type/:key' => 'templates#show', as: :template, constraints: { key: %r{[^/]+} }
+      get '/templates/:template_type/:key' => 'templates#show',
+          as: :template,
+          defaults: { format: 'json' },
+          constraints: { key: %r{[^/]+}, template_type: /issue|merge_request/, format: 'json' }
 
       resource  :avatar, only: [:show, :destroy]
       resources :commit, only: [:show], constraints: { id: /\h{7,40}/ } do
author	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-06-27 00:40:19 +0300
committer	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-06-27 00:40:19 +0300
commit	6a9ce0402ea2ae86a1ad78b23e38346796b82ac7 (patch)
tree	2cb4848f4c388cf92778ba5ba0c6155fe1af00b5 /config
parent	1fe34ee740a0988233e9befb2b6dc85b88615927 (diff)
parent	5351ebf83b4769bdd876aed0898b4202ebff6e91 (diff)