diff options
author | Bob Van Landuyt <bob@gitlab.com> | 2018-10-04 19:28:54 +0300 |
---|---|---|
committer | Bob Van Landuyt <bob@vanlanduyt.co> | 2018-10-04 19:30:49 +0300 |
commit | 8344c4ec326cc3026db23c5484e33766310063c3 (patch) | |
tree | 69d5a01904392cdd033864e8691bc928f7481fa6 /lib/api | |
parent | bcf3ab7cabde73cae6793c70db849d5c91489b4f (diff) |
Merge branch 'security-bw-confidential-titles-through-markdown-api-11-2' into 'security-11-2'
[11.2] Confidential issue/private snippet titles can be read by unauthenticated user through GFM markdown API
See merge request gitlab/gitlabhq!2534
Diffstat (limited to 'lib/api')
-rw-r--r-- | lib/api/markdown.rb | 7 |
1 files changed, 3 insertions, 4 deletions
diff --git a/lib/api/markdown.rb b/lib/api/markdown.rb index 5d55224c1a7..09a8c34c5c0 100644 --- a/lib/api/markdown.rb +++ b/lib/api/markdown.rb @@ -10,7 +10,8 @@ module API detail "This feature was introduced in GitLab 11.0." end post do - context = { only_path: false } + context = { only_path: false, current_user: current_user } + context[:pipeline] = params[:gfm] ? :full : :plain_markdown if params[:project] project = Project.find_by_full_path(params[:project]) @@ -22,9 +23,7 @@ module API context[:skip_project_check] = true end - context[:pipeline] = params[:gfm] ? :full : :plain_markdown - - { html: Banzai.render(params[:text], context) } + { html: Banzai.render_and_post_process(params[:text], context) } end end end |