|
|
|
[ci skip]
|
|
[11.5] Fix requiring the rubyzip Gem
See merge request gitlab/gitlabhq!2877
|
|
In commit 6fa5fd8515e0f2d5a6341134560021f353d84362 the `require: false`
was removed to ensure the Gem was loaded at run time. Unfortunately, the
`require` necessary for the rubyzip Gem is "zip" and not "rubyzip". As a
result, Bundler would not require the Gem. This meant that we would
still run into constant errors when referring to `Zip::File`.
|
|
|
|
[ci skip]
|
|
[ci skip]
|
|
This reverts commit 25241cd73aabe7598e6cbd6e957642d3d9805a3d.
|
|
[11.5] Fix uninitialized constant with GitLab Pages deploy
See merge request gitlab/gitlabhq!2874
|
|
pages:deploy step was failing with the following error:
```
unitialized constant SafeZip::Extract::Zip
```
Since license_finder already pulls in rubyzip, we can make it
a required gem. We also use the scope operator to make the reference to
Zip::File explicit.
|
|
|
|
[ci skip]
|
|
Fix a JS race in a spec
Closes #56860
See merge request gitlab-org/gitlab-ce!24684
(cherry picked from commit b5e10cd3ac4e15e7421ebc9acc5d4f9ca9e8e3ea)
|
|
[11.5] Disable git v2 protocol temporarily
See merge request gitlab/gitlabhq!2861
(cherry picked from commit 49f3d2ccb4c47073caac7d05fb068d09e20fb93c)
d28a201c Allow Gitaly to be built from a custom URL
66e00613 Disable git v2 protocol temporarily
|
|
[11.5] Alias GitHub and BitBucket OAuth2 callback URLs
See merge request gitlab/gitlabhq!2847
(cherry picked from commit c038dc73735e9b0b933ab6417ca6630c3793e14c)
9eb5c6f3 Alias GitHub and BitBucket OAuth2 callback URLs
|
|
[11.5] Security fix user email tag push leak
See merge request gitlab/gitlabhq!2807
(cherry picked from commit a6a32e22eea76d202dbe1bd6343041d9c7726039)
ccb25775 Prefer build() rather than create()
d4945872 Fix private user email being visible in tag webhooks
|
|
[11.5] Fix error disclosure on Project Import
See merge request gitlab/gitlabhq!2732
(cherry picked from commit 427577d2adfd1833f6f0722a16b5410cc8d6d96b)
2e6e5af0 Fix path disclosure on Project Import
101acd98 Remove Sentry method call
|
|
[11.5] Resolve "[Security] Stored XSS via KaTeX"
See merge request gitlab/gitlabhq!2756
(cherry picked from commit a4f28a482db2ccbbc2eae5ecda4a24b9993f7dfd)
429cae1b 11.5 backport of fix for XSS in KaTex Links
46ca66ed Merge branch 'security-11-5' of https://dev.gitlab.org/gitlab/gitlabhq into...
|
|
'security-fix-wiki-access-rights-with-external-wiki-enabled-11-5' into 'security-11-5'
[11.5] Fix access to internal wiki when external wiki is enabled
See merge request gitlab/gitlabhq!2802
(cherry picked from commit a3d3820ace7cef843b3a71b1962a92fc228145e2)
b718e14f Fixed bug when external wiki is enabled
a906ba0f Fixed some related spec problems
|
|
[11.5] Contributed projects info is still visible even when user enables private profile
See merge request gitlab/gitlabhq!2766
(cherry picked from commit b94b469daa0a52d193c5b5848b08bd3c44007864)
d87eaa57 Fix contributed projects finder shown private info
1b8eb080 Use old spec syntax
|
|
[11.5] Fix Imported Project Retains Prior Visibility Setting
See merge request gitlab/gitlabhq!2852
(cherry picked from commit df3008f7cd326dd9577601d2107f09ef638adcbc)
2bf7a831 Fix tree restorer visibility level
e8b277ba Fix migration error
53b9cd23 Update schema file
|
|
[11.5] Sent notification only to authorized users
See merge request gitlab/gitlabhq!2858
(cherry picked from commit 81c1e9455ca291841704687cdcff085570e89043)
baa1b756 Sent notification only to authorized users
|
|
[11.5] GitLab vulnerable to IDN homograph attacks and RTLO attacks
See merge request gitlab/gitlabhq!2823
|
|
'security-11-5'
[11.5] Do not expose trigger token when user should not see it
See merge request gitlab/gitlabhq!2760
(cherry picked from commit 138126043d62c57b4fb1e057561b433347b36d03)
bd70c84e Do not expose trigger token when user should not see it
|
|
[11.5] Fix DoS in reference extraction regexes
See merge request gitlab/gitlabhq!2779
(cherry picked from commit 9f3dc81480d4b72a201e3517335c4f18235a1f7d)
0a37ec23 Fix slow project reference pattern regex
|
|
'security-11-5'
[11.5] Don't process MR refs for guests in the notes
See merge request gitlab/gitlabhq!2783
(cherry picked from commit 5a508bb7a5e3d7a048c6b3f50f74727e1c71b56e)
d4af76d9 Don't process MR refs for guests in the notes
|
|
[11.5] Pipelines section is available to unauthorized users
See merge request gitlab/gitlabhq!2806
(cherry picked from commit 3a060db7ea48eee0f08d06f312b01936abf9cc70)
bd1ae349 Backport security fix
b2469eeb Add CHANGELOG entry
957f6694 Rename Project#all_pipelines to Project#pipelines
8a9894d6 Remove destroy_pipeline specs
|
|
[11.5] Use common error for not logged in users when creating issues
See merge request gitlab/gitlabhq!2813
(cherry picked from commit 6a1c300fadddd9d534cacc9a7c0afd5ea6b04014)
0cb3920b Use common error for unauthenticated users
|
|
'security-11-5'
[11.5] LFS object forgery in project import
See merge request gitlab/gitlabhq!2819
(cherry picked from commit 2bb4e59e6e24aaf25afa3325d9f043709d564129)
ec8e01ab Added validations to prevent LFS object forgery
|
|
'security-11-5'
[11.5] Fix discussion replies permissions check
See merge request gitlab/gitlabhq!2826
(cherry picked from commit 4f03d5181046ccaf8c09906159c5266eb3564aef)
33bbf8f0 Prevent comments by email when issue is locked
|
|
[11.5] Security extract pages with rubyzip
See merge request gitlab/gitlabhq!2835
(cherry picked from commit 75d595e1d29f3a4141b150e32ea5c592aa0a4270)
46885a07 Extract GitLab Pages using RubyZip
d2bd5db8 Fix Gemfile.rails5.lock
|
|
'security-11-5'
[11.5] Stop showing ci for guest users
See merge request gitlab/gitlabhq!2837
(cherry picked from commit ad1ab0b4ddfb94cbe3b987b556792edc18ac67eb)
d7095784 Stop showing ci for guest users
|
|
'security-11-5'
[11.5] Revoke award_emoji permissions for confidential issues
See merge request gitlab/gitlabhq!2851
(cherry picked from commit 3826a84830da05489f0147c8efd818cdddbf9143)
31d43bdf Prevent award_emoji to notes not visible to user
|
|
'security-11-5'
[11.5] Verify that LFS upload requests are genuine
See merge request gitlab/gitlabhq!2864
(cherry picked from commit 5c3d4d012e734b12140ecc527ade0f5ae8a26049)
dd634b25 Verify that LFS upload requests are genuine
|
|
Such as those with IDN homographs or embedded
right-to-left (RTLO) characters.
Autolinked hrefs should be escaped
|
|
|
|
[ci skip]
|
|
'security-11-5'
[11.5] Validate bundle files before unpacking them
See merge request gitlab/gitlabhq!2775
(cherry picked from commit 28bec61b5d3c43ef896780cb0eebf09353b51995)
68433868 Validate bundle files before unpacking them
|
|
Stop using deprecated argument to `gem`
See merge request gitlab-org/gitlab-ce!24079
|
|
|
|
[ci skip]
|
|
|
|
'security-11-5'
[11.5] Resolve "Removing a user from a private group doesn't remove them from group's project, if their project's role was changed"
See merge request gitlab/gitlabhq!2715
|
|
into security-11-5
|
|
'security-fix/security-group-user-removal-11-5'
# Conflicts:
# app/services/members/destroy_service.rb
|
|
|
|
'55402-broken-master-karma-test-failing-in-spec-javascripts-boards-components-issue_due_date_spec-js' into 'master'
Resolve "Broken master: karma test failing in spec/javascripts/boards/components/issue_due_date_spec.js"
Closes #55402
See merge request gitlab-org/gitlab-ce!23845
|
|
Disable docs lint internal_links check
Closes #55038
See merge request gitlab-org/gitlab-ce!23665
|
|
[11.5] Secret CI variables can be exposed by creating a tag with the same name as an existing protected branch
See merge request gitlab/gitlabhq!2682
|
|
'security-11-5-53543-user-keeps-access-to-mr-issue-when-removed-from-team' into 'security-11-5'
[11.5] Adds validation to check if user can read project
See merge request gitlab/gitlabhq!2679
|