Age | Commit message | Author
---|---|---
2018-12-20 | Update VERSION to 11.3.14 (v11.3.14, 11-3-stable) | GitLab Release Tools Bot
2018-12-20 | Update CHANGELOG.md for 11.3.14 [ci skip] | GitLab Release Tools Bot
2018-12-20 | Merge branch 'security-import-symlink-11-3' of dev.gitlab.org:gitlab/gitlabhq into security-11-3 | John Jarvis
2018-12-13 | Update VERSION to 11.3.13 (v11.3.13) | GitLab Release Tools Bot
2018-12-13 | Update CHANGELOG.md for 11.3.13 [ci skip] | GitLab Release Tools Bot
2018-12-13 | Merge branch 'security-2754-fix-lfs-import-11-3' into 'security-11-3'. [11.3] Validate LFS hrefs before downloading them. See merge request gitlab/gitlabhq!2700 | John Jarvis
2018-12-06 | Update VERSION to 11.3.12 (v11.3.12) | GitLab Release Tools Bot
2018-12-06 | Update CHANGELOG.md for 11.3.12 [ci skip] | GitLab Release Tools Bot
2018-12-06 | Merge branch 'security-54857-fix-templates-path-traversal-11-3' into 'security-11-3'. [11.3] Prevent a path traversal attack on global file templates. See merge request gitlab/gitlabhq!2671 | Cindy Pallares
2018-11-27 | Update VERSION to 11.3.11 (v11.3.11) | GitLab Release Tools Bot
2018-11-27 | Update CHANGELOG.md for 11.3.11 [ci skip] | GitLab Release Tools Bot
2018-11-26 | Merge branch 'security-fix-uri-xss-applications-11-3' into 'security-11-3'. [11.3] Reflected XSS in OAuth Authorize window due to redirect_uri allowing arbitrary protocols. See merge request gitlab/gitlabhq!2581 | Steve Azzopardi
2018-11-26 | Merge branch 'security-11-3-fj-crlf-injection' into 'security-11-3'. [11.3] Fix CRLF issue in UrlValidator. See merge request gitlab/gitlabhq!2654 | Steve Azzopardi
2018-11-26 | [11.3] Fix CRLF issue in UrlValidator | Francisco Javier López
2018-11-26 | Merge branch 'security-182-update-workhorse-11-3' into 'security-11-3'. [11.3] Redact sensitive information on workhorse log. See merge request gitlab/gitlabhq!2586 | Steve Azzopardi
2018-11-26 | Merge branch 'security-11-3-fix-webhook-ssrf-ipv6' into 'security-11-3'. [11.3] Fix SSRF in project integrations. See merge request gitlab/gitlabhq!2609 | Steve Azzopardi
2018-11-26 | Merge branch 'security-email-change-notification-11-3' into 'security-11-3'. [11.3] Resolve: "Provide email notification when a user changes their email address". See merge request gitlab/gitlabhq!2604 | Steve Azzopardi
2018-11-26 | Merge branch 'security-guest-comments-11-3' into 'security-11-3'. [11.3] Fixed ability to comment on and edit/delete comments on locked or confidential issues. See merge request gitlab/gitlabhq!2648 | Steve Azzopardi
2018-11-26 | [11.3] Fixed ability to comment on and edit/delete comments on locked or confidential issues | Chantal Rollison
2018-11-26 | Resolve reflected XSS in OAuth authorize window | James Lopez
2018-11-26 | Merge branch 'security-11-3-pages-toctou-race' into 'security-11-3'. [11.3] [pages] Possible symlink time of check to time of use race condition. See merge request gitlab/gitlabhq!2651 | Steve Azzopardi
2018-11-26 | Merge branch 'security-fix-pat-web-access-11-3' into 'security-11-3'. [11.3] Resolve "Personal access token with only `read_user` scope can be used to authenticate any web request". See merge request gitlab/gitlabhq!2657 | Steve Azzopardi
2018-11-23 | Update to gitlab-workhorse 6.1.2. 6.1.1 does not include the security fix, but 6.1.2 does. | Steve Azzopardi
2018-11-23 | Merge branch 'security-11-3-xss-in-markdown-following-unrecognized-html-element' into 'security-11-3'. [11.3] XSS in markdown following unrecognized HTML element. See merge request gitlab/gitlabhq!2633 | Steve Azzopardi
2018-11-23 | Merge branch 'security-mermaid-xss-11-3' into 'security-11-3'. [11.3] Fix XSS in mermaid diagrams. See merge request gitlab/gitlabhq!2640 | Steve Azzopardi
2018-11-23 | Merge branch 'security-bvl-exposure-in-commits-list-11-3' into 'security-11-3'. [11.3] Don't expose confidential information in commit message list. See merge request gitlab/gitlabhq!2644 | Steve Azzopardi
2018-11-23 | Merge branch 'security-issue_51301-11-3' into 'security-11-3'. [11.3] Resolve: Promoting a milestone is missing an authorization check. See merge request gitlab/gitlabhq!2621 | Steve Azzopardi
2018-11-23 | Merge branch 'security-2736-prometheus-ssrf-11-3' into 'security-11-3'. [11.3] Do not follow redirects in prometheus service. See merge request gitlab/gitlabhq!2625 | Steve Azzopardi
2018-11-23 | Merge branch 'security-11-3-stored-xss-for-environments' into 'security-11-3'. [11.3] Stored XSS for Environments. See merge request gitlab/gitlabhq!2616 | Steve Azzopardi
2018-11-23 | Merge branch '11-3-stable' into security-11-3 | Steve Azzopardi
2018-11-23 | Merge branch 'security-private-group-11-3' into 'security-11-3'. [11.3] Fixed read name of private groups. See merge request gitlab/gitlabhq!2592 | Steve Azzopardi
2018-11-23 | Update code to use API scope on PAT auth | James Lopez
2018-11-21 | Upgrade GitLab Pages to v1.1.1 | Alessio Caiazza
2018-11-19 | Don't use fragment cache on commit page. This makes sure the user viewing the commit does not get to see anything they're not allowed to see. | Bob Van Landuyt
2018-11-19 | Configure mermaid to not render HTML content in diagrams (cherry picked from commit f2e9f22f7d3d84abeea5ba2918ee5ffcc55f2dad). Conflicts: app/assets/javascripts/behaviors/markdown/render_mermaid.js | Winnie Hellmann
2018-11-19 | Add failing test for XSS in mermaid diagrams (cherry picked from commit fdea799d37ae9ca3f5e80f191a55be543a79857a) | Winnie Hellmann
2018-11-18 | Update VERSION to 11.3.10 (v11.3.10) | GitLab Release Tools Bot
2018-11-18 | Update CHANGELOG.md for 11.3.10 [ci skip] | GitLab Release Tools Bot
2018-11-18 | Merge branch 'sh-fix-issue-54189-11-3' into 'security-11-3'. [11.3] Prevent templated services from being imported. See merge request gitlab/gitlabhq!2637 | Steve Azzopardi
2018-11-18 | Merge branch 'security-11-3-2717-xss-username-autocomplete' into 'security-11-3'. [11.3] Escape user fullname while rendering autocomplete template to prevent XSS. See merge request gitlab/gitlabhq!2608 | Steve Azzopardi
2018-11-18 | Merge branch 'sh-fix-issue-54189-11-3' into 'security-11-3'. [11.3] Prevent templated services from being imported. See merge request gitlab/gitlabhq!2637 | Steve Azzopardi
2018-11-18 | Merge branch 'security-11-3-2717-xss-username-autocomplete' into 'security-11-3'. [11.3] Escape user fullname while rendering autocomplete template to prevent XSS. See merge request gitlab/gitlabhq!2608 | Steve Azzopardi
2018-11-18 | Merge branch '11-3-stable' into security-11-3 | Steve Azzopardi
2018-11-18 | Prevent templated services from being imported. Templated services should only be created by admins and do not apply to project import/export. Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/54189 | Stan Hu
2018-11-16 | Sanitize output of SpacedLinkFilter | Brett Walker
2018-11-14 | No redirects in prometheus service. Do not allow redirects in the prometheus service to prevent SSRFs. | rpereira2
2018-11-14 | Fix milestone promotion authorization. Promoting a milestone was missing an authorization check; guest users were able to promote project milestones to group milestones. | Felipe Artur
2018-11-14 | Validate URI scheme also for internal URI. This is a backport for the 11.3 stable branch. Gitlab::UrlBlocker ignores the scheme when validating a URI matching either config.gitlab or config.gitlab_shell. This patch enforces matching config.gitlab.protocol for internal web and ssh for internal shell. A cleanup migration for stored XSS from the environments table is included. | Alessio Caiazza
2018-11-12 | Add changelog entry | Kushal Pandya
2018-11-12 | Fix SSRF in project integrations. This commit fixes an SSRF vulnerability related to project hooks and ipv6 addresses. It also addresses a problem with ipv6 mapped addresses. | Francisco Javier López