
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
Age         Commit message  (Author)
2019-08-09  Update CHANGELOG.md for 12.0.5  (GitLab Release Tools Bot)
    [ci skip]
2019-08-09  Update Gitaly to v1.47.2 for security fix  (Paul Okstad)
2019-08-02  Upgrade pages version to 1.6.2  (Vladimir Shushlin)
2019-07-25  Update CHANGELOG.md for 12.0.4  (GitLab Release Tools Bot)
    [ci skip]
2019-07-24  Merge branch 'security-fix-badges-leaked-to-unauthorized-users-12-0' into '12-0-stable'  (GitLab Release Tools Bot)
    Don't display badges when builds are restricted
    See merge request gitlab/gitlabhq!3185
2019-07-24  Merge branch 'security-github-ssrf-redirect-12-0' into '12-0-stable'  (GitLab Release Tools Bot)
    Do not allow localhost url redirection in GitHub Integration
    See merge request gitlab/gitlabhq!3206
2019-07-24  Merge branch 'security-dns-ssrf-bypass-12-0' into '12-0-stable'  (GitLab Release Tools Bot)
    Server Side Request Forgery mitigation bypass
    See merge request gitlab/gitlabhq!3213
2019-07-24  Merge branch 'security-mr-pipeline-permissions-12-0' into '12-0-stable'  (GitLab Release Tools Bot)
    MR pipeline permissions
    See merge request gitlab/gitlabhq!3216
2019-07-24  Merge branch 'security-60143-patch-additional-xss-issue-12.0' into '12-0-stable'  (GitLab Release Tools Bot)
    Extract SanitizeNodeLink and apply to WikiLinkFilter
    See merge request gitlab/gitlabhq!3222
2019-07-24  Merge branch 'security-remove-take-trigger-ownership-feature-12-0' into '12-0-stable'  (GitLab Release Tools Bot)
    Drop feature to take ownership of a trigger token
    See merge request gitlab/gitlabhq!3227
2019-07-24  Merge branch 'security-2873-restrict-slash-commands-to-users-who-can-log-in-12-0' into '12-0-stable'  (GitLab Release Tools Bot)
    Restrict slash commands to users who can log in
    See merge request gitlab/gitlabhq!3238
2019-07-24  Merge branch 'security-bvl-filter-mr-params-12-0' into '12-0-stable'  (GitLab Release Tools Bot)
    Filter params in MR build service
    See merge request gitlab/gitlabhq!3254
2019-07-17  Filter params in MR build service  (Bob Van Landuyt)
    Reusing the existing `IssuableBaseService#filter_params` which uses the policies to determine what params a user can set, and which values it can be set to.
    This also removed the need for the separate call to `IssuableBaseService#ensure_milestone_available`.
    The `Issues::BuildService` does not suffer from this because it limits the params that are assignable to the `title`, `description` and `milestone_id`.
2019-07-17  Drop feature to take ownership of a trigger token  (Fabio Pitino)
    Removing API and frontend interactions that allowed users to take ownership of a trigger token.
    Removed mentions from the documentation.
2019-07-15  Do not show moved issue ids for user not authorized  (Felipe Artur)
    Do not show moved issue id for users that cannot read issue
2019-07-12  Restrict slash commands to users who can log in  (Hordur Freyr Yngvason)
2019-07-09  Do not allow localhost url redirection in GitHub Integration  (manojmj)
2019-07-08  Extract SanitizeNodeLink and apply to WikiLinkFilter  (Kerri Miller)
    The SanitizationFilter was running before the WikiFilter. Since WikiFilter can modify links, we could see links that _should_ be stopped by SanitizationFilter being rendered on the page. I (kerrizor) had previously addressed the bug in: https://gitlab.com/gitlab-org/gitlab-ee/commit/7bc971915bbeadb950bb0e1f13510bf3038229a4 However, an additional exploit was discovered after that was merged.

    Working through the issue, we couldn't simply shuffle the order of filters, due to some implicit assumptions about the order of filters, so instead we've extracted the logic that sanitizes a Nokogiri-generated Node object, and applied it to the WikiLinkFilter as well.

    On moving filters around: Once we start moving around filters, we get cascading failures; fix one, another one crops up. Many of the existing filters in the WikiPipeline chain seem to assume that other filters have already done their work, and thus operate on a "transform anything that's left" basis; WikiFilter, for instance, assumes any link it finds in the markdown should be prepended with the wiki_base_path, but if it does that, it also turns `href="@user"` into `href="/path/to/wiki/@user"`, which the UserReferenceFilter doesn't see as a user reference it needs to transform into a user profile link. This is true for all the reference filters in the WikiPipeline.
2019-07-05  Use MergeRequest#source_project as permissions reference for MergeRequest#all_pipelines  (drew cimino)
    MergeRequest#all_pipelines fetches Ci::Pipeline records from the source project, so we should specifically check that project for permissions. This was already happening for intra-project merge requests, but in the event that the target and source projects both have private builds, we should ensure that the project permissions are respected.
2019-07-04  Fix Server Side Request Forgery mitigation bypass  (Francisco Javier López)
    When we can't resolve the hostname or it is invalid, we shouldn't even perform the request. This fix also fixes the problem of the SSRF rebinding attack.

    We can't stub feature flags outside example blocks. Nevertheless, there are some actions that call the UrlBlocker, which are performed outside example blocks, i.e. the `set` instruction. That's why we have to use some signaling mechanism outside the scope of the specs.
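The rule the commit message above states (refuse the request outright when the host is invalid or does not resolve, and check the address that will actually be connected to so a second lookup cannot be rebound) as an added example in Ruby. This is not GitLab's `Gitlab::UrlBlocker`; the `SafeUrl` module, its methods, the blocked-range list and the stub resolver with constructed `.test` names are all invented for this illustration.

```ruby
require 'ipaddr'
require 'resolv'
require 'uri'

# Added example, not GitLab's Gitlab::UrlBlocker. The module and method
# names (SafeUrl, validate!, blocked?) and the stub resolver are invented
# for this illustration.
module SafeUrl
  class BlockedError < StandardError; end

  # Ranges a server-side fetch must never reach: "this" network, RFC 1918,
  # shared address space, loopback, link-local (which includes the cloud
  # metadata address 169.254.169.254), and the IPv6 equivalents.
  BLOCKED_RANGES = %w[
    0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
    172.16.0.0/12 192.168.0.0/16 ::/128 ::1/128 fc00::/7 fe80::/10
  ].map { |cidr| IPAddr.new(cidr) }

  # Constructed, offline stand-in for DNS so the example runs without a
  # network. In production pass ->(host) { Resolv.getaddresses(host) }.
  STUB_RESOLVER = lambda do |host|
    {
      'example.test' => ['93.184.216.34'],
      'rebind.test'  => ['127.0.0.1'],                   # public name, internal address
      'mapped.test'  => ['::ffff:10.0.0.5'],             # RFC 1918 address in IPv4-mapped form
      'multi.test'   => ['93.184.216.34', '192.168.1.1'] # one public, one private
    }.fetch(host) { [] }                                 # unknown name resolves to nothing
  end

  # Validates +url+ and returns [uri, ip]. The caller must connect to +ip+
  # directly (Net::HTTP#ipaddr=) instead of letting the HTTP client resolve
  # the name again; otherwise a second lookup can be rebound to an internal
  # address after this check has passed.
  def self.validate!(url, resolver: STUB_RESOLVER)
    uri = begin
      URI.parse(url)
    rescue URI::InvalidURIError
      raise BlockedError, 'malformed URL'
    end
    unless %w[http https].include?(uri.scheme)
      raise BlockedError, "scheme not allowed: #{uri.scheme.inspect}"
    end

    host = uri.hostname
    raise BlockedError, 'missing host' if host.nil? || host.empty?

    # A literal IP needs no lookup; any other name must resolve here, or the
    # request is refused outright rather than handed to the HTTP client.
    literal = (IPAddr.new(host) rescue nil)
    addresses = (literal ? [literal] : resolve(host, resolver))
                .map { |ip| ip.ipv4_mapped? ? ip.native : ip } # ::ffff:10.0.0.5 -> 10.0.0.5
    raise BlockedError, "unresolvable or invalid host: #{host}" if addresses.empty?

    # Every returned address is checked: a name may resolve to one public and
    # one private address, and the client could pick either.
    addresses.each do |ip|
      if BLOCKED_RANGES.any? { |range| range.family == ip.family && range.include?(ip) }
        raise BlockedError, "#{host} resolves to blocked address #{ip}"
      end
    end

    [uri, addresses.first.to_s]
  end

  # Convenience wrapper: true when validate! would refuse the URL.
  def self.blocked?(url, resolver: STUB_RESOLVER)
    validate!(url, resolver: resolver)
    false
  rescue BlockedError
    true
  end

  # Resolves +host+ to IPAddr objects; resolver errors count as "no address".
  def self.resolve(host, resolver)
    names = begin
      resolver.call(host)
    rescue Resolv::ResolvError, SocketError
      []
    end
    names.map { |a| IPAddr.new(a) rescue nil }.compact
  end
  private_class_method :resolve
end
```

Opening the connection with `Net::HTTP#ipaddr=` set to the returned address is what closes the rebinding window: the TCP connection goes to the address that passed the check, while the `Host` header still carries the original name. Checking only the first resolved address, or letting the HTTP client resolve the name a second time, leaves the gap the commit describes.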
2019-06-27  Update CHANGELOG.md for 12.0.3  (GitLab Release Tools Bot)
    [ci skip]
2019-06-27  Don't display badges when builds are restricted  (Fabio Pitino)
    Badges were leaked to unauthorized users even when Public Builds project setting is disabled. Added guard clause to the controller to check if user can read build.
2019-06-27  Merge branch 'security-notes-in-private-snippets-12-0' into '12-0-stable'  (GitLab Release Tools Bot)
    Ability to write a note in a private snippet
    See merge request gitlab/gitlabhq!3142
2019-06-27  Merge branch 'security-fp-prevent-billion-laughs-attack-12-0' into '12-0-stable'  (GitLab Release Tools Bot)
    Prevent Billion Laughs attack
    See merge request gitlab/gitlabhq!3146
2019-06-27  Merge branch 'security-12-0-mr-head-pipeline-leak' into '12-0-stable'  (GitLab Release Tools Bot)
    Fix MR head pipeline leak
    See merge request gitlab/gitlabhq!3154
2019-06-27  Merge branch 'security-prevent-detection-of-merge-request-template-name-12-0' into '12-0-stable'  (GitLab Release Tools Bot)
    Guests can know whether merge request template name exists or not
    See merge request gitlab/gitlabhq!3161
2019-06-27  Merge branch 'security-persist-tmp-snippet-uploads-12-0' into '12-0-stable'  (GitLab Release Tools Bot)
    Persist tmp snippet uploads at users
    See merge request gitlab/gitlabhq!3162
2019-06-27  Merge branch 'security-59581-related-merge-requests-count-12-0' into '12-0-stable'  (GitLab Release Tools Bot)
    Expose merge requests count based on user access
    See merge request gitlab/gitlabhq!3167
2019-06-27  Merge branch 'security-DOS_issue_comments_banzai-12-0' into '12-0-stable'  (GitLab Release Tools Bot)
    Fix DOS when rendering issue/MR comments
    See merge request gitlab/gitlabhq!3171
2019-06-27  Merge branch 'security-bvl-enforce-graphql-type-authorization-12-0' into '12-0-stable'  (GitLab Release Tools Bot)
    Fix type authorizations in GraphQL
    See merge request gitlab/gitlabhq!3172
2019-06-27  Merge branch 'security-2858-fix-color-validation-12-0' into '12-0-stable'  (GitLab Release Tools Bot)
    Fix color validation regex causing DoS
    See merge request gitlab/gitlabhq!3176
2019-06-26  Disable Rails SQL query cache when applying service templates  (Stan Hu)
    When the SQL query cache is active, the SELECT query for finding projects to apply service templates returns the same values. This causes an infinite loop because even though bulk INSERT queries are made, the cached results never reflect that progress.
    To fix this, we call `Project.uncached` around the query to ensure new data is retrieved.
    Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/63595
2019-06-25  Update CHANGELOG.md for 12.0.2  (GitLab Release Tools Bot)
    [ci skip]
2019-06-25  Merge branch 'sh-quiet-backup-secrets-log' into 'master'  (Rémy Coutable)
    Silence backup warnings when CRON=1 in use
    Closes #63703
    See merge request gitlab-org/gitlab-ce!30033
    (cherry picked from commit d6c7d4c48db51fdc3eb479e53d40ce4358695218)
    ad3abd1d Silence backup warnings when CRON=1 in use
2019-06-25  Merge branch 'sh-recover-ee-schema-backport-migration-failure' into 'master'  (Rémy Coutable)
    Prevent EE backport migrations from running if CE is not migrated
    Closes #63612
    See merge request gitlab-org/gitlab-ce!30002
    (cherry picked from commit 34df0b303eed0cee83d8c0ec6178d3c575a0b555)
    1b063778 Prevent EE backport migrations from running if CE is not migrated
2019-06-25  Merge branch '63513-ensure-gitlab-jsoncache-includes-the-gitlab-version-in-the-cache-key' into 'master'  (Stan Hu)
    Include the GitLab version in the cache key for Gitlab::JsonCache
    See merge request gitlab-org/gitlab-ce!29938
    (cherry picked from commit c6f54ab12b5b276dadda0639ea647e9a2b4c1781)
    94d9e335 Include the GitLab version in the cache key for Gitlab::JsonCache
    1b7e7dde Add CHANGELOG entry
2019-06-25  Merge branch 'sh-omit-issues-links-on-poll' into 'master'  (Mayra Cabrera)
    Omit issues links in merge request entity API response
    Closes #63546
    See merge request gitlab-org/gitlab-ce!29917
    (cherry picked from commit f47e4d025247509ab73e16c3db248b0f9ccb662c)
    1b7ab11f Omit issues links in merge request entity API response
2019-06-25  Merge branch 'fix-notes-emails-with-group-settings' into 'master'  (Douwe Maan)
    Fix notes email with group-level notification email
    Closes #63355
    See merge request gitlab-org/gitlab-ce!29889
    (cherry picked from commit 480eb370a477c3a230cec1ff43a71066ab5be6f9)
    bf73ecd7 Fix notes email with group-level notification email
    8eb2d7bb Apply suggestion to spec/support/helpers/email_helpers.rb
2019-06-25  Merge branch 'fix-labels-in-hooks' into 'master'  (Ash McKenzie)
    Fix label serialisation in issue and note hooks
    Closes #63473
    See merge request gitlab-org/gitlab-ce!29850
    (cherry picked from commit 88c8d177f835983a0a47796529906c69376d159d)
    da470249 Fix label serialisation in issue and note hooks
    4189ffe2 Added labels_hook_attrs method
2019-06-25  Merge branch 'bug/63162-duplicate_path_in_links' into 'master'  (Sean McGivern)
    Do not rewrite relative links for system notes
    Closes #63162
    See merge request gitlab-org/gitlab-ce!29825
    (cherry picked from commit 51df2ca5c5a1b18155b7bba9bdc26c165533428b)
    35a39c1d Do not rewrite relative links for system notes
2019-06-25  Merge branch 'fix-microsoft-teams-notification-flags' into 'master'  (Stan Hu)
    Fix missing API notification flags for Microsoft Teams
    See merge request gitlab-org/gitlab-ce!29824
    (cherry picked from commit 51267258d1c39835c995eaaf29b7df678334ded1)
    d5d2f8fb 59702 Fix API notification flags for MS Teams
    f7658c0f 59702 Add changelog entry
    1ce2c4dc Add missing test for Microsoft Teams notify_only_default_branch flag
2019-06-25  Fix color validation regex  (Heinrich Lee Yu)
    Also prevents ReDoS vulnerability
2019-06-22  Update CHANGELOG.md for 12.0.0  (GitLab Release Tools Bot)
    [ci skip]
2019-06-20  Fix failing authorizations in GraphQL  (Bob Van Landuyt)
    0. Add authorize to LabelType and NamespaceType.
    1. Make sure that authorizations on non-nullable fields are also executed.
2019-06-19  Merge branch '63417-add-missing-class' into 'master'  (Kamil Trzciński)
    Adds missing class in collapsible sections
    Closes #63417
    See merge request gitlab-org/gitlab-ce!29804
    (cherry picked from commit 22755a4aa2d2884629ef9050227ef461574d9d94)
    d3a1468b Adds missing class
2019-06-19  Merge branch '12-1-auto-deploy-0010836' into 12-0-stable  (Robert Speicher)
2019-06-18  Fix DOS when rendering issue/MR comments  (Mario de la Ossa)
2019-06-18  Merge branch 'revert-concurrent-pipeline-schedule-creation' into 'master'  (Kamil Trzciński)
    Revert concurrent pipeline creation for pipeline schedules
    See merge request gitlab-org/gitlab-ce!29794
    (cherry picked from commit ba952d53c5782e49b59ba3e5dd89c2c1eca02c80)
    36b30cf1 Revert concurrent pipeline schedule creation
2019-06-18  Merge branch '59023-fix-web-ide-creating-branches-off-new-commits' into 'master'  (Phil Hughes)
    Fix IDE commit to use start_ref
    See merge request gitlab-org/gitlab-ce!29769
    (cherry picked from commit c4efc7b53aad3be5109c4256f3438f908e180c20)
    894ad6f6 Fix IDE commit to use start_ref
2019-06-18  Merge branch 'gitaly-version-v1.47.0' into 'master'  (Yorick Peterse)
    Upgrade Gitaly to v1.47.0
    See merge request gitlab-org/gitlab-ce!29789
    (cherry picked from commit 1de4ebc7eed1b6fe25feb5a5306b83b15ced6ab2)
    7144f715 Update Gitaly version to v1.47.0
    3efb1520 Add changelog entry