- Nov 27, 2018
-
-
GitLab Release Tools Bot authored
-
GitLab Release Tools Bot authored
[ci skip]
-
- Nov 26, 2018
-
-
Steve Xuereb authored
[11.4] Fix SSRF in project integrations See merge request gitlab/gitlabhq!2610
-
Steve Xuereb authored
[11.4] Reflected XSS in OAuth Authorize window due to redirect_uri allowing arbitrary protocols See merge request gitlab/gitlabhq!2580
-
Steve Xuereb authored
[11.4] Fix CRLF issue in UrlValidator See merge request gitlab/gitlabhq!2653
-
-
Francisco Javier López authored
This commit fixes an SSRF vulnerability related to project hooks and IPv6 addresses. It also addresses a problem with IPv6-mapped addresses.
-
Steve Azzopardi authored
-
Steve Xuereb authored
[11.4] Resolve: "Provide email notification when a user changes their email address" See merge request gitlab/gitlabhq!2603
-
James Lopez authored
-
Steve Xuereb authored
[11.4] Fixed ability to comment on and edit/delete comments on locked or confidential issues See merge request gitlab/gitlabhq!2647
-
-
Steve Xuereb authored
[11.4] [pages] Possible symlink time of check to time of use race condition See merge request gitlab/gitlabhq!2650
-
Steve Xuereb authored
[11.4] Resolve "Personal access token with only `read_user` scope can be used to authenticate any web request" See merge request gitlab/gitlabhq!2656
-
- Nov 23, 2018
-
-
Steve Xuereb authored
Merge branch 'security-11-4-xss-in-markdown-following-unrecognized-html-element' into 'security-11-4' [11.4] XSS in markdown following unrecognized HTML element See merge request gitlab/gitlabhq!2632
-
Steve Xuereb authored
[11.4] Fix XSS in mermaid diagrams See merge request gitlab/gitlabhq!2622
-
Steve Xuereb authored
[11.4] Don't expose confidential information in commit message list See merge request gitlab/gitlabhq!2643
-
Steve Xuereb authored
[11.4] Resolve: Promoting a milestone is missing an authorization check See merge request gitlab/gitlabhq!2620
-
Steve Xuereb authored
[11.4] Do not follow redirects in prometheus service See merge request gitlab/gitlabhq!2624
-
Steve Xuereb authored
[11.4] Stored XSS for Environments See merge request gitlab/gitlabhq!2615
-
Steve Azzopardi authored
-
Steve Xuereb authored
[11.4] Fixed read name of private groups See merge request gitlab/gitlabhq!2591
-
Steve Xuereb authored
[11.4] Redact sensitive information on gitlab-workhorse log See merge request gitlab/gitlabhq!2585
-
James Lopez authored
-
- Nov 21, 2018
-
-
Rémy Coutable authored
ci: Add COMPILE_ASSETS to cng build trigger See merge request gitlab-org/gitlab-ce!23253
-
Alessio Caiazza authored
-
- Nov 20, 2018
-
-
Jason Plum authored
Add `COMPILE_ASSETS=true` to CNG build trigger. This stems from https://gitlab.com/charts/gitlab/issues/937, where we needed to add asset compilation to the CNG image pipelines when using `<= 11.5.x`. This is only needed on versions prior to `11.5`, as they do not have the asset compilation container backported.
-
GitLab Release Tools Bot authored
-
GitLab Release Tools Bot authored
[ci skip]
-
- Nov 19, 2018
-
-
Bob Van Landuyt authored
This makes sure the user viewing the commit does not get to see anything they're not allowed to see
-
- Nov 18, 2018
-
-
GitLab Release Tools Bot authored
-
GitLab Release Tools Bot authored
[ci skip]
-
Steve Xuereb authored
[11.4] Prevent templated services from being imported See merge request gitlab/gitlabhq!2636
-
Steve Xuereb authored
[11.4] Escape user fullname while rendering autocomplete template to prevent XSS See merge request gitlab/gitlabhq!2607
-
Steve Xuereb authored
[11.4] Prevent templated services from being imported See merge request gitlab/gitlabhq!2636
-
Steve Xuereb authored
[11.4] Escape user fullname while rendering autocomplete template to prevent XSS See merge request gitlab/gitlabhq!2607
-
Stan Hu authored
Templated services should only be created by admins and do not apply to project import/export. Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/54189
-
- Nov 16, 2018
-
-
Brett Walker authored
-
- Nov 15, 2018
-
-
Alessio Caiazza authored
This is a backport for the 11.4 stable branch. Gitlab::UrlBlocker ignores the scheme when validating URIs matching either config.gitlab or config.gitlab_shell. This patch enforces matching config.gitlab.protocol for the internal web host and ssh for the internal shell host. A cleanup migration for stored XSS in the environments table is included.
-
- Nov 14, 2018
-
-
Reuben Pereira authored
Do not allow redirects in the Prometheus service to prevent SSRFs.
-
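Several of the commits in this log are variations on one problem: a user-controlled URL (a project hook, an integration endpoint, an OAuth redirect_uri) is handed to a server-side client, and the validator that was supposed to stop it could be bypassed by an IPv6-mapped IPv4 address, by a raw CR/LF in the URL, or by an unexpected scheme. The block below is an added example written for this page, not GitLab's Gitlab::UrlBlocker or UrlValidator, showing how those three checks fit together in Ruby. The module name, the policy and the blocked ranges are assumptions; the sample URLs are constructed.

```ruby
require "uri"
require "ipaddr"

# Added illustration, not GitLab code: a minimal outbound-URL blocker of the kind
# the SSRF commits above describe. Module name, policy and ranges are assumptions.
module ExampleUrlBlocker
  class BlockedUrlError < StandardError; end

  ALLOWED_SCHEMES = %w[http https].freeze

  # Destinations a webhook or integration must never be pointed at. The list is
  # illustrative; a production blocker would cover every special-purpose range.
  BLOCKED_RANGES = %w[
    0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
    172.16.0.0/12 192.168.0.0/16
    ::/128 ::1/128 fc00::/7 fe80::/10
  ].map { |cidr| IPAddr.new(cidr) }.freeze

  # Returns the parsed URI when the target is acceptable, raises BlockedUrlError otherwise.
  def self.validate!(url)
    raise BlockedUrlError, "empty URL" if url.nil? || url.strip.empty?

    # Reject CR, LF and other control characters before parsing. URI.parse would
    # refuse a raw CRLF as well, but deciding on the string itself keeps the check
    # independent of parser leniency (the "CRLF issue in UrlValidator" class of bug).
    raise BlockedUrlError, "control character in URL" if url.match?(/[\x00-\x1f\x7f]/)

    uri = begin
      URI.parse(url)
    rescue URI::InvalidURIError => e
      raise BlockedUrlError, "unparseable URL: #{e.message}"
    end

    # Pin the scheme: javascript:, file:, gopher: and friends must never reach a client
    # or a browser redirect (the arbitrary-protocol redirect_uri issue above).
    scheme = uri.scheme&.downcase
    raise BlockedUrlError, "scheme not allowed: #{uri.scheme.inspect}" unless ALLOWED_SCHEMES.include?(scheme)

    host = uri.hostname # strips the brackets from an IPv6 literal such as [::1]
    raise BlockedUrlError, "missing host" if host.nil? || host.empty?

    ip = literal_ip(host)
    raise BlockedUrlError, "#{ip} is a blocked address" if ip && blocked_ip?(ip)

    uri
  end

  def self.safe?(url)
    validate!(url)
    true
  rescue BlockedUrlError
    false
  end

  # IPAddr only accepts dotted-quad IPv4 and textual IPv6; hostnames return nil.
  def self.literal_ip(host)
    IPAddr.new(host)
  rescue IPAddr::InvalidAddressError
    nil
  end

  def self.blocked_ip?(ip)
    # ::ffff:127.0.0.1 is 127.0.0.1 in IPv6 clothing. Compare the native IPv4 form
    # so the loopback range catches it; this is the "IPv6-mapped addresses" case.
    candidate = ip.ipv4_mapped? ? ip.native : ip
    BLOCKED_RANGES.any? { |range| range.include?(candidate) }
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs: one benign hook URL and several SSRF attempts.
  %w[
    https://example.com/hook
    http://127.0.0.1/
    http://[::ffff:127.0.0.1]/
    http://[::1]:8080/
    http://169.254.169.254/latest/meta-data/
    javascript:alert(1)
  ].each { |u| puts "#{ExampleUrlBlocker.safe?(u) ? 'allow' : 'block'}  #{u}" }
end
```

Two things this example deliberately leaves out, because they cannot run offline. First, a hostname such as `internal.example` or a non-dotted-quad numeric host like `2130706433` passes `literal_ip` untouched; a real blocker has to resolve the name and apply `blocked_ip?` to every returned address, then connect to exactly that address so a DNS rebinding between check and use cannot swap it. Second, validating the URL says nothing about where the server on the other end redirects to, which is why the Prometheus-service commit stops following redirects altogether: either the client refuses 3xx responses, or each Location header is run back through `validate!` before being followed.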