GitLab

The following formerly separate commits have been merged in:

* Adjust 'Sign in' button for GitLab's CSRF protection

  GitLab introduced CSRF protection for authentication requests in
  571ba5a7. The 'Sign in' button has been
  adjusted to send a POST request.

* Opt out of turbolinks for 'Sign in' button

This restriction does not apply to admins.

This restriction does not apply to admins.

The project variable can hold an object which is not an instance of
Project (e.g. ProjectWiki). In this case, visibility_level is not
defined.

Additionally, the prompt to set a password is no longer shown for CAS
users.

[ci skip]

Signed-off-by: Rémy Coutable <remy@rymai.me>

Fix using wildcards in protected tags to expose protected variables - 10.2

See merge request gitlab/gitlabhq!2308

[10.2] Fix stored XSS in code blocks

See merge request gitlab/gitlabhq!2298

[10-2] Fix GitHub import allowing a user to create a group under any existing namespace

See merge request gitlab/gitlabhq!2302

[10.2] Restrict Todo API mark_as_done endpoint to the user's todos only

See merge request gitlab/gitlabhq!2315

Makes SnippetFinder ensure feature visibility

See merge request gitlab/gitlabhq!2224

[ci skip]

[10.2] Fix bug in security release with deploy keys migration

See merge request gitlab-org/gitlab-ce!16529

[ci skip]

Prepare 10.2.6 Security Release

See merge request gitlab/gitlabhq!2290

Prevent login with disabled OAuth providers

See merge request gitlab/gitlabhq!2223

(cherry picked from commit 43b6135f2226625b5e50d9aa2149a0ea74bb1336)

a4bb4a5b Prevents login with disabled OAuth providers

Sanitizes IPython notebook output

See merge request gitlab/gitlabhq!2237

(cherry picked from commit db98d764c4112dd24bc5ae9ed2bfc01052820309)

8908edbf Sanitizes iPython notebook output
90286ceb fixed karma specs

Merge branch '41293-fix-command-injection-vulnerability-on-system_hook_push-queue-through-web-hook-10-2' into 'security-10-2'

[10.2] Don't allow line breaks on HTTP headers

See merge request gitlab/gitlabhq!2287

(cherry picked from commit 1e19734413d46346dd46177d056d9c7165602197)

b7664b12 Don't allow line breaks on HTTP headers

[10.2] Fix RCE via project import mechanism

See merge request gitlab/gitlabhq!2293

(cherry picked from commit 836918b04ed739fe07b239d0e4eab58296218c8c)

cec9a6ae Fix RCE via project import mechanism

[10.2] Migrate `can_push` column from `keys` to `deploy_keys_project`

See merge request gitlab/gitlabhq!2275

(cherry picked from commit b07115bbf3a6f2340e88213f51f699302e6af1d9)

5382c682 Backport to 10.2

[10.2] backport - check project access on MR create

See merge request gitlab/gitlabhq!2279

(cherry picked from commit dd1654b7830948347a23521058a1386a8ba97b69)

8b1e50e4 check project access on MR create

[10.2] Fix path traversal in gitlab-ci.yml cache:key

See merge request gitlab/gitlabhq!2271

(cherry picked from commit 9184cd7968665137a18c4823ece239a4a1ca0e46)

1050945a Fix path traversal in gitlab-ci.yml cache:key

Validate project path in Gitlab import - 10.2 port

See merge request gitlab/gitlabhq!2267

(cherry picked from commit faea8488456aed31915ca9dd6cb2a7d3090294ec)

036fc6c9 Validate project path in Gitlab import

Remove order param from the MilestoneFinder - 10.2 port

See merge request gitlab/gitlabhq!2264

(cherry picked from commit 54c82aee8d97a7a82fff49197d023e2ebd3247e8)

bca5ca97 Remove order param from the MilestoneFinder

[10.2] Fix XSS in issue label dropdown

See merge request gitlab/gitlabhq!2251

(cherry picked from commit df15b14521c46aaad5805ae90aa04739d78eec63)

6d693d09 Fix XSS in issue label dropdown

[10.2] Fix XSS vulnerability in Pipeline job trace - backport 10 2

See merge request gitlab/gitlabhq!2260

(cherry picked from commit 4ba826b5df561e85f6fdfc86c20779b1a91b598b)

b890d809 Fix XSS vulnerability in Pipeline job trace