1. 31 Jan, 2019 1 commit
    • Alias GitHub and BitBucket OAuth2 callback URLs · 88f2e961
      Stan Hu authored
      To prevent an OAuth2 covert redirect vulnerability, this commit adds and
      uses an alias for the GitHub and BitBucket OAuth2 callback URLs to the
      following paths:
      
      GitHub: /users/auth/-/import/github
      Bitbucket: /users/auth/-/import/bitbucket
      
      This allows admins to put a more restrictive callback URL in the OAuth2
      configuration settings. Instead of https://example.com, admins can now use:
      
      https://example.com/users/auth
      
      It's possible but not trivial to change Devise and OmniAuth to use a
      different prefix for callback URLs instead of /users/auth. For now,
      aliasing the import URLs under the /users/auth namespace should suffice.
      
      Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/56663
  2. 22 Jan, 2019 1 commit
    • Alias GitHub and BitBucket OAuth2 callback URLs · 6d57b2fd
      Stan Hu authored
      To prevent an OAuth2 covert redirect vulnerability, this commit adds and
      uses an alias for the GitHub and BitBucket OAuth2 callback URLs to the
      following paths:
      
      GitHub: /users/auth/-/import/github
      Bitbucket: /users/auth/-/import/bitbucket
      
      This allows admins to put a more restrictive callback URL in the OAuth2
      configuration settings. Instead of https://example.com, admins can now use:
      
      https://example.com/users/auth
      
      It's possible but not trivial to change Devise and OmniAuth to use a
      different prefix for callback URLs instead of /users/auth. For now,
      aliasing the import URLs under the /users/auth namespace should suffice.
      
      Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/56663
  3. 13 Nov, 2018 1 commit
  4. 09 Aug, 2018 1 commit
  5. 10 Jul, 2018 1 commit
  6. 06 Jul, 2018 1 commit
  7. 21 Dec, 2016 1 commit
  8. 19 Dec, 2016 1 commit
  9. 16 Dec, 2016 1 commit
  10. 08 Dec, 2016 1 commit
  11. 29 Nov, 2016 1 commit
  12. 30 Aug, 2016 4 commits
  13. 12 May, 2016 1 commit
  14. 07 Dec, 2015 1 commit
  15. 15 May, 2015 1 commit
  16. 20 Mar, 2015 1 commit
  17. 25 Feb, 2015 1 commit
  18. 24 Feb, 2015 1 commit