Commits · 56bb5cef7164c6b66ffcd5b66a8b554b278ad991 · projects.thm.de / GitLab

06 Jun, 2019 18 commits
- Disable project templates for now · 56bb5cef
  Daniel Gerhardt authored Oct 05, 2017
```
There are only three templates and they are framework-specific. The are
removed to lower complexity of the project creation page.
```
  56bb5cef
- Remove 'Chat' nav item from profile · a715d56b
  Daniel Gerhardt authored Oct 04, 2017
  
  a715d56b
- Remove 2FA from UI for CAS users · cc050c3c
  Daniel Gerhardt authored Apr 21, 2016
```
2FA could be enabled but still was not usedi on sign-in.
```
  cc050c3c
- Remove users' ability to remove their auth connections · 043bf632
  Daniel Gerhardt authored Apr 21, 2016
  
  043bf632
- Directly link sign in button on page headers with CAS login · fe507155
  Daniel Gerhardt authored Jun 15, 2015
```
The following formerly separate commits have been merged in:

* Adjust 'Sign in' button for GitLab's CSRF protection

  GitLab introduced CSRF protection for authentication requests in
  571ba5a7. The 'Sign in' button has been
  adjusted to send a POST request.

* Opt out of turbolinks for 'Sign in' button
```
  fe507155
- Prevent group names of length < 5 when updating settings · 4697eda6
  Daniel Gerhardt authored May 04, 2015
```
This restriction does not apply to admins.
```
  4697eda6
- Forbid creation of groups with a path length < 5 · da3022a9
  Daniel Gerhardt authored Apr 28, 2015
```
This restriction does not apply to admins.
```
  da3022a9
- Adjust version info shown in documentation · 03cdf487
  Daniel Gerhardt authored Apr 15, 2015
  
  03cdf487
- Remove promotional links from dashboard's sidebar · 4516639d
  Daniel Gerhardt authored Apr 15, 2015
  
  4516639d
- Change example URLs and info for repository import · 10775977
  Daniel Gerhardt authored Apr 15, 2015
  
  10775977
- Always check visibility on correct project for clone panel · ce21a366
  Daniel Gerhardt authored Aug 26, 2015
```
The project variable can hold an object which is not an instance of
Project (e.g. ProjectWiki). In this case, visibility_level is not
defined.
```
  ce21a366
- Hide HTTPS clone button for non-public projects for CAS users · 6861e8cd
  Daniel Gerhardt authored Apr 15, 2015
```
Additionally, the prompt to set a password is no longer shown for CAS
users.
```
  6861e8cd
- Disable project import via Oauth providers · 1256eec5
  Daniel Gerhardt authored Apr 15, 2015
  
  1256eec5
- Disable Oauth application settings for end users · b06a213d
  Daniel Gerhardt authored Apr 14, 2015
  
  b06a213d
- Forbid password changing for CAS users · 2c7344cb
  Daniel Gerhardt authored Apr 14, 2015
  
  2c7344cb
- Add CAS specifc methods to user model · 8ae4b26d
  Daniel Gerhardt authored Apr 14, 2015
  
  8ae4b26d
- Forbid paths matching the pattern of THM usernames · 9ae2097d
  Daniel Gerhardt authored Apr 14, 2015
  
  9ae2097d
- Use UID instead of e-mail address as username · de1947a3
  Daniel Gerhardt authored Apr 14, 2015
  
  de1947a3
30 May, 2019 7 commits
- Update VERSION to 11.9.12 · bbb9720e
  GitLab Release Tools Bot authored May 30, 2019
  
  bbb9720e
- Update CHANGELOG.md for 11.9.12 · 3c8b8ce8
  GitLab Release Tools Bot authored May 30, 2019
```
[ci skip]
```
  3c8b8ce8
- Merge branch 'osw-disable-dns-rebind-protection-settings-11-9' into '11-9-stable' · c8f8098d
  GitLab Release Tools Bot authored May 30, 2019
```
Add DNS rebinding protection settings

See merge request gitlab/gitlabhq!3132
```
  c8f8098d
- Rename UrlBlocker argument: schemes -> protocols · 64487732
  Stan Hu authored May 29, 2019
```
This was renamed in GitLab 11.11, so the backport needs to use
the original name.
```
  64487732
- Use Rails migration v5.0 for GitLab 11.9 · a1da4104
  Stan Hu authored May 29, 2019
  
  a1da4104
- Add changelog · 4781c6da
  Oswaldo Ferreira authored May 29, 2019
  
  4781c6da
- Add DNS rebinding protection settings · 831d60aa
  Oswaldo Ferreira authored May 29, 2019
  
  831d60aa
28 May, 2019 12 commits
- Merge branch 'security-60143-address-xss-issue-11.09' into '11-9-stable' · 7c13c20a
  GitLab Release Tools Bot authored May 28, 2019
```
Reject slug+uri concat if slug is deemed unsafe

See merge request gitlab/gitlabhq!3107
```
  7c13c20a
- Merge branch 'security-http-hostname-override-11-9' into '11-9-stable' · 43f3b64e
  GitLab Release Tools Bot authored May 28, 2019
```
Protect Gitlab::HTTP against DNS rebinding attack

See merge request gitlab/gitlabhq!3115
```
  43f3b64e
- Merge branch 'security-58856-persistent-xss-11-9' into '11-9-stable' · 7b39a999
  GitLab Release Tools Bot authored May 28, 2019
```
Persistent XSS in note objects CE

See merge request gitlab/gitlabhq!3081
```
  7b39a999
- Merge branch 'security-fix-project-existence-disclosure-11-9' into '11-9-stable' · 818b0227
  GitLab Release Tools Bot authored May 28, 2019
```
Fix url redaction for issue links

See merge request gitlab/gitlabhq!3089
```
  818b0227
- Merge branch 'security-60039-11-9' into '11-9-stable' · 7bb52f05
  GitLab Release Tools Bot authored May 28, 2019
```
Disallow invalid MR branch name

See merge request gitlab/gitlabhq!3093
```
  7bb52f05
- Merge branch 'security-unsubscribing-from-issue-11-9' into '11-9-stable' · b718cc65
  GitLab Release Tools Bot authored May 28, 2019
```
Hide issue title on unsubscribe for anonymous users

See merge request gitlab/gitlabhq!3101
```
  b718cc65
- Merge branch 'security-fix-confidential-issue-label-visibility-11-9' into '11-9-stable' · 27a42bda
  GitLab Release Tools Bot authored May 28, 2019
```
Fix confidential issue label disclosure on milestone view

See merge request gitlab/gitlabhq!3104
```
  27a42bda
- Merge branch 'security-fix_milestones_search_api_leak-11-9' into '11-9-stable' · 152dc732
  GitLab Release Tools Bot authored May 28, 2019
```
Resolve: Milestones leaked via search API

See merge request gitlab/gitlabhq!3112
```
  152dc732
- Merge branch 'security-jej/prevent-web-sign-in-bypass-11-9' into '11-9-stable' · bc89bb7b
  GitLab Release Tools Bot authored May 28, 2019
```
Prevent password sign in restriction bypass

See merge request gitlab/gitlabhq!3119
```
  bc89bb7b
- Merge branch 'security-knative-0.5-11-9' into '11-9-stable' · b6e4fe5e
  GitLab Release Tools Bot authored May 28, 2019
```
Update Knative version due to a security vulnerability

See merge request gitlab/gitlabhq!3122
```
  b6e4fe5e
- Update Knative version due to a security vulnerability · a6ce726b
  Tiger Watson authored May 28, 2019
  
  a6ce726b
- Merge branch 'sh-fix-issue-59379-11-9' into '11-9-stable' · f9f4555b
  GitLab Release Tools Bot authored May 28, 2019
```
Fix project visibility level validation

See merge request gitlab/gitlabhq!3124
```
  f9f4555b
27 May, 2019 1 commit

Reject slug+uri concat if slug is deemed unsafe · f383ad62

Kerri Miller authored May 20, 2019

First reported:
  https://gitlab.com/gitlab-org/gitlab-ce/issues/60143

When the page slug is "javascript:" and we attempt to link to a relative
path (using `.` or `..`) the code will concatenate the slug and the uri.
This MR adds a guard to that concat step that will return `nil` if the
incoming slug matches against any of the "unsafe" slug regexes;
currently this is only for the slug "javascript:" but can be extended if
needed. Manually tested against a non-exhaustive list from OWASP of
common javascript XSS exploits that have to to with mangling the
"javascript:" method, and all are caught by this change or by existing
code that ingests the user-specified slug.

f383ad62

25 May, 2019 1 commit
- Fix project visibility level validation · 4b4b0777
  Peter Marko authored May 14, 2019
  
  4b4b0777
24 May, 2019 1 commit

Merge branch '62283-fix-job-app-spec' into 'master' · b72e1e86

Filipa Lacerda authored May 24, 2019

Replaces a hard-coded date in the job app spec

Closes #62283

See merge request gitlab-org/gitlab-ce!28709

b72e1e86