- 06 Jun, 2019 18 commits
-
-
Daniel Gerhardt authored
There are only three templates and they are framework-specific. They are removed to lower the complexity of the project creation page.
-
Daniel Gerhardt authored
-
Daniel Gerhardt authored
2FA could be enabled but still was not used on sign-in.
-
Daniel Gerhardt authored
-
Daniel Gerhardt authored
The following formerly separate commits have been merged in:

* Adjust 'Sign in' button for GitLab's CSRF protection

  GitLab introduced CSRF protection for authentication requests in 571ba5a7. The 'Sign in' button has been adjusted to send a POST request.

* Opt out of turbolinks for 'Sign in' button
-
Daniel Gerhardt authored
This restriction does not apply to admins.
-
Daniel Gerhardt authored
This restriction does not apply to admins.
-
Daniel Gerhardt authored
-
Daniel Gerhardt authored
-
Daniel Gerhardt authored
-
Daniel Gerhardt authored
The project variable can hold an object which is not an instance of Project (e.g. ProjectWiki). In this case, visibility_level is not defined.
-
Daniel Gerhardt authored
Additionally, the prompt to set a password is no longer shown for CAS users.
-
Daniel Gerhardt authored
-
Daniel Gerhardt authored
-
Daniel Gerhardt authored
-
Daniel Gerhardt authored
-
Daniel Gerhardt authored
-
Daniel Gerhardt authored
-
- 30 May, 2019 7 commits
-
-
GitLab Release Tools Bot authored
-
GitLab Release Tools Bot authored
[ci skip]
-
GitLab Release Tools Bot authored
Add DNS rebinding protection settings

See merge request gitlab/gitlabhq!3132
-
Stan Hu authored
This was renamed in GitLab 11.11, so the backport needs to use the original name.
-
Stan Hu authored
-
Oswaldo Ferreira authored
-
Oswaldo Ferreira authored
-
- 28 May, 2019 12 commits
-
-
GitLab Release Tools Bot authored
Reject slug+uri concat if slug is deemed unsafe

See merge request gitlab/gitlabhq!3107
-
GitLab Release Tools Bot authored
Protect Gitlab::HTTP against DNS rebinding attack

See merge request gitlab/gitlabhq!3115
-
GitLab Release Tools Bot authored
Persistent XSS in note objects CE

See merge request gitlab/gitlabhq!3081
-
GitLab Release Tools Bot authored
Fix url redaction for issue links

See merge request gitlab/gitlabhq!3089
-
GitLab Release Tools Bot authored
Disallow invalid MR branch name

See merge request gitlab/gitlabhq!3093
-
GitLab Release Tools Bot authored
Hide issue title on unsubscribe for anonymous users

See merge request gitlab/gitlabhq!3101
-
GitLab Release Tools Bot authored
Fix confidential issue label disclosure on milestone view

See merge request gitlab/gitlabhq!3104
-
GitLab Release Tools Bot authored
Resolve: Milestones leaked via search API

See merge request gitlab/gitlabhq!3112
-
GitLab Release Tools Bot authored
Prevent password sign in restriction bypass

See merge request gitlab/gitlabhq!3119
-
GitLab Release Tools Bot authored
Update Knative version due to a security vulnerability

See merge request gitlab/gitlabhq!3122
-
Tiger Watson authored
-
GitLab Release Tools Bot authored
Fix project visibility level validation

See merge request gitlab/gitlabhq!3124
-
- 27 May, 2019 1 commit
-
-
Kerri Miller authored
First reported: https://gitlab.com/gitlab-org/gitlab-ce/issues/60143

When the page slug is "javascript:" and we attempt to link to a relative path (using `.` or `..`) the code will concatenate the slug and the uri. This MR adds a guard to that concat step that will return `nil` if the incoming slug matches against any of the "unsafe" slug regexes; currently this is only for the slug "javascript:" but can be extended if needed.

Manually tested against a non-exhaustive list from OWASP of common javascript XSS exploits that have to do with mangling the "javascript:" method, and all are caught by this change or by existing code that ingests the user-specified slug.
-
- 25 May, 2019 1 commit
-
-
Peter Marko authored
-
- 24 May, 2019 1 commit
-
-
Filipa Lacerda authored
Replaces a hard-coded date in the job app spec

Closes #62283

See merge request gitlab-org/gitlab-ce!28709
-