  1. 04 Jun, 2019 1 commit
  2. 03 Jun, 2019 11 commits
  3. 30 May, 2019 7 commits
  4. 28 May, 2019 12 commits
  5. 27 May, 2019 1 commit
      Reject slug+uri concat if slug is deemed unsafe · aef4b0a5
      Kerri Miller authored
      First reported:
      When the page slug is "javascript:" and we attempt to link to a relative
      path (using `.` or `..`) the code will concatenate the slug and the uri.
      This MR adds a guard to that concat step that will return `nil` if the
      incoming slug matches against any of the "unsafe" slug regexes;
      currently this is only for the slug "javascript:" but can be extended if
      needed. Manually tested against a non-exhaustive list from OWASP of
      common javascript XSS exploits that have to do with mangling the
      "javascript:" method, and all are caught by this change or by existing
      code that ingests the user-specified slug.
  6. 25 May, 2019 1 commit
  7. 24 May, 2019 1 commit
  8. 23 May, 2019 1 commit
  9. 22 May, 2019 1 commit
      Protect Gitlab::HTTP against DNS rebinding attack · 1de0a033
      Douwe Maan authored
      Gitlab::HTTP now resolves the hostname only once, verifies the IP is not
      blocked, and then uses the same IP to perform the actual request, while
      passing the original hostname in the `Host` header and SSL SNI field.
  10. 21 May, 2019 1 commit
  11. 20 May, 2019 1 commit
  12. 19 May, 2019 1 commit
  13. 06 May, 2019 1 commit
      Validate MR branch names · cec5d2e8
      Mark Chao authored
      Prevents refspec as branch name, which would bypass branch protection
      when used in conjunction with rebase.
      HEAD seems to be a special case with lots of occurrences,
      so it is considered valid for now.
      Another special case is `refs/head/*`, which can be imported.