- 07 Apr, 2016 40 commits
-
-
Committed by Grzegorz Bizon
* 'master' of dev.gitlab.org:gitlab/gitlabhq: Make sessions controller specs more explicit Fix 2FA authentication spoofing vulnerability Add specs for sessions controller including 2FA
-
Committed by Rémy Coutable
Fix 2FA authentication spoofing

## Summary

This is a security fix for the vulnerability described at https://gitlab.com/gitlab-org/gitlab-ce/issues/14900. An attacker was able to bypass password authentication of users that have 2FA enabled, and consequently sign in as a different user, without knowing their password, if they managed to guess the 2FA one-time password for that user. It was also possible to enumerate users and check if they have 2FA enabled, because GitLab responded with a different error for each case.

## Fix

This MR attempts to change the default user search scope if the `otp_user_id` session variable has been set. If it is present, it means that the user has 2FA enabled and has already been verified with login and password. In this case we should look for the user with `otp_user_id` first, before picking it up by `login`. Both 2FA authentication spoofing and 2FA discovery have been covered by specs.

## Further work

The current 2FA code is a bit tricky, so it probably needs some refactoring.

See merge request !1947
-
Committed by Grzegorz Bizon
-
Committed by Yorick Peterse
Expire caches after project creation to ensure a consistent state See merge request !3586
-
Committed by Rémy Coutable
Only update main language if it is not already set Related to gitlab-org/gitlab-ce#14937 (but does not fully fix) This is a temporary fix so performance isn't affected so much. cc @yorickpeterse @ayufan how does this look? See merge request !3556
-
Committed by Grzegorz Bizon
This commit attempts to change the default user search scope if the otp_user_id session variable has been set. If it is present, it means that the user has 2FA enabled and has already been verified with login and password. In this case we should look for the user with otp_user_id first, before picking it up by login.
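The lookup change described in this commit and in the merge request description above (!1947), as an added example that is not GitLab's code: a minimal model of the password-then-OTP sign-in flow with the vulnerable lookup next to the fixed one. Users, passwords, OTP codes and the error strings are constructed test data, and the OTP check is a fixed-string stand-in for TOTP; the names `sign_in_vulnerable`, `sign_in_fixed`, `spoof_attempt` and `enumeration_probe` are this example's own, not GitLab's.

```ruby
# Added example, not GitLab's code. Test data below is constructed.
User = Struct.new(:id, :login, :password, :otp_secret, keyword_init: true) do
  def two_factor_enabled?
    !otp_secret.nil?
  end

  # Stand-in for TOTP verification (a real app would use ROTP or similar).
  def valid_otp?(code)
    two_factor_enabled? && code == otp_secret
  end
end

USERS = [
  User.new(id: 1, login: 'attacker', password: 'attacker-pw', otp_secret: '111111'),
  User.new(id: 2, login: 'victim',   password: 'victim-pw',   otp_secret: '654321'),
  User.new(id: 3, login: 'plain',    password: 'plain-pw',    otp_secret: nil),
].freeze

def find_by_login(login)
  USERS.find { |u| u.login == login }
end

def find_by_id(id)
  USERS.find { |u| u.id == id }
end

# Password step shared by both variants: for a 2FA user it records
# otp_user_id in the session and asks for the code instead of signing in.
def password_step(session, user, password)
  return [:failure, 'Invalid login or password'] unless user && user.password == password

  if user.two_factor_enabled?
    session[:otp_user_id] = user.id
    return [:otp_required, user.login]
  end
  [:success, user.login]
end

# Vulnerable: after the password step the account is still resolved from
# the login the client sends, so the OTP is checked against whichever user
# the attacker names, and the error reveals whether that user has 2FA.
def sign_in_vulnerable(session, params)
  user = find_by_login(params[:login])
  return password_step(session, user, params[:password]) unless session[:otp_user_id]

  return [:failure, 'Invalid login or password'] unless user
  return [:failure, 'Two-factor authentication is not enabled'] unless user.two_factor_enabled?
  return [:failure, 'Invalid two-factor code'] unless user.valid_otp?(params[:otp_attempt])

  session.delete(:otp_user_id)
  [:success, user.login]
end

# Fixed: once otp_user_id is set, the user comes from the session and the
# submitted login is ignored, so a code can only unlock the account that
# already passed the password check, and every failure looks the same.
def sign_in_fixed(session, params)
  unless session[:otp_user_id]
    return password_step(session, find_by_login(params[:login]), params[:password])
  end

  user = find_by_id(session[:otp_user_id])
  return [:failure, 'Invalid two-factor code'] unless user && user.valid_otp?(params[:otp_attempt])

  session.delete(:otp_user_id)
  [:success, user.login]
end

# Spoofing attempt: pass the password step with the attacker's own account,
# then submit the victim's login together with a guessed code.
def spoof_attempt(signer)
  session = {}
  step1 = signer.call(session, { login: 'attacker', password: 'attacker-pw' })
  step2 = signer.call(session, { login: 'victim', otp_attempt: '654321' })
  [step1, step2]
end

# Enumeration probe: after the password step, name another account and
# compare the error returned for a 2FA user with that for a non-2FA user.
def enumeration_probe(signer)
  %w[victim plain].map do |target|
    session = {}
    signer.call(session, { login: 'attacker', password: 'attacker-pw' })
    signer.call(session, { login: target, otp_attempt: '000000' }).last
  end
end

if __FILE__ == $PROGRAM_NAME
  p spoof_attempt(method(:sign_in_vulnerable))
  p spoof_attempt(method(:sign_in_fixed))
  p enumeration_probe(method(:sign_in_vulnerable))
  p enumeration_probe(method(:sign_in_fixed))
end
```

Against the vulnerable flow the second step succeeds as `victim` and the probe returns two distinguishable messages; against the fixed flow the guessed code is checked against the session's own user, so the spoof fails and both probe targets get the same error. A legitimate user still completes the fixed flow with their own code.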
-
Committed by Rémy Coutable
API: Ability to filter milestones by state Ability to filter milestones by `active` and `closed` state. * Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/14931 See merge request !3566
-
Committed by Rémy Coutable
Expose badges This MR exposes badges somewhere in a visible place. ![expose_badges](/uploads/d2e290d3013d1ef2b1bdeebbbe2c5d8b/expose_badges.png) Closes #13801 See merge request !3326
-
Committed by Rémy Coutable
Fixes #14638. The SQL query was ambiguous and in this case we want to filter projects. See merge request !3462
-
Committed by Rémy Coutable
Return status code 303 after a branch DELETE operation to avoid project deletion Closes #14994 See merge request !3583
-
Committed by Stan Hu
Closes #14961
-
Committed by Jeroen van Baarsen
Update coveralls from 0.8.9 to 0.8.13 and simplecov from 0.10.0 to 0.11.2 This removes a few dependencies! It was also rude to be using coveralls 0.8.9, considering 0.8.12 introduced support for GitLab CI :) Also paves the way for updating mime-types to 3.0. Coveralls Changelog: https://github.com/lemurheavy/coveralls-ruby/releases Simplecov Changelog: https://github.com/colszowka/simplecov/blob/master/CHANGELOG.md See merge request !3584
-
Committed by Robert Schilling
-
Committed by Robert Schilling
Fix typo in .gitlab-ci.yml doc. [ci skip] See merge request !3581
-
Committed by connorshea
This removes a few dependencies! It was also rude to be using coveralls 0.8.9, considering 0.8.12 introduced support for GitLab CI :) Also paves the way for updating mime-types to 3.0. Coveralls Changelog: https://github.com/lemurheavy/coveralls-ruby/releases Simplecov Changelog: https://github.com/colszowka/simplecov/blob/master/CHANGELOG.md
-
Committed by Stan Hu
Closes #14994
-
Committed by Robert Speicher
Reset merge request widget options Fixes #14986 See merge request !3582
-
Committed by Jacob Schatz
-
Committed by Robert Speicher
Allow SAML to identify external users and set them as such Related to #4009 Fixes #14577 This allows SAML to retrieve group information from the `SAML Response` and match that to a setting that will flag all matching users as external. See merge request !3530
-
Committed by Robert Speicher
Wiki preview URL converting problem [via Markdown] The current implementation, when rendering the preview, thinks relative links are for project repository files. We are creating a new preview route that will define the correct context data to render for wikis instead. Fixes #2380, #1184 See merge request !3461
-
Committed by Patricio Cano
-
Committed by Gabriel Mazetto
-
Committed by Jacob Schatz
Do not add location badge when creating a group or project Closes #14952 ![](/uploads/778d0cbccffc717d601a91528ca8eb3c/Screen_Shot_2016-04-05_at_5.34.10_PM.png) ![](/uploads/dbd9eb06b510a6ac091dcf2e3fcb9c88/Screen_Shot_2016-04-05_at_5.34.21_PM.png) See merge request !3555
-
Committed by frodsan
-
Committed by Jacob Schatz
Wrap code blocks to next line Closes #14866 ![Screen_Shot_2016-04-06_at_9.27.06_AM](/uploads/8bed5c17b17c9d15fe34dc7161d31e09/Screen_Shot_2016-04-06_at_9.27.06_AM.png) See merge request !3573
-
Committed by Achilleas Pipinellis
Fix missing entries in permission matrix [ci skip] Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/14882 See merge request !3580
-
Committed by Robert Speicher
Unblock user when active_directory is disabled and the user can be found We implemented a specific block state to handle user blocking that originates from LDAP filtering rules / directory state in !2242. That introduced a regression in LDAP authentication when Active Directory support was disabled. You could have a scenario where the user would temporarily not be found (like a filtering rule), which would mark the user as `ldap_blocked`, but would never unblock them automatically when that state changed. Fixes #14253, #13179, #13259, #13959 See merge request !3550
-
Committed by Robert Schilling
-
Committed by Annabel Dunstone
-
Committed by Alfredo Sumaran
-
Committed by Alfredo Sumaran
-
Committed by Robert Schilling
-
Committed by Jacob Schatz
Search Design fixes Closes #14800 - Use colors according to design - Fix width of search input ![Screen_Shot_2016-04-05_at_11.12.33_AM](/uploads/83681ccd90a1a1542c056fd6dbc974d0/Screen_Shot_2016-04-05_at_11.12.33_AM.png) ![Screen_Shot_2016-04-05_at_11.11.54_AM](/uploads/f7557bea2ae055f3550b89751fd7d371/Screen_Shot_2016-04-05_at_11.11.54_AM.png) See merge request !3475
-
Committed by Patricio Cano
-
Committed by Douwe Maan
Fix header link rendering when containing numbers This fixes the problem where Markdown such as: ### 31st Would get rendered as a link tag pointing to issue number 31 inside a header tag. See gitlab-org/gitlab-ce#14936 for more information. cc @rspeicher See merge request !3568
-
Committed by Patricio Cano
-
Committed by Patricio Cano
Fix error that was causing only one group to be returned and corrected specs to use the proper attribute type
-
Committed by Robert Schilling
-
Committed by Annabel Dunstone
-
Committed by Annabel Dunstone
-