delta/gitlab/gitlab-ce.git/app/controllers/concerns, branch github-import-docs gitlab.com: gitlab-org/gitlab-ce.git Export assigned issues in iCalendar feed 2018-05-31T14:01:04+00:00 Imre Farkas ifarkas@gitlab.com 2018-05-31T14:01:04+00:00 20dfe25c151cc883ce0d38b67125b5ca41e6d422 






Resolve "Opening Project with invite but without accepting leads to 404 error page"
2018-05-17T09:19:47+00:00

🙈  jacopo beschi 🙉
intrip@gmail.com

2018-05-17T09:19:47+00:00

01275667e323d4702cc396f6f756305b06cba726












Fix cross-origin errors when attempting to download JavaScript attachments
2018-05-14T04:49:51+00:00

Stan Hu
stanhu@gmail.com

2018-05-14T04:43:48+00:00

0c43170630b5b4e90e8f91526066435a06e077eb

If you upload a file with a .js extension, Rails' cross-origin JavaScript
protection will prevent a user from downloading the file with a 422 error.
Setting the content-type to `text/plain` will allow the user to download
the file as a plaintext file.

Closes #45826





If you upload a file with a .js extension, Rails' cross-origin JavaScript
protection will prevent a user from downloading the file with a 422 error.
Setting the content-type to `text/plain` will allow the user to download
the file as a plaintext file.

Closes #45826







Merge branch 'ccr/weight_1481' into 'master'
2018-05-07T16:35:37+00:00

Douwe Maan
douwe@gitlab.com

2018-05-07T16:35:37+00:00

f50d8079f0080e60a2e2c66f0cc93fc9bd6b1c80

Backport of 1481-changing-weight-values-should-trigger-system-notes

See merge request gitlab-org/gitlab-ce!18699




Backport of 1481-changing-weight-values-should-trigger-system-notes

See merge request gitlab-org/gitlab-ce!18699






Reuses `InternalRedirect` when possible
2018-05-04T11:54:43+00:00

Bob Van Landuyt
bob@vanlanduyt.co

2018-05-02T18:25:21+00:00

39916fdfeddfd75279d13fa976fdb07f3b9b0e26

`InternalRedirect` prevents Open redirect issues by only allowing
redirection to paths on the same host.

It cleans up any unwanted strings from the path that could point to
another host (fe. //about.gitlab.com/hello). While preserving the
querystring and fragment of the uri.

It is already used by:

- `TermsController`
- `ContinueParams`
  - `ImportsController`
  - `ForksController`
- `SessionsController`: Only for verifying the host in CE. EE allows
   redirecting to a different instance using Geo.





`InternalRedirect` prevents Open redirect issues by only allowing
redirection to paths on the same host.

It cleans up any unwanted strings from the path that could point to
another host (fe. //about.gitlab.com/hello). While preserving the
querystring and fragment of the uri.

It is already used by:

- `TermsController`
- `ContinueParams`
  - `ImportsController`
  - `ForksController`
- `SessionsController`: Only for verifying the host in CE. EE allows
   redirecting to a different instance using Geo.







Enforces terms in the web application
2018-05-04T11:54:43+00:00

Bob Van Landuyt
bob@vanlanduyt.co

2018-04-27T14:50:33+00:00

7684217d6806408cd338260119364419260d1720

This enforces the terms in the web application. These cases are
specced:

- Logging in: When terms are enforced, and a user logs in that has not
  accepted the terms, they are presented with the screen. They get
  directed to their customized root path afterwards.
- Signing up: After signing up, the first screen the user is presented
  with the screen to accept the terms. After they accept they are
  directed to the dashboard.
- While a session is active:
  - For a GET: The user will be directed to the terms page first,
    after they accept the terms, they will be directed to the page
    they were going to
  - For any other request: They are directed to the terms, after they
    accept the terms, they are directed back to the page they came
    from to retry the request. Any information entered would be
    persisted in localstorage and available on the page.





This enforces the terms in the web application. These cases are
specced:

- Logging in: When terms are enforced, and a user logs in that has not
  accepted the terms, they are presented with the screen. They get
  directed to their customized root path afterwards.
- Signing up: After signing up, the first screen the user is presented
  with the screen to accept the terms. After they accept they are
  directed to the dashboard.
- While a session is active:
  - For a GET: The user will be directed to the terms page first,
    after they accept the terms, they will be directed to the page
    they were going to
  - For any other request: They are directed to the terms, after they
    accept the terms, they are directed back to the page they came
    from to retry the request. Any information entered would be
    persisted in localstorage and available on the page.







Backport of 1481-changing-weight-values-should-trigger-system-notes
2018-05-03T18:18:51+00:00

Chantal Rollison
crollison@gitlab.com

2018-05-02T21:34:05+00:00

1019dff2371b30979b33ce823abeadadad9cfab3












[Rails5] Use `safe_params` instead of `params` in `url_for` helpers
2018-04-28T10:35:16+00:00

blackst0ne
blackst0ne.ru@gmail.com

2018-04-28T10:35:16+00:00

350e26b8a660f2d98ef874be3fa1a15b93965979

This commits replaces `params` with `safe_params` in `url_for` helpers
to resolve security issues [1] and failing specs with the

```
ArgumentError:
  Attempting to generate a URL from non-sanitized request parameters!
  An attacker can inject malicious data into the generated URL, such as
  changing the host. Whitelist and sanitize passed parameters to be secure.
```

error.

[1]: https://gitlab.com/gitlab-org/gitlab-ce/issues/45168





This commits replaces `params` with `safe_params` in `url_for` helpers
to resolve security issues [1] and failing specs with the

```
ArgumentError:
  Attempting to generate a URL from non-sanitized request parameters!
  An attacker can inject malicious data into the generated URL, such as
  changing the host. Whitelist and sanitize passed parameters to be secure.
```

error.

[1]: https://gitlab.com/gitlab-org/gitlab-ce/issues/45168







Fix an N+1 for MRs from forks on the MR index page
2018-04-24T11:06:05+00:00

Sean McGivern
sean@gitlab.com

2018-04-24T11:06:05+00:00

943fc87d9f5c817970d268e1a70ab43ed74cd6b1












Refactor OmniauthCallbacksController to remove duplication
2018-04-22T22:50:55+00:00

James Edwards-Jones
jedwardsjones@gitlab.com

2018-04-18T14:03:27+00:00

f10c999bca2b5b37b068ff3680a6e35a6707828d

Moves LDAP to its own controller with tests
Provides path forward for implementing GroupSaml





Moves LDAP to its own controller with tests
Provides path forward for implementing GroupSaml