1. 26 Apr, 2016 6 commits
  2. 25 Apr, 2016 6 commits
  3. 20 Apr, 2016 1 commit
  4. 19 Apr, 2016 2 commits
  5. 07 Apr, 2016 2 commits
    • Robert Speicher's avatar
      Update VERSION to 8.5.10 · 0c1d745a
      Robert Speicher authored
    • Rémy Coutable's avatar
      Merge branch 'fix/2fa-authentication-spoofing' into 'master' · 4a9f5ef9
      Rémy Coutable authored
      Fix 2FA authentication spoofing
      This is security fix for vulnerability described at
      Attacker was able to bypass password authentication of users that have 2FA enabled, and consequently sign is as a different user, without knowing his password, if he managed to guess 2FA One Time Password for that user.
      It was also possible to enumerate users and check if they have 2FA enabled, because GitLab responded with different error for each case.
      This MR attempts to change default user search scope if `otp_user_id` session variable has been set. If it is present, it means that user has 2FA enabled, and has already been verified with login and password. In this case we should look for user with `otp_user_id` first, before picking it up by `login`.
      Both, 2FA authentication spoofing and 2FA discovery have been covered by specs.
      Current 2FA code is a bit tricky, so it probably needs some refactoring.
      Signed-off-by: Rémy Coutable's avatarRémy Coutable <remy@rymai.me>
  6. 05 Apr, 2016 2 commits
  7. 17 Mar, 2016 4 commits
  8. 15 Mar, 2016 5 commits
  9. 11 Mar, 2016 2 commits
  10. 10 Mar, 2016 5 commits
  11. 08 Mar, 2016 2 commits
    • Rémy Coutable's avatar
      Version 8.5.5-rc1 · 62fc5b6a
      Rémy Coutable authored
    • Robert Speicher's avatar
      Merge branch 'add_show_role_boolean_to_group_member_view' into 'master' · f38f5797
      Robert Speicher authored
      Only show group member roles if explicitly requested
      This very simply fixes an EE problem, but I made the change here so it's less prone to errors from merges.
      In EE, prior to this change, group member roles were shown in project member list when a project is shared with a group. This is bad because the project explicitly shares with the group and sets a 'max access' level. If the max access level is 'developer' the project owner doesn't want to see 'Owner' in the group roles because it will confuse them. I verified that permissions are really being honored here, it was just an error in the view. You can see in https://gitlab.com/gitlab-org/gitlab-ee/blob/master/app/views/projects/project_members/_shared_group_members.html.haml#L18 where this was how it was intended to be. Likely a CE-EE merge introduced this bug. That's why I made the boolean required in CE even though this is for EE.
      See merge request !3044
  12. 04 Mar, 2016 3 commits