1. 19 Feb, 2018 3 commits
      Merge branch '97-insecure-redirects' into 'master' · 32dcea08
      Nick Thomas authored
      Serve a secure redirect in case of accessing /foo
      
      See merge request gitlab/gitlab-pages!3
      Release v0.6.1 · bcd69d77
      Nick Thomas authored
      Serve a secure redirect in case of accessing /foo · fbf87a29
      Nick Thomas authored
      When a request's path resolved to a directory on disk and lacked a trailing
      slash character, we issue a 302 Found redirect to the request's path, plus the
      missing trailing slash. However, some request paths are valid absolute URIs
      (particularly protocol-neutral //example.com URIs), so this was an open redirect
      vulnerability.
      
      This problem is avoided by generating a URI from the actual location of a file
      that we want to present.
      
      There were also numerous potential bypasses of other security checks for
      inferred index.html files and custom error pages; this commit closes these
      holes at the same time by recursively running the checks if necessary.
  2. 23 Nov, 2017 2 commits
  3. 02 Oct, 2017 5 commits
  4. 29 Sep, 2017 1 commit
  5. 22 Sep, 2017 2 commits
  6. 13 Sep, 2017 3 commits
  7. 08 Sep, 2017 6 commits
  8. 29 Aug, 2017 1 commit
  9. 25 Aug, 2017 1 commit
  10. 08 Aug, 2017 2 commits
  11. 06 Jul, 2017 3 commits
  12. 05 Jul, 2017 3 commits
  13. 04 Jul, 2017 1 commit
  14. 03 Jul, 2017 6 commits
  15. 26 Jun, 2017 1 commit
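
The open redirect described in the message of commit fbf87a29 above, shown as an added Go example that is not gitlab-pages code: the raw request path plus a slash is compared with a Location derived from the directory that was resolved on disk. The function names, the site root and the request paths are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// unsafeLocation is the pre-fix behaviour from the commit message:
// the raw request path plus the missing trailing slash.
func unsafeLocation(requestPath string) string {
	return requestPath + "/"
}

// safeLocation builds the target from the directory actually resolved on
// disk, relative to the site root (both parameters are hypothetical).
func safeLocation(siteRoot, resolvedDir string) (string, error) {
	rel, err := filepath.Rel(siteRoot, resolvedDir)
	if err != nil {
		return "", err
	}
	rel = filepath.ToSlash(rel)
	if rel == ".." || strings.HasPrefix(rel, "../") {
		return "", fmt.Errorf("%q is outside the site root", resolvedDir)
	}
	if rel == "." {
		return "/", nil
	}
	// rel is cleaned, so exactly one leading slash is emitted.
	u := url.URL{Path: "/" + rel + "/"}
	return u.EscapedPath(), nil
}

// leavesOrigin reports whether a Location value names another authority.
func leavesOrigin(location string) bool {
	u, err := url.Parse(location)
	return err != nil || u.Scheme != "" || u.Host != ""
}

func main() {
	root := "/srv/pages/site/public" // constructed sample root
	for _, reqPath := range []string{"/docs", "//example.com"} {
		dir := filepath.Join(root, reqPath) // Join collapses the doubled slash
		safe, err := safeLocation(root, dir)
		bad := unsafeLocation(reqPath)
		fmt.Printf("%-15s unsafe=%q off-origin=%v safe=%q off-origin=%v err=%v\n",
			reqPath, bad, leavesOrigin(bad), safe, leavesOrigin(safe), err)
	}
}
```

A check like `leavesOrigin` also works as a regression test over every redirect a handler emits.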