From 563fec734912d81cd7caea6fa8ec2b397fb72a9b Mon Sep 17 00:00:00 2001
From: Dmitriy Zaporozhets
Date: Thu, 3 Apr 2014 13:03:16 +0300
Subject: [PATCH 1/9] Disable compression to prevent BREACH attack
Signed-off-by: Dmitriy Zaporozhets
---
 lib/support/nginx/gitlab | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/lib/support/nginx/gitlab b/lib/support/nginx/gitlab
index 5bff362da0e..6b31dbd4304 100644
--- a/lib/support/nginx/gitlab
+++ b/lib/support/nginx/gitlab
@@ -42,6 +42,9 @@ server {
 # if a file, which is not found in the root folder is requested,
 # then the proxy pass the request to the upsteam (gitlab unicorn)
 location @gitlab {
+ # We need this to prevent BREACH attack
+ gzip off;
+
 proxy_read_timeout 300; # Some requests take more than 30 seconds.
 proxy_connect_timeout 300; # Some requests take more than 30 seconds.
 proxy_redirect off;
From 6d196962670b35ea48588aad3cfdb6f2d11febab Mon Sep 17 00:00:00 2001
From: Job van der Voort
Date: Mon, 7 Apr 2014 16:03:49 +0200
Subject: [PATCH 2/9] Fix faulty namespaces
---
 db/migrate/20140407135544_fix_namespaces.rb | 10 ++++++++++
 db/schema.rb | 2 +-
 2 files changed, 11 insertions(+), 1 deletion(-)
 create mode 100644 db/migrate/20140407135544_fix_namespaces.rb
diff --git a/db/migrate/20140407135544_fix_namespaces.rb b/db/migrate/20140407135544_fix_namespaces.rb
new file mode 100644
index 00000000000..6207cf18d65
--- /dev/null
+++ b/db/migrate/20140407135544_fix_namespaces.rb
@@ -0,0 +1,10 @@
+class FixNamespaces < ActiveRecord::Migration
+ def up
+ Namespace.where('name <> path and type is null').each do |namespace|
+ namespace.update_attribute(:name, namespace.path)
+ end
+ end
+
+ def down
+ end
+end
diff --git a/db/schema.rb b/db/schema.rb
index d8a9d1863fc..9033aa92ac9 100644
--- a/db/schema.rb
+++ b/db/schema.rb
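Review bot: `gzip off;` inside `location @gitlab` only stops nginx itself from compressing the responses it proxies from Unicorn; if the application stack compresses its own output (a Rack deflater middleware, for instance) nginx passes that through untouched and this directive does not mitigate BREACH, so the protection should be confirmed end to end rather than assumed from this one line. The comment would also be more durable if it named the condition so an admin does not drop the directive as a performance tweak: `# Do not compress proxied (dynamic) responses: over TLS, compressing a page that carries a secret such as the CSRF token next to attacker-influenced text enables the BREACH attack.` Static files served from the root before this location is reached are not affected by a location-level `gzip off`, which is acceptable since they carry no per-user secrets. The enclosing `server` block continues outside the hunk.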
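Review bot: `Namespace.where(...).each` in `up` runs through the live application model, so the migration inherits whatever validations, callbacks and scopes `Namespace` has whenever it is eventually run, and `update_attribute` skips validations (while, in Rails, still running save callbacks); if invalid names are what produced the 500, a comment should say the bypass is deliberate and that `path` is trusted to be a valid `name`. Prefer `find_each` over `each` so the fix does not load every affected row at once, and consider a minimal model declared inside the migration instead of the app class so later changes to `Namespace` cannot break this migration. `down` is empty, so a rollback silently leaves the rewritten names in place; a one-line `# Data fix only: the previous names are not recoverable on rollback` would make that explicit.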
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.

-ActiveRecord::Schema.define(version: 20140313092127) do
+ActiveRecord::Schema.define(version: 20140407135544) do

 # These are extensions that must be enabled in order to support this database
 enable_extension "plpgsql"
From 52cf11b9f2f22218abd79aa3936ddb7f0d6cee59 Mon Sep 17 00:00:00 2001
From: Job van der Voort
Date: Mon, 7 Apr 2014 14:26:52 +0000
Subject: [PATCH 3/9] add a space
---
 db/migrate/20140407135544_fix_namespaces.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/db/migrate/20140407135544_fix_namespaces.rb b/db/migrate/20140407135544_fix_namespaces.rb
index 6207cf18d65..8c4f2b0f6b1 100644
--- a/db/migrate/20140407135544_fix_namespaces.rb
+++ b/db/migrate/20140407135544_fix_namespaces.rb
@@ -1,10 +1,10 @@
 class FixNamespaces < ActiveRecord::Migration
 def up
 Namespace.where('name <> path and type is null').each do |namespace|
- namespace.update_attribute(:name, namespace.path)
+ namespace.update_attribute(:name, namespace.path)
 end
 end

 def down
 end
-end
+end
\ No newline at end of file
From 459e62959107ff407693d62e6dceae8eb26dc0b6 Mon Sep 17 00:00:00 2001
From: Cyril Rohr
Date: Tue, 1 Apr 2014 16:49:16 +0100
Subject: [PATCH 4/9] Fix Procfile to be usable in production.
---
 Procfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Procfile b/Procfile
index 18df7e78f9b..7ca70960502 100644
--- a/Procfile
+++ b/Procfile
@@ -1,2 +1,2 @@
-web: bundle exec unicorn_rails -p $PORT -E development -c config/unicorn_development.rb
+web: bundle exec unicorn_rails -p ${PORT} -E ${RAILS_ENV} -c ${UNICORN_CONFIG:="config/unicorn.rb"}
 worker: bundle exec sidekiq -q post_receive,mailer,system_hook,project_web_hook,common,default,gitlab_shell
From 5307dd5f74236fc48b64080d3191cba1ebe4315e Mon Sep 17 00:00:00 2001
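Review bot: `-E ${RAILS_ENV}` on the new `web:` line has no fallback, so when `RAILS_ENV` is unset the unquoted expansion disappears under word splitting and unicorn_rails is left with `-E -c config/unicorn.rb`, which either aborts or starts under an unintended environment; `UNICORN_CONFIG` was given a default on the same line, so this one should get one too. For a Procfile meant for production the safe default is the restrictive one, `-E ${RAILS_ENV:-production}`, rather than silently falling back to development on a server. `${UNICORN_CONFIG:="config/unicorn.rb"}` also uses `:=`, which assigns into the shell as a side effect; the substitute-only form is the conventional one here, `-c ${UNICORN_CONFIG:-config/unicorn.rb}`.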
From: Dmitriy Zaporozhets
Date: Mon, 7 Apr 2014 15:47:20 +0000
Subject: [PATCH 5/9] Comment gzip: off be default
---
 lib/support/nginx/gitlab | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/lib/support/nginx/gitlab b/lib/support/nginx/gitlab
index 6b31dbd4304..f64c8d5883c 100644
--- a/lib/support/nginx/gitlab
+++ b/lib/support/nginx/gitlab
@@ -42,8 +42,9 @@ server {
 # if a file, which is not found in the root folder is requested,
 # then the proxy pass the request to the upsteam (gitlab unicorn)
 location @gitlab {
- # We need this to prevent BREACH attack
- gzip off;
+ # If you use https make sure you disable gzip compression
+ # to be safe against BREACH attack
+ # gzip off;

 proxy_read_timeout 300; # Some requests take more than 30 seconds.
 proxy_connect_timeout 300; # Some requests take more than 30 seconds.
@@ -66,5 +67,4 @@ server {
 }

 error_page 502 /502.html;
-}
-
+}
\ No newline at end of file
From 3befe6ec339651feedc8437b5bb10d473c3e3f66 Mon Sep 17 00:00:00 2001
From: Dmitriy Zaporozhets
Date: Mon, 7 Apr 2014 18:57:57 +0300
Subject: [PATCH 6/9] Fix show/hide discussion link
Signed-off-by: Dmitriy Zaporozhets
---
 .../projects/notes/_discussion.html.haml | 21 +++++--------------
 1 file changed, 5 insertions(+), 16 deletions(-)
diff --git a/app/views/projects/notes/_discussion.html.haml b/app/views/projects/notes/_discussion.html.haml
index 9b1f4d77587..78793eb860f 100644
--- a/app/views/projects/notes/_discussion.html.haml
+++ b/app/views/projects/notes/_discussion.html.haml
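Review bot: Commenting out `gzip off;` makes the shipped config compress proxied GitLab responses by default, so any HTTPS deployment that copies this file without reading the comment is exposed to BREACH; the safer default is to leave the directive active and let admins opt back into compression, since the cost is only bandwidth on dynamic pages. If it stays commented, the comment should at least state the condition precisely so it is not dismissed as optional tuning: `# BREACH: over TLS, compressing a response that contains a secret (e.g. the CSRF token) next to attacker-controlled text lets the secret be recovered. Keep gzip off for proxied responses when serving HTTPS.` This location-level directive also governs only what nginx compresses; if the application compresses its own output, uncommenting it does not help. The enclosing `server` block continues outside the hunk.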
@@ -1,13 +1,10 @@
 - note = discussion_notes.first
-.discussion.js-details-container.js-toggler-container.open{ class: note.discussion_id }
+.discussion.js-toggle-container{ class: note.discussion_id }
 .discussion-header
 .discussion-actions
- = link_to "javascript:;", class: "js-details-target turn-on js-toggler-target" do
- %i.icon-eye-close
- Hide discussion
- = link_to "javascript:;", class: "js-details-target turn-off js-toggler-target" do
- %i.icon-eye-open
- Show discussion
+ = link_to "#", class: "js-toggle-button" do
+ %i.icon-chevron-up
+ Show/hide discussion
 = image_tag avatar_icon(note.author_email), class: "avatar s32"
 %div
 = link_to_member(@project, note.author, avatar: false)
@@ -33,7 +30,7 @@
 = link_to_member(@project, last_note.author, avatar: false)
 %span.discussion-last-update
 #{time_ago_with_tooltip(last_note.updated_at, 'bottom', 'discussion_updated_ago')}
- .discussion-body
+ .discussion-body.js-toggle-content
 - if note.for_diff_line?
 - if note.active?
 = render "projects/notes/discussion_diff", discussion_notes: discussion_notes, note: note
@@ -47,11 +44,3 @@
 .notes{ rel: discussion_notes.first.discussion_id }
 = render discussion_notes
 = render "projects/notes/discussion_reply_button", note: discussion_notes.first
-
- -# will be shown when the other one is hidden
- .discussion-hidden.content.hide
- .note
- %em Hidden discussion.
- = link_to "javascript:;", class: "js-details-target js-toggler-target" do
- %i.icon-eye-open
- Show
From d70939f6806ed388444309def47c170fa02c5591 Mon Sep 17 00:00:00 2001
From: Dmitriy Zaporozhets
Date: Mon, 7 Apr 2014 18:59:10 +0300
Subject: [PATCH 7/9] Remove unnecessary sign *
Signed-off-by: Dmitriy Zaporozhets
---
 app/views/devise/sessions/_oauth_providers.html.haml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/views/devise/sessions/_oauth_providers.html.haml b/app/views/devise/sessions/_oauth_providers.html.haml
index f4556eea4a2..935bc6af505 100644
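Review bot: `link_to "#", class: "js-toggle-button"` depends on the click handler bound to `js-toggle-button` calling `preventDefault`; if it does not, every toggle also follows `#`, scrolls to the top and appends a fragment to the URL. That handler is not visible from this hunk, so please confirm it, or render the control as a `%button` so no navigation is involved. Replacing the `javascript:;` hrefs is otherwise a welcome change, since such URLs are blocked under a Content-Security-Policy without `unsafe-inline`. The single static `%i.icon-chevron-up` no longer reflects the open/closed state the two old icons conveyed; a short template comment such as `-# icon state is toggled by the js-toggle-button handler` (if that is what happens) would make the intent clear. The template continues past the first hunk.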
--- a/app/views/devise/sessions/_oauth_providers.html.haml
+++ b/app/views/devise/sessions/_oauth_providers.html.haml
@@ -2,7 +2,7 @@
 - if providers.present?
 %hr
 %div{:'data-no-turbolink' => 'data-no-turbolink'}
- %span Sign in with*:  
+ %span Sign in with:  
 - providers.each do |provider|
 %span
 - if default_providers.include?(provider)
From d92e4830f78018b3a38bc448aaec4a045f4d3d62 Mon Sep 17 00:00:00 2001
From: Dmitriy Zaporozhets
Date: Mon, 7 Apr 2014 19:11:02 +0300
Subject: [PATCH 8/9] Allow people to remove source branch of fork project in MR
Signed-off-by: Dmitriy Zaporozhets
---
 app/controllers/projects/merge_requests_controller.rb | 10 +++++-----
 app/models/merge_request.rb | 2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/app/controllers/projects/merge_requests_controller.rb b/app/controllers/projects/merge_requests_controller.rb
index d6402dd217d..872b9500130 100644
--- a/app/controllers/projects/merge_requests_controller.rb
+++ b/app/controllers/projects/merge_requests_controller.rb
@@ -216,7 +216,7 @@ class Projects::MergeRequestsController < Projects::ApplicationController
 end

 def allowed_to_merge?
- allowed_to_push_code?(project)
+ allowed_to_push_code?(project, @merge_request.target_branch)
 end

 def invalid_mr
@@ -225,17 +225,17 @@ class Projects::MergeRequestsController < Projects::ApplicationController
 end

 def allowed_to_remove_source_branch?
- allowed_to_push_code?(@merge_request.source_project) &&
+ allowed_to_push_code?(@merge_request.source_project, @merge_request.source_branch) &&
 !@merge_request.disallow_source_branch_removal?
 end

- def allowed_to_push_code?(project)
- action = if project.protected_branch?(@merge_request.target_branch)
+ def allowed_to_push_code?(project, branch)
+ action = if project.protected_branch?(branch)
 :push_code_to_protected_branches
 else
 :push_code
 end

- can?(current_user, action, @project)
+ can?(current_user, action, project)
 end
 end
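Review bot: `allowed_to_push_code?(@merge_request.source_project, @merge_request.source_branch)` in `allowed_to_remove_source_branch?` calls `project.protected_branch?(branch)` on whatever `source_project` is, so if a source project can be nil (a fork deleted after the merge request was opened) this raises `NoMethodError` instead of returning false; I cannot tell from this hunk whether the model guarantees a source project, and if it does not, a guard such as `return false unless @merge_request.source_project` belongs at the top of that method. The change from `@project` to `project` in `can?(current_user, action, project)` is the substantive fix here, since the permission is now evaluated against the project that owns the branch rather than always the target project, and it deserves a comment so nobody "simplifies" it back: `# Authorize against the project that owns the branch (source or target), not the MR's target project.` `allowed_to_merge?` and `invalid_mr` are only partly visible; the class continues outside the hunks.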
diff --git a/app/models/merge_request.rb b/app/models/merge_request.rb
index 0decc7782ee..1ec76dbd39a 100644
--- a/app/models/merge_request.rb
+++ b/app/models/merge_request.rb
@@ -210,7 +210,7 @@ class MergeRequest < ActiveRecord::Base
 end

 def disallow_source_branch_removal?
- (source_project.root_ref? source_branch) || for_fork?
+ source_project.root_ref?(source_branch) || source_project.protected_branches.include?(source_branch)
 end

 def project
From be6cee2354140a889781c824caa151dc60a24a6d Mon Sep 17 00:00:00 2001
From: Job van der Voort
Date: Mon, 7 Apr 2014 18:24:08 +0200
Subject: [PATCH 9/9] add namespace fix to changelog
---
 CHANGELOG | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG b/CHANGELOG
index f0a72710a92..80356beb190 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -11,6 +11,7 @@ v 6.8.0
 - Fix popen bug in `rake gitlab:satellites:create`
 - Disable connection reaping for MySQL
 - Allow oauth signup without email for twitter and github
+ - Fix faulty namespace names that caused 500 on user creation

 v 6.7.3
 - Fix the merge notification email not being sent (Pierre de La Morinerie)
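Review bot: `source_project.protected_branches.include?(source_branch)` compares `source_branch`, a branch name string, against the elements of `protected_branches`; if that is the ActiveRecord association of protected-branch records, which the `project.protected_branch?(branch)` helper used in the controller part of this same patch suggests, the comparison is record-versus-String and is always false, so this guard never fires and the only thing preventing removal of a protected source branch is the controller's `:push_code_to_protected_branches` permission check. Use the name-based helper instead: `source_project.root_ref?(source_branch) || source_project.protected_branch?(source_branch)`. Please confirm what `protected_branches` actually returns; if it is already a list of names, a comment saying so would spare the next reader the same question. `disallow_source_branch_removal?` is fully inside the hunk; the class continues outside it.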