Fixed vulnerabilities labels #409

Merged: lunny merged 1 commit into go-gitea:master from lunny/fixed_vulnerabilities_labels on Dec 17, 2016

Conversation

lunny
Member

@lunny lunny commented Dec 17, 2016

No description provided.

@lunny lunny added type/bug topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! labels Dec 17, 2016
@lunny lunny added this to the 1.0.0 milestone Dec 17, 2016
@tboerger
Member

LGTM

@tboerger tboerger added the lgtm/need 1 This PR needs approval from one additional maintainer to be merged. label Dec 17, 2016
@strk
Member

strk commented Dec 17, 2016

LGTM

@tboerger tboerger added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Dec 17, 2016
@lunny lunny merged commit 7c46667 into go-gitea:master Dec 17, 2016
@lunny lunny deleted the lunny/fixed_vulnerabilities_labels branch December 17, 2016 11:49
ethantkoenig added a commit to ethantkoenig/gitea that referenced this pull request Jan 27, 2017
* Bug fix for edit-hook API endpoint

* Fixes issue go-gitea#283

Delete old temp local copy before we create a new temp local copy

* In the wiki title replace tab with a space (go-gitea#371)

* Correction LDAP validation (go-gitea#342)

* Correction LDAP username validation

As https://msdn.microsoft.com/en-us/library/aa366101(v=vs.85).aspx describes, spaces should not be at the start or at the end of a username, but they can be inside the username. So please check my solution for it.

* Check for zero length passwords in LDAP module.

According to https://tools.ietf.org/search/rfc4513#section-5.1.2 an LDAP client should always check before bind whether the password is an empty value. There is at least one LDAP implementation which does not return an error if you try to bind with a DN set and an empty password: AD.

* Clearing the login/email spaces at the [start/end]

* Autogenerate Version on build (go-gitea#190)

* Autogenerate Version On Build

* Fixes

* Changed Version to v0.9.0

* balls

* I hate newlines

* Don't remove .VERSION-file on `make clean`

* v0.9.0 => 1.0.0

* damn new-lines...

* Always rebuild templates/.VERSION

* Delete .VERSION

* Update Makefile

* bug fixed branch name for pushupdate (go-gitea#380)

* Don't use custom PBKDF2 function (go-gitea#382)

* fixed vulnerabilities (go-gitea#392)

* Update example install url from try.gogs.io to try.gitea.io (go-gitea#385)

* Update example install url from try.gogs.io to try.gitea.io

* Ask if issue can be reproduced on try.gitea.io

* Link try.gitea.io to the README

* Fixing multiple docker issues (go-gitea#386)

* Added stupid docker task to makefile

* Dropped unknown option PrintLastLog from docker ssh config

* OpenSSH should log to docker stdout

* Set random pw for docker git user, otherwise it is locked

* Stop using templates and public within docker

* Disable coverage report for now (go-gitea#395)

Until aircover gets updated so that it works again I have disabled the
coverage report upload for now.

* fixed vulnerabilities on deleting release (go-gitea#399)

* Revert "Disable coverage report for now" (go-gitea#400)

* Update gitea/sdk vendor (go-gitea#406)

* Fix typo (go-gitea#407)

* Remove fixed FIXME (go-gitea#408)

* fixed vulnerabilities labels (go-gitea#409)

* add ZH readme (go-gitea#405)

* Add support for using "libravatar" as the GravatarSource

Just to make it easier for administrator to configure libre avatar,
as it is done for "duoshuo" and "gravatar"

* serve video files using the HTML5 video tag (go-gitea#418)

* serve video files using the HTML5 video tag

* lint fix: add comment to IsVideoFile

* change test mail subject and body to 'Gitea Test Mail!'

Signed-off-by: Michael de Wit <[email protected]>

* Fix random string generator (go-gitea#384)

* Remove unused custom-alphabet feature of random string generator

Fix random string generator

Random string generator should return error if it fails to read random data via crypto/rand

* Fixes variable (un)initialization mixed assign
Update test GetRandomString

* Change default Android theme color meta tag (go-gitea#389)

* Do not override the binary version name from drone (go-gitea#436)

Signed-off-by: Thomas Boerger <[email protected]>

* Remove remaining Gogs reference on locales and cmd (go-gitea#430)

* Add Korean support (go-gitea#437)

* Add Korean support

* replace Gogs to Gitea

* Update locales (go-gitea#440)

* Update locales

* replace Gogs to Gitea

* Fix homepage docs link broken (go-gitea#417)

* fix homepage docs link broken

* fix homepage docs links after docs updated

* Fix string format verbs (go-gitea#3637)

* issue comment api fix (go-gitea#449)

* ListAllInRepo & Delete Issue-Comments

* Moar data in issue-comments

* Bug fixes and tests for modules/base (go-gitea#442)

Also address other TODOs

* UpdateIssueUsersByMentions was calling database write operations while (go-gitea#443)

a transaction session was in progress. MailParticipants was failing
silently because of the SQLITE_LOCKED error. Make sure failures in
MailParticipants enter the log, and pass on the transaction context.

issue: let caller pass in database context, and use it
issue_comment: obtain database context to pass to UpdateIssueMentions
issue_comment: log any error from call to MailParticipants
issue_mail: pass on database context to UpdateIssueMentions

* update code.gitea.io/git (go-gitea#450)

* init script gentoo (go-gitea#447)

* init script for gentoo (go-gitea#3761)

* replace Gogs to Gitea

* remove override port number

* remove port

* New settings option for a custom SSH host (go-gitea#3763) (go-gitea#446)

* New settings option for a custom SSH host (go-gitea#3763)

* let default ssh listen addr empty

* fix bug go-gitea#1122 log.smtp receiver configure error (go-gitea#3602) (go-gitea#451)

* Check if file is a symlink with web editor (go-gitea#3687) (go-gitea#445)

* Check if file is a symlink with web editor (go-gitea#3687)

* editor checks for symlinks

* translate file_is_a_symlink message

* credit translation author

* fix error constant

* fix tag webhook 404 error (go-gitea#420)

* Bindata is optional and over-writable on restart (go-gitea#354)

* Moved conf assets into options folder

* Dropped old bindata

* Started to integrate options bindata and accessors

* Do not enforce a builtin app.ini

* Replaced bindata calls with options

* Dropped bindata task from makefile, it's the generate task now

* Always embed app.ini to provide sane config defaults

* Use sane defaults for the configuration

* Defined default value for SSH_KEYGEN_PATH

* Dropped "NEVER EVER MODIFY THIS FILE" header from app.ini

* Fixed new paths in latest test additions

* Drop bindata with make clean task

* Set more proper default values

* resolved go-gitea#394 (go-gitea#396)

* Change screenshoots to Gitea (go-gitea#454)

* Fix race condition in unit test (go-gitea#456)

* Add default values for settings (go-gitea#455)

* add default values for settings

* more default values

* more default settings and labels resource

* mv locale to options

* Integrated an initial changelog (go-gitea#457)

* Simplified README and added a release badge (go-gitea#460)

* Dropped the status from readme, it's anyway always outdated

* Added version badge

* Cleaned the install instructions

* Dropped paragraphs that should be documented on the docs

* Simplified the content, refer to the website

* Dropped the logo, lets show screenshots

* Fixed TRANSLATORS link

* update zh readme (go-gitea#462)

* Fix broken godoc link and add arch in English README (go-gitea#463)

* fix broken godoc link and add arch in English README

* typo

* Fixed drone tagging

* Properly handle drone tags and release/* branches (go-gitea#466)

* Raised version to 1.1.0 (go-gitea#468)

* Enables mssql support (go-gitea#383)

* Enables mssql support

Port of dlobs work in gogs.
Enables options in index.js
Enables MSSQL as a database option in go.
Sets ID to 0 on initial migration. Required for
MSSQL insert statements.

Signed-off-by: Beau Trepp <[email protected]>

* Vendors in denisenkom/go-mssqldb

Includes golang.org/x/crypto/md4
as this is required by go-mssqldb

Signed-off-by: Beau Trepp <[email protected]>

* API Endpoint for watching (go-gitea#191)

* Bug fixes for Issues filters (go-gitea#413)

Correctly handle simultaneous assignee/poster filters, and conflicting assignee filters

* Added minimum password length to app.ini (go-gitea#223)

* Added sorting to the labels & milestones page (go-gitea#199)

* Simplified MinPasswordLength check (go-gitea#475)

* Added sorting to organizations, repos & users page (go-gitea#222)

* Organization webhook API endpoints

* Update sdk

* Implement sendmail (go-gitea#355)

* Implemented sendmail. This piggybacks on existing configuration to keep the change simple

* Changed privacy of new sendSMTP and sendSendmail functions

* Fixed Lint errors

* Separated SMTP and sendmail into their own senders

* Making new structs private as they should not be used externally now

* Added sendmail setting to ini file

* Minor code cleanup

* Provide button to delete merged pull request (go-gitea#441)

* provide button to delete merged pull request

* golint fix

* Git LFS support v2 (go-gitea#122)

* Import github.com/git-lfs/lfs-test-server as lfs module base

Imported commit is 3968aac269a77b73924649b9412ae03f7ccd3198

Removed:

Dockerfile CONTRIBUTING.md mgmt* script/ vendor/ kvlogger.go
.dockerignore .gitignore README.md

* Remove config, add JWT support from github.com/mgit-at/lfs-test-server

Imported commit f0cdcc5a01599c5a955dc1bbf683bb4acecdba83

* Add LFS settings

* Add LFS meta object model

* Add LFS routes and initialization

* Import github.com/dgrijalva/jwt-go into vendor/

* Adapt LFS module: handlers, routing, meta store

* Move LFS routes to /user/repo/info/lfs/*

* Add request header checks to LFS BatchHandler / PostHandler

* Implement LFS basic authentication

* Rework JWT secret generation / load

* Implement LFS SSH token authentication with JWT

Specification: https://github.com/github/git-lfs/tree/master/docs/api

* Integrate LFS settings into install process

* Remove LFS objects when repository is deleted

Only removes objects from content store when deleted repo is the only
referencing repository

* Make LFS module stateless

Fixes bug where LFS would not work after installation without
restarting Gitea

* Change 500 'Internal Server Error' to 400 'Bad Request'

* Change sql query to xorm call

* Remove unneeded type from LFS module

* Change internal imports to code.gitea.io/gitea/

* Add Gitea authors copyright

* Change basic auth realm to "gitea-lfs"

* Add unique indexes to LFS model

* Use xorm count function in LFS check on repository delete

* Return io.ReadCloser from content store and close after usage

* Add LFS info to runWeb()

* Export LFS content store base path

* LFS file download from UI

* Work around git-lfs client issue with unauthenticated requests

Returning a dummy Authorization header for unauthenticated requests
lets git-lfs client skip asking for auth credentials
See: git-lfs/git-lfs#1088

* Fix unauthenticated UI downloads from public repositories

* Authentication check order, Finish LFS file view logic

* Ignore LFS hooks if installed for current OS user

Fixes Gitea UI actions for repositories tracking LFS files.
Checks for minimum needed git version by parsing the semantic version
string.

* Hide LFS metafile diff from commit view, marking as binary

* Show LFS notice if file in commit view is tracked

* Add notbefore/nbf JWT claim

* Correct lint suggestions - comments for structs and functions

- Add comments to LFS model
- Function comment for GetRandomBytesAsBase64
- LFS server function comments and lint variable suggestion

* Move secret generation code out of conditional

Ensures no LFS code may run with an empty secret

* Do not hand out JWT tokens if LFS server support is disabled

* API Endpoints for collaborators (go-gitea#375)

* Improve issue references in markdown (go-gitea#471)

* Improve issue references in markdown. (go-gitea#3436)

* Fix build

* Fix lint

* Fix comment typo

* Improve the way how branches are deleted

Delete branch from HeadRepo instead of BaseRepo
Prevent the deletion of a master branch
Show a yes/no overlay when you press the delete branch button

* Added Dutch translations to the landingpage

* At the locales replaced 6 with MIN_PASSWORD_LENGTH

* fix 500 when deleting organization and resolved go-gitea#486

* fix installation page ssh domain unavailable

* Fix default cookie name

* ignore static files statistics for linguist

* Remove redundant query in collaborator API (go-gitea#516)

* Optimization for user.GetRepositoryAccesses to reduce db query times (go-gitea#495)

* optimization for user.GetRepositoryAccesses to reduce db query times

* fix missing cache

* API endpoints for organization teams (go-gitea#370)

* Replace Gogs with Gitea (go-gitea#520)

* Implementation of Folder Jumping

* Permissions bug fix for webhooks

* commithgraph / timeline (go-gitea#428)

* Add model and tests for graph

* Add route and router for graph

* Add assets for graph

* Add template for graph

* slight optimization for GetUserRepositories (go-gitea#498)

* add default values for SSH settings (go-gitea#500)

* Repo permission bug fixes (go-gitea#513)

* Cache users on list releases (go-gitea#527)

* Tab on user profile to show starred repos (go-gitea#519)

* Tab on user profile to show starred repos

* Make golint happy and use transactions on StarRepo function

* x -> sess

* Use sess.Close() instead of sess.Rollback()

* Add copyright

* Fix lint

* Speed up conflict checking in pull request creation (go-gitea#276)

* Speed up conflict checking in pull request creation

In order to check conflicts of a PR, we set up a working tree by
cloning the base branch, which is quite time-consuming when the repository is huge.
Instead, this PR uses `git read-tree` and `git apply --check --cached` to check conflicts.

For go-gitea#258

* Use $GIT_INDEX_FILE instead of --index-output to avoid lockfile problem

The lockfile gets renamed to the final destination after the operation
finishes. But it must be located in the same filesystem, which prevents
us from using /tmp.

* Temporary file names should not be prefixed with '-'

* push + pull now works with reverse proxy + basic auth on apache 2.4

* Notification - Step 1 (go-gitea#523)

* Notification - Step 1

* Add copyright headers

* Cache issue and repository on notification model

* Fix URL link on CONTRIBUTING

Signed-off-by: Thibault Meyer <[email protected]>

* Notifications - Step 2

* fix gofmt error

Signed-off-by: Bo-Yi Wu <[email protected]>

* replace go fmt with gofmt command.

Signed-off-by: Bo-Yi Wu <[email protected]>

* Updated Dutch translations

* Support http service graceful restart (go-gitea#416)

* support http service graceful restart

* fix dependencies

* API endpoints for forks (go-gitea#509)

* Restrict creating organisations by user (go-gitea#193)

* restrict creating organizations based on right on user

* revert bindata.go

* reverse vendor lib

* revert goimports change

* set AllowCreateOrganization default value to true

* revert locale

* added default value for AllowCreateOrganization

* fix typo in migration-comment

* fix comment

* add comments in migration

* fix windows build broken by go-gitea#416

* Unit tests for token and update models

* resolved go-gitea#485: when migrate empty wiki repo, then ignore (go-gitea#541)

* Fix wrong anchors for non-latin headings (go-gitea#3981) (go-gitea#512)

Change Javascript regular expression to match non-latin characters
The regex comes from here: http://stackoverflow.com/questions/150033/regular-expression-to-match-non-english-characters#comment22322603_150078

And this patch should fix these two issues: go-gitea#3919 go-gitea#3843

* resolved go-gitea#517: fix admin ui data row missing

* Replace pull request with issue at issue_template (go-gitea#547)

* Apply dockerfile updates to raspberry dockerfile (go-gitea#548)

* UI config to toggle whether user email shows up in Explore Users (go-gitea#336)

* UI config to toggle whether user email shows up in Explore Users

* Recommendation made by @tboerger
go-gitea@66a1c59#r94122732

* fixed typo, rename ShowUserEmailInExplore to ShowUserEmail

* Fixed typo merged conflict

* Hide email in the user profile page

if you are active ShowUserEmail
ref go-gitea#336 (comment)

* Please replace MustBool() with MustBool(true)

* Makefile: on Windows, executable should have ".exe" (go-gitea#550)

* Release API endpoints

* Provide description for the INSTALL_LOCK config option (go-gitea#554)

* fix config session missing data row & resolved go-gitea#517 (go-gitea#549)

* Do not get count on /api routers

* More fine grained colors

* Showing index in front of issue title

* change the default action when deleting a release to not delete tag

* Update maintainer list for LGTM

* Fix benchmarktests (go-gitea#557)

* build failed by deleting release by API (go-gitea#562)

* bug fixed for fork repos (go-gitea#560)

* Update xorm and dependencies vendor for feature to dump to other database (go-gitea#565)

* update xorm and dependencies vendor for feature to dump to other database

* fix golint

* fix bug go-gitea#564 (go-gitea#567)

* Add pagination for notifications

* fix: Remove call to set GOMAXPROCS (go-gitea#577)

* Rename .gogs to .gitea and comply with github template guidelines (go-gitea#568) (go-gitea#582)

Signed-off-by: Manuel Kuhlmann <[email protected]>

* Fix typos in models/ (go-gitea#576)

* Check primary email address fields on CreateUser (go-gitea#556)

* Check primary email address fields on CreateUser

As this check wasn't available, uid=1 (and possibly guests too, if registration is open) is able to register new users with existing email addresses. This leads to numerous 500 errors.

* Update user.go

* Lower the email first. Then check

* Fix SQL bug in models/access (go-gitea#583)

Previously got a 'relation repo_access does not exist' error in User_GetRepositoryAccesses

* Fix diff split view coloring (go-gitea#553) (go-gitea#584)

Signed-off-by: Manuel Kuhlmann <[email protected]>

* Fix unified diff view styling (go-gitea#585)

Signed-off-by: Manuel Kuhlmann <[email protected]>

* Add the note forked from gogs (go-gitea#590)

* add the note forked from gogs

* make the sentence simple

* Clone tags within drone for proper version generation (go-gitea#591)

* Added 1.0.1 to changelog (go-gitea#594)
@go-gitea go-gitea locked and limited conversation to collaborators Nov 23, 2020