Add patch for cve-2017-0920
This commit is contained in:
parent
3a35221826
commit
216662c34f
2 changed files with 72 additions and 0 deletions
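--- a/debian/patches/cve-2017-0920.patch
+++ b/debian/patches/cve-2017-0920.patch
@@ -0,0 +1,71 @@
+From 523050b6383256072364937bd61054aebca2978b Mon Sep 17 00:00:00 2001
+From: Sean McGivern <sean@gitlab.com>
+Date: Fri, 5 Jan 2018 17:55:37 +0000
+Subject: [PATCH] Merge branch '41567-projectfix' into 'security-10-3'
+
+check project access on MR create
+
+See merge request gitlab/gitlabhq!2273
+
+(cherry picked from commit 1fe2325d6ef2bced4c5e97b57691c894f38b2834)
+
+43e85f49 check project access on MR create
+---
+app/services/merge_requests/create_service.rb | 28 ++++++++++++++++++++++------
+changelogs/unreleased/projectfix.yml | 6 ++++++
+spec/features/cycle_analytics_spec.rb | 1 +
+spec/models/project_services/microsoft_teams_service_spec.rb | 4 ++++
+spec/requests/api/merge_requests_spec.rb | 26 +++++++++++++++++++-------
+spec/requests/api/v3/merge_requests_spec.rb | 26 +++++++++++++++++++-------
+spec/services/merge_requests/create_service_spec.rb | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+spec/support/slack_mattermost_notifications_shared_examples.rb | 1 +
+8 files changed, 133 insertions(+), 20 deletions(-)
+create mode 100644 changelogs/unreleased/projectfix.yml
+
+--- a/app/services/merge_requests/create_service.rb
++++ b/app/services/merge_requests/create_service.rb
+@@ -1,16 +1,12 @@
+module MergeRequests
+class CreateService < MergeRequests::BaseService
+def execute
+- # @project is used to determine whether the user can set the merge request's
+- # assignee, milestone and labels. Whether they can depends on their
+- # permissions on the target project.
+- source_project = @project
+- @project = Project.find(params[:target_project_id]) if params[:target_project_id]
++ set_projects!
+
+params[:target_project_id] ||= source_project.id
+
+merge_request = MergeRequest.new
+- merge_request.source_project = source_project
++ merge_request.source_project = @source_project
+merge_request.merge_params['force_remove_source_branch'] = params.delete(:force_remove_source_branch)
+
+create(merge_request)
+@@ -22,5 +18,25 @@
+todo_service.new_merge_request(issuable, current_user)
+issuable.cache_merge_request_closes_issues!(current_user)
+end
++
++ def set_projects!
++ # @project is used to determine whether the user can set the merge request's
++ # assignee, milestone and labels. Whether they can depends on their
++ # permissions on the target project.
++ @source_project = @project
++ @project = Project.find(params[:target_project_id]) if params[:target_project_id]
++
++ # make sure that source/target project ids are not in
++ # params so it can't be overridden later when updating attributes
++ # from params when applying quick actions
++ params.delete(:source_project_id)
++ params.delete(:target_project_id)
++
++ unless can?(current_user, :read_project, @source_project) &&
++ can?(current_user, :read_project, @project)
++
++ raise Gitlab::Access::AccessDeniedError
++ end
++ end
+end
+end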
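Review bot: The first hunk of the embedded create_service.rb diff keeps `params[:target_project_id] ||= source_project.id` as an unchanged line directly after the new `set_projects!` call, yet the same hunk removes the `source_project` local and `set_projects!` explicitly deletes `params[:target_project_id]`; as written, that line either fails on the now-undefined `source_project` (unless the service happens to define a method of that name, which is not visible here) or re-inserts the target id the helper just stripped to keep quick actions from overriding it, undoing part of the fix. The backport should drop that params line and set the target on the model instead, e.g. `merge_request.target_project = @project` immediately after `merge_request = MergeRequest.new`. The diffstat inside the patch lists spec and changelog changes that this file does not carry, so nothing in the package exercises the cross-project access check; a note in the patch header saying the specs were intentionally left out would help the next maintainer. The `execute` method shown in the first hunk continues past it, so the `create(merge_request)` path that consumes `params` is outside what this patch shows.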
1
debian/patches/series
|
@ -17,3 +17,4 @@ cve-2017-0918.patch
|
|||
cve-2017-0925.patch
|
||||
cve-2017-0916.patch
|
||||
cve-2018-8971.patch
|
||||
cve-2017-0920.patch
|
||||
|
|