Add patch for cve-2017-0920
This commit is contained in:
parent
3a35221826
commit
216662c34f
2 changed files with 72 additions and 0 deletions
71
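--- a/debian/patches/cve-2017-0920.patch
+++ b/debian/patches/cve-2017-0920.patch
@@ -0,0 +1,71 @@
+From 523050b6383256072364937bd61054aebca2978b Mon Sep 17 00:00:00 2001
+From: Sean McGivern <sean@gitlab.com>
+Date: Fri, 5 Jan 2018 17:55:37 +0000
+Subject: [PATCH] Merge branch '41567-projectfix' into 'security-10-3'
+
+check project access on MR create
+
+See merge request gitlab/gitlabhq!2273
+
+(cherry picked from commit 1fe2325d6ef2bced4c5e97b57691c894f38b2834)
+
+43e85f49 check project access on MR create
+---
+app/services/merge_requests/create_service.rb | 28 ++++++++++++++++++++++------
+changelogs/unreleased/projectfix.yml | 6 ++++++
+spec/features/cycle_analytics_spec.rb | 1 +
+spec/models/project_services/microsoft_teams_service_spec.rb | 4 ++++
+spec/requests/api/merge_requests_spec.rb | 26 +++++++++++++++++++-------
+spec/requests/api/v3/merge_requests_spec.rb | 26 +++++++++++++++++++-------
+spec/services/merge_requests/create_service_spec.rb | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+spec/support/slack_mattermost_notifications_shared_examples.rb | 1 +
+8 files changed, 133 insertions(+), 20 deletions(-)
+create mode 100644 changelogs/unreleased/projectfix.yml
+
+--- a/app/services/merge_requests/create_service.rb
++++ b/app/services/merge_requests/create_service.rb
+@@ -1,16 +1,12 @@
+module MergeRequests
+class CreateService < MergeRequests::BaseService
+def execute
+- # @project is used to determine whether the user can set the merge request's
+- # assignee, milestone and labels. Whether they can depends on their
+- # permissions on the target project.
+- source_project = @project
+- @project = Project.find(params[:target_project_id]) if params[:target_project_id]
++ set_projects!
+
+params[:target_project_id] ||= source_project.id
+
+merge_request = MergeRequest.new
+- merge_request.source_project = source_project
++ merge_request.source_project = @source_project
+merge_request.merge_params['force_remove_source_branch'] = params.delete(:force_remove_source_branch)
+
+create(merge_request)
+@@ -22,5 +18,25 @@
+todo_service.new_merge_request(issuable, current_user)
+issuable.cache_merge_request_closes_issues!(current_user)
+end
++
++ def set_projects!
++ # @project is used to determine whether the user can set the merge request's
++ # assignee, milestone and labels. Whether they can depends on their
++ # permissions on the target project.
++ @source_project = @project
++ @project = Project.find(params[:target_project_id]) if params[:target_project_id]
++
++ # make sure that source/target project ids are not in
++ # params so it can't be overridden later when updating attributes
++ # from params when applying quick actions
++ params.delete(:source_project_id)
++ params.delete(:target_project_id)
++
++ unless can?(current_user, :read_project, @source_project) &&
++ can?(current_user, :read_project, @project)
++
++ raise Gitlab::Access::AccessDeniedError
++ end
++ end
+end
+end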
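Review bot: The context line `params[:target_project_id] ||= source_project.id` in the first hunk of the embedded patch still refers to the local `source_project`, yet the same hunk removes `source_project = @project` and moves that value into `@source_project` inside `set_projects!`, so after this backport the name resolves only if a `source_project` method is defined elsewhere in the service (not visible here); otherwise `execute` raises NameError on every merge-request creation. Even where it does resolve, the line re-inserts `params[:target_project_id]` immediately after `set_projects!` deleted it to stop later attribute updates from overriding the target, and it sets it to the source project's id, so the project the `:read_project` check ran against (`@project`) and the target applied when `create(merge_request)` consumes params can differ. The backport should drop that line and assign the target explicitly next to the source, `merge_request.target_project = @project`, and the spec in `spec/services/merge_requests/create_service_spec.rb` should cover a cross-project MR to catch this. One further caveat on `set_projects!`: `Project.find` runs before the access check, so an unknown id raises `ActiveRecord::RecordNotFound` while an existing-but-inaccessible one raises `AccessDeniedError`; whether that difference is observable to a caller depends on how the controllers and API map those errors, which is outside this patch. The `execute` method's surrounding class definition is only partly shown in the hunk.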
|
1
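--- a/debian/patches/series
+++ b/debian/patches/series
@@ -17,3 +17,4 @@ cve-2017-0918.patch
 cve-2017-0925.patch
 cve-2017-0916.patch
 cve-2018-8971.patch
+cve-2017-0920.patch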