From 67db7fce51a8db11f5db77a5f7ff5804639b562b Mon Sep 17 00:00:00 2001
From: Pirate Praveen <praveen@debian.org>
Date: Mon, 20 Aug 2018 21:37:37 +0530
Subject: [PATCH 1/3] New upstream version 10.7.7+dfsg

---
 CHANGELOG.md                                        | 7 +++++++
 VERSION                                             | 2 +-
 lib/gitlab/import_export/file_importer.rb           | 3 ++-
 spec/lib/gitlab/import_export/file_importer_spec.rb | 7 +++++++
 4 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f0300f4dd2..3a5d2102a5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,13 @@
 documentation](doc/development/changelog.md) for instructions on adding your own
 entry.
 
+## 10.7.7 (2018-07-17)
+
+### Security (1 change)
+
+- Fix symlink vulnerability in project import.
+
+
 ## 10.7.6 (2018-06-21)
 
 ### Security (6 changes)
diff --git a/VERSION b/VERSION
index e1a586a880..bef54bc566 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-10.7.6
+10.7.7
diff --git a/lib/gitlab/import_export/file_importer.rb b/lib/gitlab/import_export/file_importer.rb
index 0f4c349803..4c411f4847 100644
--- a/lib/gitlab/import_export/file_importer.rb
+++ b/lib/gitlab/import_export/file_importer.rb
@@ -4,6 +4,7 @@ module Gitlab
       include Gitlab::ImportExport::CommandLineUtil
 
       MAX_RETRIES = 8
+      IGNORED_FILENAMES = %w(. ..).freeze
 
       def self.import(*args)
         new(*args).import
@@ -59,7 +60,7 @@ module Gitlab
       end
 
       def extracted_files
-        Dir.glob("#{@shared.export_path}/**/*", File::FNM_DOTMATCH).reject { |f| f =~ %r{.*/\.{1,2}$} }
+        Dir.glob("#{@shared.export_path}/**/*", File::FNM_DOTMATCH).reject { |f| IGNORED_FILENAMES.include?(File.basename(f)) }
       end
     end
   end
diff --git a/spec/lib/gitlab/import_export/file_importer_spec.rb b/spec/lib/gitlab/import_export/file_importer_spec.rb
index 58b9fb06cc..265937f899 100644
--- a/spec/lib/gitlab/import_export/file_importer_spec.rb
+++ b/spec/lib/gitlab/import_export/file_importer_spec.rb
@@ -7,6 +7,7 @@ describe Gitlab::ImportExport::FileImporter do
   let(:symlink_file) { "#{shared.export_path}/invalid.json" }
   let(:hidden_symlink_file) { "#{shared.export_path}/.hidden" }
   let(:subfolder_symlink_file) { "#{shared.export_path}/subfolder/invalid.json" }
+  let(:evil_symlink_file) { "#{shared.export_path}/.\nevil" }
 
   before do
     stub_const('Gitlab::ImportExport::FileImporter::MAX_RETRIES', 0)
@@ -34,6 +35,10 @@ describe Gitlab::ImportExport::FileImporter do
       expect(File.exist?(hidden_symlink_file)).to be false
     end
 
+    it 'removes evil symlinks in root folder' do
+      expect(File.exist?(evil_symlink_file)).to be false
+    end
+
     it 'removes symlinks in subfolders' do
       expect(File.exist?(subfolder_symlink_file)).to be false
     end
@@ -75,5 +80,7 @@ describe Gitlab::ImportExport::FileImporter do
     FileUtils.touch(valid_file)
     FileUtils.ln_s(valid_file, symlink_file)
     FileUtils.ln_s(valid_file, subfolder_symlink_file)
+    FileUtils.ln_s(valid_file, hidden_symlink_file)
+    FileUtils.ln_s(valid_file, evil_symlink_file)
   end
 end

From 9066e2d87e38957109d18bb0976ee2dc6f2105c4 Mon Sep 17 00:00:00 2001
From: Pirate Praveen <praveen@debian.org>
Date: Mon, 20 Aug 2018 21:38:23 +0530
Subject: [PATCH 2/3] Bump Standards-Version to 4.2.0 (no changes needed)

---
 debian/control | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debian/control b/debian/control
index a7a0f6f10c..95141da59f 100644
--- a/debian/control
+++ b/debian/control
@@ -6,7 +6,7 @@ Uploaders: Cédric Boutillier <boutil@debian.org>,
  Pirate Praveen <praveen@debian.org>,
  Balasankar C <balasankarc@autistici.org>
 Build-Depends: debhelper (>= 10~), gem2deb, bc
-Standards-Version: 4.1.4
+Standards-Version: 4.2.0
 Vcs-Git: https://salsa.debian.org/ruby-team/gitlab.git
 Vcs-Browser: https://salsa.debian.org/ruby-team/gitlab
 Homepage: https://about.gitlab.com/

From fe15e9e04fb5670d7336a87430c0ddebe66c8b45 Mon Sep 17 00:00:00 2001
From: Pirate Praveen <praveen@debian.org>
Date: Mon, 20 Aug 2018 21:51:16 +0530
Subject: [PATCH 3/3] update changelog

---
 debian/changelog | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 1090642bb9..bd032418fb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+gitlab (10.7.7+dfsg-1) experimental; urgency=medium
+
+  * New upstream version 10.7.7+dfsg (Fixes: CVE-2018-14364) (Closes: #904026)
+  * Bump Standards-Version to 4.2.0 (no changes needed)
+
+ -- Pirate Praveen <praveen@debian.org>  Mon, 20 Aug 2018 21:38:35 +0530
+
 gitlab (10.7.6+dfsg-2) experimental; urgency=medium
 
   * Support html-sanitizer >= 2.7.1 (see upstream issue 48415)