[obs-commits] [openSUSE/open-build-service] 672bb9: [webui] Fix hakiri report: File Access
Branch: refs/heads/2.6
Home:   https://github.com/openSUSE/open-build-service

Commit: 672bb9d4ec6a6efb463cf80513d0217457311acc
    https://github.com/openSUSE/open-build-service/commit/672bb9d4ec6a6efb463cf8...
Author: Björn Geuken <bgeuken@suse.de>
Date:   2015-09-02 (Wed, 02 Sep 2015)

Changed paths:
  M src/api/app/controllers/webui/apidocs_controller.rb

Log Message:
-----------
[webui] Fix hakiri report: File Access

Ensure that users can't fetch files from other directories (by adding '../' to the filepath).

Commit: f8cf31d2f95b6e4c4b244221718b63e51551c957
    https://github.com/openSUSE/open-build-service/commit/f8cf31d2f95b6e4c4b2442...
Author: Björn Geuken <bgeuken@suse.de>
Date:   2015-09-02 (Wed, 02 Sep 2015)

Changed paths:
  M src/api/app/controllers/webui/package_controller.rb

Log Message:
-----------
[webui] Fix hakiri reports: File access

Conflicts:
  src/api/app/controllers/webui/package_controller.rb

Commit: b7307c2beaa7dbf4e77d063ef65e12dcbe74272e
    https://github.com/openSUSE/open-build-service/commit/b7307c2beaa7dbf4e77d06...
Author: Björn Geuken <bgeuken@suse.de>
Date:   2015-09-03 (Thu, 03 Sep 2015)

Changed paths:
  M src/api/app/controllers/webui/user_controller.rb
  M src/api/app/controllers/webui/webui_controller.rb
  M src/api/app/views/layouts/webui/_personal_navigation.html.erb
  M src/api/app/views/webui/user/login.html.erb
  M src/api/test/functional/webui/patchinfo_create_test.rb
  M src/api/test/functional/webui/signup_test.rb
  M src/api/test/functional/webui/user_controller_test.rb
  M src/api/test/test_helper.rb

Log Message:
-----------
[webui] Update OBS redirect after login

After login OBS users get redirected to the page they initially visited. So far this was done via hidden fields in the views and parameters that were processed in the controller. An attacker could use those parameters to redirect to an untrusted site. This commit stores the last visited page in the session store to avoid that kind of attack.

Conflicts:
  src/api/app/controllers/webui/user_controller.rb
  src/api/app/controllers/webui/webui_controller.rb
  src/api/test/functional/webui/signup_test.rb

Commit: ebf428c3353cd507bfcf65febe91de6b95a9b7f8
    https://github.com/openSUSE/open-build-service/commit/ebf428c3353cd507bfcf65...
Author: Adrian Schröter <adrian@suse.de>
Date:   2015-09-09 (Wed, 09 Sep 2015)

Changed paths:
  M src/api/app/controllers/webui/apidocs_controller.rb
  M src/api/app/controllers/webui/package_controller.rb
  M src/api/app/controllers/webui/user_controller.rb
  M src/api/app/controllers/webui/webui_controller.rb
  M src/api/app/views/layouts/webui/_personal_navigation.html.erb
  M src/api/app/views/webui/user/login.html.erb
  M src/api/test/functional/webui/patchinfo_create_test.rb
  M src/api/test/functional/webui/signup_test.rb
  M src/api/test/functional/webui/user_controller_test.rb
  M src/api/test/test_helper.rb

Log Message:
-----------
Merge pull request #1092 from bgeuken/26_hakiri

Hakiri fixes for 2.6 branch

Compare: https://github.com/openSUSE/open-build-service/compare/f221149afe40...ebf428...
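The redirect-after-login change described in the third commit message, modelled below as an added Ruby example (not code from the OBS commits): the parameter-driven version the commit replaces, next to a version that keeps the destination in the server-side session. The function names, the plain Hash standing in for the Rails session, and the extra same-site path check are assumptions made here, not details taken from the commit.

```ruby
require 'uri'

# Added example, not OBS code. Plain Ruby stand-in for the two redirect
# strategies the commit message describes; `session` and `params` are Hashes.

# Before the fix: the login form carried the destination in a hidden field,
# so the controller redirected to whatever the request parameter said.
# Whoever crafts the link to the login page therefore picks the destination.
def redirect_after_login_from_params(params)
  params['return_to'] || '/'
end

# After the fix, step 1: when an unauthenticated user requests a protected
# page, the server records the path it observed itself in the session store.
def remember_requested_page(session, request_path)
  session[:return_to] = request_path
end

# After the fix, step 2: on successful login the stored path is consumed
# once. The value was written by the server, but as defence in depth (an
# assumption added here, not part of the commit) only a same-site path is
# honoured: absolute URLs, protocol-relative "//host" forms and values the
# URI parser rejects all fall back to the front page.
def redirect_after_login_from_session(session)
  target = session.delete(:return_to)
  return '/' if target.nil?

  uri = begin
    URI.parse(target)
  rescue URI::InvalidURIError
    nil
  end
  return '/' unless uri && uri.scheme.nil? && uri.host.nil?
  return '/' unless target.start_with?('/') && !target.start_with?('//')

  target
end
```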