Branch: refs/heads/2.6
Home: https://github.com/openSUSE/open-build-service
Commit: 672bb9d4ec6a6efb463cf80513d0217457311acc
https://github.com/openSUSE/open-build-service/commit/672bb9d4ec6a6efb463cf8...
Author: Björn Geuken
Date: 2015-09-02 (Wed, 02 Sep 2015)
Changed paths:
M src/api/app/controllers/webui/apidocs_controller.rb
Log Message:
-----------
[webui] Fix hakiri report: File Access
Ensure that users can't fetch files from other directories (by adding '../' to the filepath).
Commit: f8cf31d2f95b6e4c4b244221718b63e51551c957
https://github.com/openSUSE/open-build-service/commit/f8cf31d2f95b6e4c4b2442...
Author: Björn Geuken
Date: 2015-09-02 (Wed, 02 Sep 2015)
Changed paths:
M src/api/app/controllers/webui/package_controller.rb
Log Message:
-----------
[webui] Fix hakiri reports: File access
Conflicts:
src/api/app/controllers/webui/package_controller.rb
Commit: b7307c2beaa7dbf4e77d063ef65e12dcbe74272e
https://github.com/openSUSE/open-build-service/commit/b7307c2beaa7dbf4e77d06...
Author: Björn Geuken
Date: 2015-09-03 (Thu, 03 Sep 2015)
Changed paths:
M src/api/app/controllers/webui/user_controller.rb
M src/api/app/controllers/webui/webui_controller.rb
M src/api/app/views/layouts/webui/_personal_navigation.html.erb
M src/api/app/views/webui/user/login.html.erb
M src/api/test/functional/webui/patchinfo_create_test.rb
M src/api/test/functional/webui/signup_test.rb
M src/api/test/functional/webui/user_controller_test.rb
M src/api/test/test_helper.rb
Log Message:
-----------
[webui] Update OBS redirect after login
After login OBS users get redirected to the page they initially visited. So far
this was done via hidden fields in the views and parameters that were processed
in the controller.
An attacker could use those parameters to redirect to an untrusted site.
This commit stores the last visited page in the session store to avoid that kind
of attack.
Conflicts:
src/api/app/controllers/webui/user_controller.rb
src/api/app/controllers/webui/webui_controller.rb
src/api/test/functional/webui/signup_test.rb
Commit: ebf428c3353cd507bfcf65febe91de6b95a9b7f8
https://github.com/openSUSE/open-build-service/commit/ebf428c3353cd507bfcf65...
Author: Adrian Schröter
Date: 2015-09-09 (Wed, 09 Sep 2015)
Changed paths:
M src/api/app/controllers/webui/apidocs_controller.rb
M src/api/app/controllers/webui/package_controller.rb
M src/api/app/controllers/webui/user_controller.rb
M src/api/app/controllers/webui/webui_controller.rb
M src/api/app/views/layouts/webui/_personal_navigation.html.erb
M src/api/app/views/webui/user/login.html.erb
M src/api/test/functional/webui/patchinfo_create_test.rb
M src/api/test/functional/webui/signup_test.rb
M src/api/test/functional/webui/user_controller_test.rb
M src/api/test/test_helper.rb
Log Message:
-----------
Merge pull request #1092 from bgeuken/26_hakiri
Hakiri fixes for 2.6 branch
Compare: https://github.com/openSUSE/open-build-service/compare/f221149afe40...ebf428...
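
The change described in commit b7307c2 ("[webui] Update OBS redirect after login"), sketched as an added example in plain Ruby; this is not code from the OBS repository. The class `LoginFlow`, its method names, the `return_to` key and the sample paths are all hypothetical, and the session is modeled as a simple hash.

```ruby
require 'uri'

# Constructed stand-in for a web app's login flow (hypothetical, not OBS code).
class LoginFlow
  DEFAULT_PATH = '/'

  def initialize
    @session = {} # models the server-side session store for one user
  end

  # Called while the user browses before logging in: the server records the
  # path it served itself, and only if it is a local path.
  def remember_page(request_path)
    @session[:return_to] = request_path if local_path?(request_path)
  end

  # "Before" pattern: the target is read from a request parameter
  # (for example a hidden form field), so the client controls it.
  def login_redirect_from_param(params)
    params['return_to'] || DEFAULT_PATH
  end

  # "After" pattern: request parameters are ignored; the target comes from
  # the session and is consumed so it cannot be replayed.
  def login_redirect_from_session(_params)
    @session.delete(:return_to) || DEFAULT_PATH
  end

  private

  # Accept only absolute paths on this site: no scheme, no host,
  # no protocol-relative "//host" form, no backslashes.
  def local_path?(path)
    return false unless path.is_a?(String) && path.start_with?('/')
    return false if path.start_with?('//') || path.include?('\\')

    uri = URI.parse(path)
    uri.scheme.nil? && uri.host.nil?
  rescue URI::InvalidURIError
    false
  end
end
```

The path check in `remember_page` is an extra safeguard added in this example; the commit message itself only states that the last visited page moves into the session store.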