[DRE-commits] [gitlab] 01/01: Revert "Fix CVE-2017-8778"

Balasankar C balasankarc-guest at moszumanska.debian.org
Sat May 6 17:32:33 UTC 2017 

This is an automated email from the git hooks/post-receive script.

balasankarc-guest pushed a commit to branch master
in repository gitlab.

commit 7cf57f4eb845ac05f89d50c9f97df699a3ef5448
Author: Balasankar C <balasankarc at autistici.org>
Date:   Sat May 6 23:02:07 2017 +0530

    Revert "Fix CVE-2017-8778"
    
    This reverts commit 7241318db49ec356f31dac96345a4ff730d313f0.
---
 debian/changelog                   |  7 ---
 debian/patches/cve-2017-8778.patch | 87 --------------------------------------
 debian/patches/series              |  1 -
 3 files changed, 95 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 3760828..7788c76 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,10 +1,3 @@
-gitlab (8.13.11+dfsg1-6) UNRELEASED; urgency=medium
-
-  * Team upload.
-  * Fix CVE-2017-8778 (Closes: #861870)
-
- -- Balasankar C <balasankarc at autistici.org>  Fri, 05 May 2017 23:55:26 +0530
-
 gitlab (8.13.11+dfsg1-5) unstable; urgency=medium
 
   * Fix letsencrypt email handling in config
diff --git a/debian/patches/cve-2017-8778.patch b/debian/patches/cve-2017-8778.patch
deleted file mode 100644
index 60cf64c..0000000
--- a/debian/patches/cve-2017-8778.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-Description: Patch against CVE-2017-8778
-Author: Brian Neel <brian at gitlab.com>
-Origin: <upstream|backport|vendor|other>, <URL, required except if Author is present>
-Bug: https://gitlab.com/gitlab-org/gitlab-ce/issues/27471
-Applied-Upstream: https://gitlab.com/gitlab-org/gitlab-ce/commit/dd944bf14f4a0fd555db32d5833325fa459d9565
-Last-Update: 2017-05-05
----
-This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
---- a/app/uploaders/file_uploader.rb
-+++ b/app/uploaders/file_uploader.rb
-@@ -36,7 +36,7 @@
-     escaped_filename = filename.gsub("]", "\\]")
-
-     markdown = "[#{escaped_filename}](#{self.secure_url})"
--    markdown.prepend("!") if image_or_video?
-+    markdown.prepend("!") if image_or_video? || dangerous?
-
-     {
-       alt:      filename,
---- a/app/uploaders/uploader_helper.rb
-+++ b/app/uploaders/uploader_helper.rb
-@@ -7,11 +7,19 @@
-   # on IE >= 9.
-   # http://archive.sublimevideo.info/20150912/docs.sublimevideo.net/troubleshooting.html
-   VIDEO_EXT = %w[mp4 m4v mov webm ogv]
-+  # These extension types can contain dangerous code and should only be embedded inline with
-+  # proper filtering. They should always be tagged as "Content-Disposition: attachment", not "inline".
-+  DANGEROUS_EXT = %w[svg]
-+
-
-   def image?
-     extension_match?(IMAGE_EXT)
-   end
-
-+  def dangerous?
-+    extension_match?(DANGEROUS_EXT)
-+  end
-+
-   def video?
-     extension_match?(VIDEO_EXT)
-   end
---- a/spec/controllers/uploads_controller_spec.rb
-+++ b/spec/controllers/uploads_controller_spec.rb
-@@ -4,6 +4,28 @@
-   let!(:user) { create(:user, avatar: fixture_file_upload(Rails.root + "spec/fixtures/dk.png", "image/png")) }
-
-   describe "GET show" do
-+    context 'Content-Disposition security measures' do
-+      let(:project) { create(:empty_project, :public) }
-+
-+      context 'for PNG files' do
-+        it 'returns Content-Disposition: inline' do
-+          note = create(:note, :with_attachment, project: project)
-+          get :show, model: 'note', mounted_as: 'attachment', id: note.id, filename: 'image.png'
-+
-+          expect(response['Content-Disposition']).to start_with('inline;')
-+        end
-+      end
-+
-+      context 'for SVG files' do
-+        it 'returns Content-Disposition: attachment' do
-+          note = create(:note, :with_svg_attachment, project: project)
-+          get :show, model: 'note', mounted_as: 'attachment', id: note.id, filename: 'image.svg'
-+
-+          expect(response['Content-Disposition']).to start_with('attachment;')
-+        end
-+      end
-+    end
-+
-     context "when viewing a user avatar" do
-       context "when signed in" do
-         before do
---- a/spec/factories/notes.rb
-+++ b/spec/factories/notes.rb
-@@ -83,7 +83,11 @@
-     end
-
-     trait :with_attachment do
--      attachment { fixture_file_upload(Rails.root + "spec/fixtures/dk.png", "`/png") }
-+      attachment { fixture_file_upload(Rails.root + "spec/fixtures/dk.png", "image/png") }
-+    end
-+
-+    trait :with_svg_attachment do
-+      attachment { fixture_file_upload(Rails.root + "spec/fixtures/unsanitized.svg", "image/svg+xml") }
-     end
-   end
- end
diff --git a/debian/patches/series b/debian/patches/series
index e1c69c4..d846552 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,4 +10,3 @@ pid-log-paths.patch
 0210-use-jquery-ui-rails6.patch
 0300-git-2-11-support.patch
 cve-2017-0882.patch
-cve-2017-8778.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ruby-extras/gitlab.git

More information about the Pkg-ruby-extras-commits mailing list