rhodecode-enterprise-ce Files · docs/release-notes/release-notes-4.9.1.rst

auth-token: expose fetched token in unified way into request attribute....

auth-token: expose fetched token in unified way into request attribute. - This will allow re-using exposed access token for HTTP views in single place - We will support also exposing tokens from url if special _auth_token will be used as url param - We'll no longer require double logic for extraction of URL/HEADER auth-tokens and have a single place to extract it.

marcink - - Load All Authors

File last commit:

r2197:4edcf89e stable


                r4002:5f150e86

default

Download file

             release-notes-4.9.1.rst
        
                    54 lines
            
             | 1.0 KiB
            
                | text/x-rst
            
             |
                RstLexer
            
             / docs / release-notes / release-notes-4.9.1.rst
          
                    History
                
                 |
                  Source
                 | Raw
                 |Copy content
                 |Copy permalink

        marcink
    
docs: added release notes for 4.9.1

              r2197
            
      |RCE| 4.9.1 |RNS|

      -----------------

      Release Date

      ^^^^^^^^^^^^

      - 2017-10-26

      New Features

      ^^^^^^^^^^^^

      General

      ^^^^^^^

      Security

      ^^^^^^^^

      - security(critical): repo-forks: fix issue when forging fork_repo_id parameter

        could allow reading other people forks.

      - security(high): auth: don't expose full set of permissions into channelstream

        payload. Forged requests could return list of private repositories in the system.

      - security(medium): general-security: limit the maximum password input length

        to 72 characters.

      - security(medium): select2: always escape .text attributes to prevent XSS

        via branches or tags names.

      Performance

      ^^^^^^^^^^^

      - git: improve performance and reduce memory usage on large clones.

      Fixes

      ^^^^^

      - user-groups: fix potential problem with ldap group sync in external auth plugins.

      Upgrade notes

      ^^^^^^^^^^^^^

      - This release changes the maximum allowed input password to 72 characters. This

        prevent resource consumption attack. If you need longer password than 72

        characters please contact our team.

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

marcink docs: added release notes for 4.9.1	r2197	\|RCE\| 4.9.1 \|RNS\|
		-----------------

		Release Date
		^^^^^^^^^^^^

		- 2017-10-26


		New Features
		^^^^^^^^^^^^



		General
		^^^^^^^



		Security
		^^^^^^^^

		- security(critical): repo-forks: fix issue when forging fork_repo_id parameter
		could allow reading other people forks.
		- security(high): auth: don't expose full set of permissions into channelstream
		payload. Forged requests could return list of private repositories in the system.
		- security(medium): general-security: limit the maximum password input length
		to 72 characters.
		- security(medium): select2: always escape .text attributes to prevent XSS
		via branches or tags names.



		Performance
		^^^^^^^^^^^

		- git: improve performance and reduce memory usage on large clones.



		Fixes
		^^^^^


		- user-groups: fix potential problem with ldap group sync in external auth plugins.



		Upgrade notes
		^^^^^^^^^^^^^

		- This release changes the maximum allowed input password to 72 characters. This
		prevent resource consumption attack. If you need longer password than 72
		characters please contact our team.