# HG changeset patch
# User Marcin Kuzminski
# Date 2018-05-17 10:05:10
# Node ID 4b0930b4ae21dd74f0011ae85e9d074294c99740
# Parent f690c910fbdebc8440a83dad2f6df81c5879ba75
# Parent 202306da02b06680a8bc07d6ab05c8c00c4bdbd2
release: merge back stable branch into default
diff --git a/.hgtags b/.hgtags
--- a/.hgtags
+++ b/.hgtags
@@ -37,3 +37,4 @@ 8fbd8b0c3ddc2fa4ac9e4ca16942a03eb593df2d
 f0609aa5d5d05a1ca2f97c3995542236131c9d8a v4.11.6
 b5b30547d90d2e088472a70c84878f429ffbf40d v4.12.0
 9072253aa8894d20c00b4a43dc61c2168c1eff94 v4.12.1
+6a517543ea9ef9987d74371bd2a315eb0b232dc9 v4.12.2
diff --git a/docs/release-notes/release-notes-4.12.0.rst b/docs/release-notes/release-notes-4.12.0.rst
--- a/docs/release-notes/release-notes-4.12.0.rst
+++ b/docs/release-notes/release-notes-4.12.0.rst
@@ -32,7 +32,7 @@ New Features prevent problems when connection to LDAP is not stable causing RhodeCode instances to freeze waiting on LDAP connections. - User groups: expose public user group profiles. Allows to see members of a user - groups by other team members, if they have proper permissions. + group by other team members, if they have proper permissions. - UI: show pull request page in quick nav menu on my account for quicker access. - UI: hidden/outdated comments now have visible markers next to line numbers. This allows access to them without showing all hidden comments.
@@ -99,7 +99,7 @@ Performance ^^^^^^^^^^^ - Diffs: don't use recurred diffset attachment in diffs. This makes -this structure much harder to garbage collect. Reduces memory usage. + this structure much harder to garbage collect. Reduces memory usage. - Diff cache: added caching for better performance of large pull requests. 
@@ -114,7 +114,7 @@ Fixes - Pull requests: fixed cases with default expected refs are closed or unavailable. For Mercurial with closed default branch a compare across forks could fail. - Core: properly report 502 errors for gevent and gunicorn. - Gevent wtih Gunicorn doesn't raise normal pycurl errors. + Gevent with Gunicorn doesn't raise normal pycurl errors. - Auth plugins: fixed problem with cache of settings in multi-worker mode. The previous implementation had a bug that cached the settings in each class, caused not refreshing the update of settings in multi-worker mode. @@ -130,14 +130,15 @@ Upgrade notes ^^^^^^^^^^^^^ - This release adds support for SVN hook. This required lots of changes on how we -handle SVN protocol. We did thoughtful tests for SVN compatibility. -Please be advised to check the behaviour of SVN repositories during this update. + handle SVN protocol. We did thoughtful tests for SVN compatibility. + Please be advised to check the behaviour of SVN repositories during this update. A check and migrate of SVN hooks is required. In order to do so, please execute `Rescan filesystem` from admin > settings > Remap and Rescan. This will migrate all SVN hook to latest available version. To migrate single repository only, please go to the following url: `your-rhodecode-server.com/REPO_NAME/settings/advanced/hooks` -- Diff caches are turned off by default for backward compatibility. We however recommend -turning them on either individually for bigger repositories or globally for every repository. -This setting can be found in admin > settings > vcs, or repository > settings > vcs +- Diff caches are turned off by default for backward compatibility. + We however recommend turning them on either individually for bigger + repositories or globally for every repository. + This setting can be found in admin > settings > vcs, or repository > settings > vcs 
diff --git a/docs/release-notes/release-notes-4.12.2.rst b/docs/release-notes/release-notes-4.12.2.rst
new file mode 100644
--- /dev/null
+++ b/docs/release-notes/release-notes-4.12.2.rst
@@ -0,0 +1,41 @@
+|RCE| 4.12.2 |RNS|
+------------------
+
+Release Date
+^^^^^^^^^^^^
+
+- 2018-05-16
+
+
+New Features
+^^^^^^^^^^^^
+
+
+
+General
+^^^^^^^
+
+- Jenkins: further improve handling of proxied Jenkins server.
+
+
+Security
+^^^^^^^^
+
+- SSH: fixed found problem with key-storage that could allow remote logins
+ performed by rhodecode authorized users with specially crafted SSH Keys.
+
+
+Performance
+^^^^^^^^^^^
+
+
+
+Fixes
+^^^^^
+
+
+
+Upgrade notes
+^^^^^^^^^^^^^
+
+- Unscheduled release addressing found security problem.
diff --git a/docs/release-notes/release-notes.rst b/docs/release-notes/release-notes.rst
--- a/docs/release-notes/release-notes.rst
+++ b/docs/release-notes/release-notes.rst
@@ -9,6 +9,7 @@ Release Notes
 .. toctree::
 :maxdepth: 1
+ release-notes-4.12.2.rst
 release-notes-4.12.1.rst
 release-notes-4.12.0.rst
 release-notes-4.11.6.rst
diff --git a/rhodecode/apps/admin/views/users.py b/rhodecode/apps/admin/views/users.py
--- a/rhodecode/apps/admin/views/users.py
+++ b/rhodecode/apps/admin/views/users.py
@@ -835,7 +835,7 @@ class UsersView(UserAppView):
 fingerprint = key.hash_md5()
 ssh_key = SshKeyModel().create(
- c.user.user_id, fingerprint, key_data, description)
+ c.user.user_id, fingerprint, key.keydata, description)
 ssh_key_data = ssh_key.get_api_data()
 audit_logger.store_web(
diff --git a/rhodecode/apps/my_account/views/my_account_ssh_keys.py b/rhodecode/apps/my_account/views/my_account_ssh_keys.py
--- a/rhodecode/apps/my_account/views/my_account_ssh_keys.py
+++ b/rhodecode/apps/my_account/views/my_account_ssh_keys.py
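Review bot: The switch to `key.keydata` on the `SshKeyModel().create(` call fixes what this admin view stores, but the invariant that only the parsed key's canonical text is persisted now lives in each caller rather than in the model, and the identical one-word edit had to be repeated in my_account_ssh_keys.py; any other caller of `SshKeyModel.create` that still passes raw submitted text (an API method, if one exists) would keep the original problem. Consider moving the parse into `SshKeyModel.create` itself, or having it reject values that contain any whitespace other than single spaces, so the check cannot be bypassed by a new call site. `key` is presumably the object parsed from the submitted `key_data` above the hunk; the method starts and ends outside the hunk.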
@@ -98,7 +98,7 @@ class MyAccountSshKeysView(BaseAppView,
 fingerprint = key.hash_md5()
 ssh_key = SshKeyModel().create(
- c.user.user_id, fingerprint, key_data, description)
+ c.user.user_id, fingerprint, key.keydata, description)
 ssh_key_data = ssh_key.get_api_data()
 audit_logger.store_web(
diff --git a/rhodecode/apps/ssh_support/utils.py b/rhodecode/apps/ssh_support/utils.py
--- a/rhodecode/apps/ssh_support/utils.py
+++ b/rhodecode/apps/ssh_support/utils.py
@@ -84,16 +84,23 @@ def _generate_ssh_authorized_keys_file(
 for user_key in all_active_keys:
 username = user_key.user.username
 user_id = user_key.user.user_id
+ # replace all newline from ends and inside
+ safe_key_data = user_key.ssh_key_data\
+ .strip()\
+ .replace('\n', ' ') \
+ .replace('\t', ' ') \
+ .replace('\r', ' ')
- keys_file.write(
- line_tmpl.format(
- ssh_opts=ssh_opts or SSH_OPTS,
- wrapper_command=ssh_wrapper_cmd,
- ini_path=ini_path,
- user_id=user_id,
- user=username,
- user_key_id=user_key.ssh_key_id,
- key=user_key.ssh_key_data))
+ line = line_tmpl.format(
+ ssh_opts=ssh_opts or SSH_OPTS,
+ wrapper_command=ssh_wrapper_cmd,
+ ini_path=ini_path,
+ user_id=user_id,
+ user=username,
+ user_key_id=user_key.ssh_key_id,
+ key=safe_key_data)
+
+ keys_file.write(line)
 log.debug('addkey: Key added for user: `%s`', username)
 keys_file.close()
diff --git a/rhodecode/templates/admin/users/user_edit_ssh_keys_generate.mako b/rhodecode/templates/admin/users/user_edit_ssh_keys_generate.mako
--- a/rhodecode/templates/admin/users/user_edit_ssh_keys_generate.mako
+++ b/rhodecode/templates/admin/users/user_edit_ssh_keys_generate.mako
@@ -8,13 +8,13 @@
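Review bot: With `key.keydata` passed to `SshKeyModel().create(`, this self-service view now silently stores the canonical key even when the submitted text carried extra lines or a second key, so an attempt to exploit the original issue leaves nothing unusual in the entry written by `audit_logger.store_web(` below. Rejecting such input with a form validation error, or at least recording the raw submission's line count in the audit data, would make abuse visible to an operator instead of being normalised away. This is inferred from the visible lines only; the parsing of `key_data` into `key` and the rest of the method lie outside the hunk.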
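Review bot: The new `safe_key_data` chain at the top of the loop body neutralises only `\n`, `\t` and `\r`; vertical tab, form feed and other whitespace still pass through into the authorized_keys line, and the mixed continuation style (`.strip()\` beside `.replace('\n', ' ') \`) is easy to get wrong on a later edit. `safe_key_data = ' '.join(user_key.ssh_key_data.split())` collapses every whitespace run in one line and reads unambiguously. Because rows stored before this release still hold the raw submitted text, it would also be worth checking that the sanitised value has the `type base64 [comment]` shape (`len(safe_key_data.split()) >= 2`) and logging and skipping the row otherwise, rather than writing an unparsable line; the comment `# replace all newline from ends and inside` should then say what the loop actually guarantees, e.g. `# one key per line: collapse any whitespace so a stored key cannot inject a second authorized_keys entry`. `_generate_ssh_authorized_keys_file` starts above the hunk and whatever follows `keys_file.close()` is not visible here.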

${_('Private key')}

-# Save the content as
-# Windows: /Users//.ssh/id_rsa_rhodecode_access_priv.key
-# macOS: /Users//.ssh/id_rsa_rhodecode_access_priv.key
-# Linux: /home//.ssh/id_rsa_rhodecode_access_priv.key
+# Save the below content as
+# Windows: /Users/{username}/.ssh/id_rsa_rhodecode_access_priv.key
+# macOS: /Users/{yourname}/.ssh/id_rsa_rhodecode_access_priv.key
+# Linux: /home/{username}/.ssh/id_rsa_rhodecode_access_priv.key
 
 # Change permissions to 0600 to make it secure, and usable.
-e.g chmod 0600 /home//.ssh/id_rsa_rhodecode_access_priv.key
+e.g chmod 0600 /home/{username}/.ssh/id_rsa_rhodecode_access_priv.key
         
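Review bot: The new Windows line `# Windows: /Users/{username}/.ssh/id_rsa_rhodecode_access_priv.key` gives a macOS-style path; on Windows the OpenSSH client looks in the user profile, so it should read `# Windows: C:\Users\{username}\.ssh\id_rsa_rhodecode_access_priv.key`, and the macOS line should use the same `{username}` placeholder as the other two rather than `{yourname}`. The `chmod 0600` hint two lines later applies only to the Unix-style paths; a short note that Windows uses file ACLs instead would stop users from pasting that command into PowerShell. The same placeholders recur in the public-key hunk below, whose end is outside this view. `e.g chmod` is missing its second period.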
@@ -24,10 +24,10 @@ e.g chmod 0600 /home//.ssh/id_

${_('Public key')}

-# Save the content as
-# Windows: /Users//.ssh/id_rsa_rhodecode_access_pub.key
-# macOS: /Users//.ssh/id_rsa_rhodecode_access_pub.key
-# Linux: /home//.ssh/id_rsa_rhodecode_access_pub.key
+# Save the below content as
+# Windows: /Users/{username}/.ssh/id_rsa_rhodecode_access_pub.key
+# macOS: /Users/{yourname}/.ssh/id_rsa_rhodecode_access_pub.key
+# Linux: /home/{username}/.ssh/id_rsa_rhodecode_access_pub.key