##// END OF EJS Templates
u » pc » rhodecode-enterprise-ce-fork-pc
RSS

Fork of rhodecode-enterprise-ce

authentication: introduce a group sync flag for plugins....
authentication: introduce a group sync flag for plugins. - we'll skip any syncing on plugins which simply don't get any group information - we let plugins define if they wish to sync groups - prevent from odd cases in which someone sets user groups as syncing, and using regular plugin. In this case memebership of that group would be wiped, and it's generaly bad behaviour.
marcink - - Load All Authors

File last commit:

r2197:4edcf89e stable
r2495:4f076134 default
Show More
release-notes-4.9.1.rst
54 lines | 1.0 KiB | text/x-rst | RstLexer
/ docs / release-notes / release-notes-4.9.1.rst
History | Annotation | Raw |Copy content |Copy permalink

|RCE| 4.9.1 |RNS|

Release Date

  • 2017-10-26

New Features

General

Security

  • security(critical): repo-forks: fix issue when forging fork_repo_id parameter could allow reading other people forks.
  • security(high): auth: don't expose full set of permissions into channelstream payload. Forged requests could return list of private repositories in the system.
  • security(medium): general-security: limit the maximum password input length to 72 characters.
  • security(medium): select2: always escape .text attributes to prevent XSS via branches or tags names.

Performance

  • git: improve performance and reduce memory usage on large clones.

Fixes

  • user-groups: fix potential problem with ldap group sync in external auth plugins.

Upgrade notes

  • This release changes the maximum allowed input password to 72 characters. This prevent resource consumption attack. If you need longer password than 72 characters please contact our team.