From 6cf7dd625a7db143c146de1b146cba7dbcbc2576 Mon Sep 17 00:00:00 2001
From: Douwe Maan <douwe@gitlab.com>
Date: Fri, 10 Apr 2015 18:27:42 +0200
Subject: Fix persistent XSS vulnerability around profile website URLs.

---
 CHANGELOG          | 2 ++
 app/models/user.rb | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 0878c03207b..3c119a93d36 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,8 @@
 Please view this file on the master branch, on stable branches it's out of date.
 
 v 7.10.0 (unreleased)
+  - Fix persistent XSS vulnerability around profile website URLs.
+  - Fix broken file browsing with a submodule that contains a relative link (Stan Hu)
   - Fix bug where Wiki pages that included a '/' were no longer accessible (Stan Hu)
   - Fix bug where error messages from Dropzone would not be displayed on the issues page (Stan Hu)
   - Add ability to configure Reply-To address in gitlab.yml (Stan Hu)
diff --git a/app/models/user.rb b/app/models/user.rb
index 515f29ea0ba..e2b6757bc4d 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -486,13 +486,13 @@ class User < ActiveRecord::Base
   end
 
   def full_website_url
-    return "http://#{website_url}" if website_url !~ /^https?:\/\//
+    return "http://#{website_url}" if website_url !~ /\Ahttps?:\/\//
 
     website_url
   end
 
   def short_website_url
-    website_url.gsub(/https?:\/\//, '')
+    website_url.sub(/\Ahttps?:\/\//, '')
   end
 
   def all_ssh_keys
-- 
cgit v1.2.1


From 0ece6bd82839d0c9e3e27b65a6a201771f09190e Mon Sep 17 00:00:00 2001
From: Douwe Maan <douwe@gitlab.com>
Date: Fri, 10 Apr 2015 18:30:02 +0200
Subject: Use `\A` and `\z` in regexes instead of `^` and `$`.

---
 app/controllers/application_controller.rb    | 2 +-
 app/helpers/application_helper.rb            | 2 +-
 app/helpers/gitlab_markdown_helper.rb        | 4 ++--
 app/helpers/submodule_helper.rb              | 2 +-
 app/models/project_services/irker_service.rb | 2 +-
 app/models/repository.rb                     | 4 ++--
 app/services/create_tag_service.rb           | 4 +---
 app/workers/post_receive.rb                  | 4 ++--
 config/initializers/devise.rb                | 2 +-
 9 files changed, 12 insertions(+), 14 deletions(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 80e983b5314..0521a9ef8cf 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -153,7 +153,7 @@ class ApplicationController < ActionController::Base
   end
 
   def method_missing(method_sym, *arguments, &block)
-    if method_sym.to_s =~ /^authorize_(.*)!$/
+    if method_sym.to_s =~ /\Aauthorize_(.*)!\z/
       authorize_project!($1.to_sym)
     else
       super
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 3f3509bb18a..b5b0015542c 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -125,7 +125,7 @@ module ApplicationHelper
 
     # If reference is commit id - we should add it to branch/tag selectbox
     if(@ref && !options.flatten.include?(@ref) &&
-       @ref =~ /^[0-9a-zA-Z]{6,52}$/)
+       @ref =~ /\A[0-9a-zA-Z]{6,52}\z/)
       options << ['Commit', [@ref]]
     end
 
diff --git a/app/helpers/gitlab_markdown_helper.rb b/app/helpers/gitlab_markdown_helper.rb
index 17266656a4e..aa1de2f50ef 100644
--- a/app/helpers/gitlab_markdown_helper.rb
+++ b/app/helpers/gitlab_markdown_helper.rb
@@ -13,7 +13,7 @@ module GitlabMarkdownHelper
   def link_to_gfm(body, url, html_options = {})
     return "" if body.blank?
 
-    escaped_body = if body =~ /^\<img/
+    escaped_body = if body =~ /\A\<img/
                      body
                    else
                      escape_once(body)
@@ -139,7 +139,7 @@ module GitlabMarkdownHelper
       @project.path_with_namespace,
       path_with_ref(file_path),
       file_path
-    ].compact.join("/").gsub(/^\/*|\/*$/, '') + id
+    ].compact.join("/").gsub(/\A\/*|\/*\z/, '') + id
   end
 
   def sanitize_slashes(path)
diff --git a/app/helpers/submodule_helper.rb b/app/helpers/submodule_helper.rb
index 241462e5e4c..48aa1eda67d 100644
--- a/app/helpers/submodule_helper.rb
+++ b/app/helpers/submodule_helper.rb
@@ -44,7 +44,7 @@ module SubmoduleHelper
 
   def relative_self_url?(url)
     # (./)?(../repo.git) || (./)?(../../project/repo.git) )
-    url =~ /^((\.\/)?(\.\.\/))(?!(\.\.)|(.*\/)).*\.git\Z/ || url =~ /^((\.\/)?(\.\.\/){2})(?!(\.\.))([^\/]*)\/(?!(\.\.)|(.*\/)).*\.git\Z/
+    url =~ /\A((\.\/)?(\.\.\/))(?!(\.\.)|(.*\/)).*\.git\z/ || url =~ /\A((\.\/)?(\.\.\/){2})(?!(\.\.))([^\/]*)\/(?!(\.\.)|(.*\/)).*\.git\z/
   end
 
   def standard_links(host, namespace, project, commit)
diff --git a/app/models/project_services/irker_service.rb b/app/models/project_services/irker_service.rb
index 2bddb7b881c..e9e1e276e7d 100644
--- a/app/models/project_services/irker_service.rb
+++ b/app/models/project_services/irker_service.rb
@@ -148,7 +148,7 @@ class IrkerService < Service
 
   def consider_uri(uri)
     # Authorize both irc://domain.com/#chan and irc://domain.com/chan
-    if uri.is_a?(URI) && uri.scheme[/^ircs?$/] && !uri.path.nil?
+    if uri.is_a?(URI) && uri.scheme[/^ircs?\z/] && !uri.path.nil?
       # Do not authorize irc://domain.com/
       if uri.fragment.nil? && uri.path.length > 1
         uri.to_s
diff --git a/app/models/repository.rb b/app/models/repository.rb
index 72769498872..263a436d521 100644
--- a/app/models/repository.rb
+++ b/app/models/repository.rb
@@ -199,7 +199,7 @@ class Repository
   def changelog
     cache.fetch(:changelog) do
       tree(:head).blobs.find do |file|
-        file.name =~ /^(changelog|history)/i
+        file.name =~ /\A(changelog|history)/i
       end
     end
   end
@@ -207,7 +207,7 @@ class Repository
   def license
     cache.fetch(:license) do
       tree(:head).blobs.find do |file|
-        file.name =~ /^license/i
+        file.name =~ /\Alicense/i
       end
     end
   end
diff --git a/app/services/create_tag_service.rb b/app/services/create_tag_service.rb
index 4115d689925..25f9e203246 100644
--- a/app/services/create_tag_service.rb
+++ b/app/services/create_tag_service.rb
@@ -13,9 +13,7 @@ class CreateTagService < BaseService
       return error('Tag already exists')
     end
 
-    if message
-      message.gsub!(/^\s+|\s+$/, '')
-    end
+    message.strip! if message
 
     repository.add_tag(tag_name, ref, message)
     new_tag = repository.find_tag(tag_name)
diff --git a/app/workers/post_receive.rb b/app/workers/post_receive.rb
index 0c3ee6ba4ff..33d8cc8861b 100644
--- a/app/workers/post_receive.rb
+++ b/app/workers/post_receive.rb
@@ -11,8 +11,8 @@ class PostReceive
       log("Check gitlab.yml config for correct gitlab_shell.repos_path variable. \"#{Gitlab.config.gitlab_shell.repos_path}\" does not match \"#{repo_path}\"")
     end
 
-    repo_path.gsub!(/\.git$/, "")
-    repo_path.gsub!(/^\//, "")
+    repo_path.gsub!(/\.git\z/, "")
+    repo_path.gsub!(/\A\//, "")
 
     project = Project.find_with_namespace(repo_path)
 
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index 79abe3c695d..9dce495106f 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -208,7 +208,7 @@ Devise.setup do |config|
   if Gitlab::LDAP::Config.enabled?
     Gitlab.config.ldap.servers.values.each do |server|
       if server['allow_username_or_email_login']
-        email_stripping_proc = ->(name) {name.gsub(/@.*$/,'')}
+        email_stripping_proc = ->(name) {name.gsub(/@.*\z/,'')}
       else
         email_stripping_proc = ->(name) {name}
       end
-- 
cgit v1.2.1


From 0988be4efa8c9db6b3adcecdbad97367e837961f Mon Sep 17 00:00:00 2001
From: Douwe Maan <douwe@gitlab.com>
Date: Sat, 11 Apr 2015 11:40:51 +0200
Subject: Fix a whoopsie daisy in the changelog.

---
 CHANGELOG | 1 -
 1 file changed, 1 deletion(-)

diff --git a/CHANGELOG b/CHANGELOG
index 3c119a93d36..d10fc81015d 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -2,7 +2,6 @@ Please view this file on the master branch, on stable branches it's out of date.
 
 v 7.10.0 (unreleased)
   - Fix persistent XSS vulnerability around profile website URLs.
-  - Fix broken file browsing with a submodule that contains a relative link (Stan Hu)
   - Fix bug where Wiki pages that included a '/' were no longer accessible (Stan Hu)
   - Fix bug where error messages from Dropzone would not be displayed on the issues page (Stan Hu)
   - Add ability to configure Reply-To address in gitlab.yml (Stan Hu)
-- 
cgit v1.2.1