Merge branch 'trusted-certs-whitelist-sym' into 'master'

Ignore whitelisted files when they are within a symlinked directory

Fixes: https://gitlab.com/gitlab-org/gitlab-ce/issues/20476


Keeping the realpath check allows us to ignore symlinks that point to the cacert, if the user ran c_rehash themselves in the certs directory. The non realpath version works if the whitelisted file itself is a symlink, or rather, is within a symlinked directory.

See merge request !907
Marin Jankovski 2016-08-03 10:22:03 +00:00
commit 97493919d0
2 changed files with 6 additions and 1 deletions


@ -13,6 +13,7 @@ omnibus-gitlab repository.
8.10.4
- Revert Host and X-Forwarded-Host headers in NGINX 9ac08
- Better handle the ssl certs whitelisted files when the directory has been symlinked
8.10.3
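Review bot: the new 8.10.4 entry does not say what actually changes and carries no reference, while the entry above it ends with one (9ac08). Word it as the behaviour an admin will see, for example that whitelisted files are now skipped when the certs directory is a symlink, and point it at merge request !907.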


@ -458,7 +458,7 @@ class CertificateHelper
def move_existing_certificates
Dir.glob(File.join(@omnibus_certs_dir, "*")) do |file|
case
when !valid?(file),whitelisted_files.include?(File.realpath(file))
when !valid?(file),whitelisted?(file)
next
when is_x509_certificate?(file)
move_certificate(file)
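Review bot: in the `when !valid?(file),whitelisted?(file)` clause the order of the two conditions matters and nothing in the code says so. whitelisted? calls File.realpath, which raises Errno::ENOENT when the path cannot be resolved, so it should only run once valid?(file) has dealt with dangling symlinks; the comma form does evaluate left to right and stops at the first match, but that is easy to miss. Add a one-line comment, or write it as `!valid?(file) || whitelisted?(file)`, so a later reorder does not turn a broken symlink in the certs directory into an exception.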
@ -468,6 +468,10 @@ class CertificateHelper
end
end
def whitelisted?(file)
whitelisted_files.include?(file) || whitelisted_files.include?(File.realpath(file))
end
def valid?(file)
exists = File.exists?(file)
FileUtils.rm_f(file) if File.symlink?(file) && !exists
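Review bot: the new whitelisted?(file) method has no comment explaining why it checks both the path as globbed and its File.realpath, and the commit touches only the changelog and this helper, so neither case is covered by a spec. The reasoning is in the commit message (realpath covers symlinks that point at the cacert after a manual c_rehash, the raw path covers a whitelisted file inside a symlinked directory); put a condensed version above the method and add a spec for each case. Also note that the first include? is an exact string match against the path produced by `Dir.glob(File.join(@omnibus_certs_dir, "*"))`, so it only matches when the whitelisted_files entries are spelled with the same directory prefix; worth stating or normalising.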