Tags: guoqiangyan/gocd
Tags
Security Fixes

Limiting agent registration if not auto-registered
* Limiting is required since agent registration endpoint is unauthenticated
* Default limit is 100 and can be configured using the SystemEnvironment 'max.pending.agents.allowed'

Using CSS to wrap content instead of using word_breaker
* Commit messages are escaped
* Post Comment endpoint needs 'Confirm:True' header
* Fixed failing tests.

Escaping html when user input is involved.
* Escaping server health messages and description on Java side.
* Fixed failing tests.
* Removed css for package repository name in the submit prompt to maintain consistency.
* VSM page
* Escaped username on the dashboard, stage detail page, environments page and pipeline history page.
* Escape the build cause to display the correct message when build is triggered by a commit.

Only Admins and Pipeline Group Admins can test connection.

Setting GIT_ALLOW_PROTOCOL to a default set if not set by the user.

Remove servlets that allow stopping of the go server via curl.
* This servlet is completely insecure and uses the `request.getRemoteHost` to determine if the request is coming from `localhost`. Spoofing the header is a matter of calling `curl -H 'X-Forwarded-For: 127.0.0.1' ...`

Bumping up the versions of javasysmon.

Explicitly making javasysmon 1.7 compatible

Build: https://build.go.cd/go/tab/build/detail/javasysmon/7/package/1/jar