Merge 2.9 into 3.0 #754
base: develop-3.0
Commits on Feb 28, 2019
Commit d7b0f5e
Merge pull request #749 from martinsumner/develop-2.9
Update rebar.config
Commit 73b7733
Point riak-erlang-client at dependency compatible with develop-2.9
Commit a0f4b37
Merge pull request #750 from martinsumner/develop-2.9
Update rebar.config
Commit 09975fe
Commits on Mar 8, 2019
[sec] yz xml extractor: prevent XXE attack
XML External Entity attack

1. if HTTP API is exposed:
   - read any file on the system — via /search/extract, the error message leaks file content;
   - send HTTP «GET /» request to any host — by PUT/POSTing text/xml document, or via /search/extract. This is also likely riak DoS if the host is attacker-controlled.
2. if PB API is exposed
   - send HTTP «GET /» request to any host — by PUT/POST, see above.

Example request:

    <?xml version="1.0"?>
    <!DOCTYPE meow [
      <!ENTITY xxe2 SYSTEM "/etc/passwd">
      <!ENTITY xxe1 SYSTEM "http://host/ping-me">
    ]>
    <meow>&xxe1;</meow>
Commit ba52825
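Added example, not code from the yokozuna commit or project (its diff is not shown on this page): a Python field extractor that aborts on the first DOCTYPE or entity declaration, run against the request quoted in the commit message above. The function name, the dotted field-path output and the benign sample document are assumptions made for illustration; the error raised carries no document content, so it cannot echo file data back to the caller.

```python
import xml.parsers.expat

class ForbiddenXML(ValueError):
    """Raised when untrusted XML declares a DTD or any entity."""

def extract_fields(data: bytes, sep: str = ".") -> dict:
    """Flatten element text into {path: text}, refusing DTDs outright."""
    parser = xml.parsers.expat.ParserCreate()
    path, fields = [], {}

    def forbid(kind):
        def handler(*_args):
            # Message names the construct only, never document content.
            raise ForbiddenXML(f"{kind} not allowed in untrusted XML")
        return handler

    # Fail at the first <!DOCTYPE ...>, before any entity is declared,
    # so nothing can be resolved from disk or over the network.
    parser.StartDoctypeDeclHandler = forbid("DOCTYPE")
    # Defence in depth in case a declaration or reference is ever reached.
    parser.EntityDeclHandler = forbid("entity declaration")
    parser.ExternalEntityRefHandler = forbid("external entity reference")

    def start(name, _attrs):
        path.append(name)

    def end(_name):
        path.pop()

    def text(chunk):
        if chunk.strip():
            key = sep.join(path)
            fields[key] = fields.get(key, "") + chunk

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = text
    parser.Parse(data, True)
    return fields

# The request from the commit message above, reproduced as input.
XXE_REQUEST = b"""<?xml version="1.0"?>
<!DOCTYPE meow [
  <!ENTITY xxe2 SYSTEM "/etc/passwd">
  <!ENTITY xxe1 SYSTEM "http://host/ping-me">
]>
<meow>&xxe1;</meow>"""
# Constructed benign document (not from the page).
BENIGN = b"<person><name>Ryan</name><pets><pet>cat</pet></pets></person>"
```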
[sec] http search: get rid of ‘yz-fprof’ header handling
It doesn't check user-provided path in any way. This allows overriding any file on the system with riak permissions.
Commit 5ebab64
Commit 0001bdf
Commits on May 9, 2019
Merge branch 'develop-3.0' into develop-2.9-3.0-merge
Martin Cox authored May 9, 2019
Commit f906c4a