ReleaseNotes/ReleaseNotes-2.5.1.txt - gerrit - Git at Google

 = Release notes for Gerrit 2.5.1

 Gerrit 2.5.1 is now available:

 link:https://www.gerritcodereview.com/download/gerrit-full-2.5.1.war[https://www.gerritcodereview.com/download/gerrit-full-2.5.1.war]

 There are no schema changes from 2.5, or 2.5.1.

 However, if upgrading from a version older than 2.5, follow the upgrade
 procedure in the 2.5 link:ReleaseNotes-2.5.html[Release Notes].

 == Security Fixes
 * Correctly identify Git-over-HTTP operations
 +
 Git operations over HTTP should be classified as using AccessPath.GIT
 and not WEB_UI. This ensures RefControl will correctly test for Create,
 Push or Delete access on a reference instead of Owner.
 +
 E.g. without this fix project owners are able to force push commits
 via HTTP that are already in the history of the target branch, even
 without having any Push access right assigned.

 * Make sure only Gerrit admins can change the parent of a project
 +
 Only Gerrit administrators should be able to change the parent of a
 project because by changing the parent project access rights and BLOCK
 rules which are configured on a parent project can be avoided.
 +
 The `set-project-parent` SSH command already verifies that the caller
 is a Gerrit administrator, however project owners can change the parent
 project by modifying the `project.config` file and pushing to the
 `refs/meta/config` branch.
 +
 This fix ensures that changes to the `project.config` file that change
 the parent project can only be pushed/submitted by Gerrit
 administrators.
 +
 In addition it is now no longer possible to
 +
 ** set a non-existing project as parent (as this would make the project
   be orphaned)
 ** set a parent project for the `All-Projects` root project (the root
   project by definition has no parent)
 by pushing changes of the `project.config` file to `refs/meta/config`.

 == Bug Fixes
 * Fix RequestCleanup bug with Git over HTTP
 +
 Decide if a continuation is going to be used early, before the filter
 that will attempt to cleanup a RequestCleanup. If so don't allow
 entering the RequestCleanup part of the system until the request is
 actually going to be processed.
 +
 This fixes the IllegalStateException `Request has already been cleaned
 up` that occurred when running on Jetty and pushing over HTTP for URLs
 where the path starts with `/p/`.

 * Match all git fetch/clone/push commands to the command executor
 +
 Route not just `/p/` but any Git access to the same thread pool as the
 SSH server is using, allowing all requests to compete fairly for
 resources.

 * Fix auto closing of changes on direct push
 +
 When a commit is directly pushed into a repository (bypassing code
 review) and this commit has a Change-Id in its commit message then the
 corresponding change is automatically closed if it is open.

 * Allow assigning `Push` for `refs/meta/config` on `All-Projects`
 +
 The `refs/meta/config` branch of the `All-Projects project` should only
 be modified by Gerrit administrators because being able to do
 modifications on this branch means that the user could assign himself
 administrator permissions.
 +
 In addition to being administrator we already require that the
 administrator has the `Push` access right for `refs/meta/config` in
 order to be able to modify it (just as with all other branches
 administrators do not have edit permissions by default).
 +
 The problem was that assigning the `Push` access right for
 `refs/meta/config` on the `All-Projects` project was not allowed.
 +
 Having the `Push` access right for `refs/meta/config` on the
 `All-Projects` project without being administrator already has no
 effect.
 +
 Prohibiting to assign the Push access right for `refs/meta/config` on
 the `All-Project` project was anyway pointless since it was e.g.
 possible to assign the `Push` access right on `refs/meta/*`.
	= Release notes for Gerrit 2.5.1

	Gerrit 2.5.1 is now available:

	link:https://www.gerritcodereview.com/download/gerrit-full-2.5.1.war[https://www.gerritcodereview.com/download/gerrit-full-2.5.1.war]

	There are no schema changes from 2.5, or 2.5.1.

	However, if upgrading from a version older than 2.5, follow the upgrade
	procedure in the 2.5 link:ReleaseNotes-2.5.html[Release Notes].

	== Security Fixes
	* Correctly identify Git-over-HTTP operations
	+
	Git operations over HTTP should be classified as using AccessPath.GIT
	and not WEB_UI. This ensures RefControl will correctly test for Create,
	Push or Delete access on a reference instead of Owner.
	+
	E.g. without this fix project owners are able to force push commits
	via HTTP that are already in the history of the target branch, even
	without having any Push access right assigned.

	* Make sure only Gerrit admins can change the parent of a project
	+
	Only Gerrit administrators should be able to change the parent of a
	project because by changing the parent project access rights and BLOCK
	rules which are configured on a parent project can be avoided.
	+
	The `set-project-parent` SSH command already verifies that the caller
	is a Gerrit administrator, however project owners can change the parent
	project by modifying the `project.config` file and pushing to the
	`refs/meta/config` branch.
	+
	This fix ensures that changes to the `project.config` file that change
	the parent project can only be pushed/submitted by Gerrit
	administrators.
	+
	In addition it is now no longer possible to
	+
	** set a non-existing project as parent (as this would make the project
	be orphaned)
	** set a parent project for the `All-Projects` root project (the root
	project by definition has no parent)
	by pushing changes of the `project.config` file to `refs/meta/config`.

	== Bug Fixes
	* Fix RequestCleanup bug with Git over HTTP
	+
	Decide if a continuation is going to be used early, before the filter
	that will attempt to cleanup a RequestCleanup. If so don't allow
	entering the RequestCleanup part of the system until the request is
	actually going to be processed.
	+
	This fixes the IllegalStateException `Request has already been cleaned
	up` that occurred when running on Jetty and pushing over HTTP for URLs
	where the path starts with `/p/`.

	* Match all git fetch/clone/push commands to the command executor
	+
	Route not just `/p/` but any Git access to the same thread pool as the
	SSH server is using, allowing all requests to compete fairly for
	resources.

	* Fix auto closing of changes on direct push
	+
	When a commit is directly pushed into a repository (bypassing code
	review) and this commit has a Change-Id in its commit message then the
	corresponding change is automatically closed if it is open.

	* Allow assigning `Push` for `refs/meta/config` on `All-Projects`
	+
	The `refs/meta/config` branch of the `All-Projects project` should only
	be modified by Gerrit administrators because being able to do
	modifications on this branch means that the user could assign himself
	administrator permissions.
	+
	In addition to being administrator we already require that the
	administrator has the `Push` access right for `refs/meta/config` in
	order to be able to modify it (just as with all other branches
	administrators do not have edit permissions by default).
	+
	The problem was that assigning the `Push` access right for
	`refs/meta/config` on the `All-Projects` project was not allowed.
	+
	Having the `Push` access right for `refs/meta/config` on the
	`All-Projects` project without being administrator already has no
	effect.
	+
	Prohibiting to assign the Push access right for `refs/meta/config` on
	the `All-Project` project was anyway pointless since it was e.g.
	possible to assign the `Push` access right on `refs/meta/*`.