commit | 6caf55596202dde286a8ff156f398efd1f367090 | |
---|---|---|
author | Gal Paikin <paiking@google.com> | Mon Jul 12 17:15:23 2021 +0200 |
committer | Edwin Kempin <ekempin@google.com> | Fri Jul 16 14:41:56 2021 +0200 |
tree | 41836202572024adc2581dd6352237ec3d769bab | |
parent | feddd042fd73002d6e393dcd47e00f777681aae1 | |
Fix ListOfFilesDidNotChange

Due to faulty implementation, it was possible to do the following:

1. Add copyAllScoresiFlistOfFilesDidNoChange to a label.
2. Vote on that label on some change.
3. Add a new patch-set while modifying any file.

By doing so, the vote should not be sticky if modifying files that are not related to this change. However, modifying any file was allowed and the vote was still sticky.

We fix this vulnerability by changing the logic of the code.

While at it, we "cherry-picked" I9ce454278 and I33da589e. We forgot to cherry-pick those, although this is quite a good idea to do so. The reason it's a good idea is because it's possible to edit a file, get it approved, and rename it and change it while replacing around 40% of the content such that it is still considered a rename, but realistically this is the same as creating a new file. That is a potential source for security leaks.

Bug: Issue 14744
Change-Id: I6ebb5a5785219fccc67148af0d28c0cfdf49d10e
(cherry picked from commit da7a9a0b0bcc59797502ccfa2f82bcebf318be8d)
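The check the commit message describes can be modelled as follows. This is an added example, not Gerrit's code and not part of the commit: the `FileDiff` shape, the function names and the sample paths are all constructed for illustration, and the rule that a rename counts as a deletion plus an addition is this example's reading of the rename concern in the message.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed model, not Gerrit's data structures: a patch set is described by
# its diff against the parent commit, {new_path: (change_type, old_path)}.
# change_type is ADDED, MODIFIED, DELETED or RENAMED; old_path is set for renames.
FileDiff = Dict[str, Tuple[str, Optional[str]]]


def normalize(diff: FileDiff) -> Set[Tuple[Optional[str], str]]:
    """Flatten a diff into (path, change_type) pairs, never trusting renames.

    Similarity-based rename detection still reports a rename after a large
    part of the content was replaced, so a rename is counted as a deletion
    of the old path plus an addition of the new path.
    """
    entries: Set[Tuple[Optional[str], str]] = set()
    for path, (change_type, old_path) in diff.items():
        if change_type == "RENAMED":
            entries.add((old_path, "DELETED"))
            entries.add((path, "ADDED"))
        else:
            entries.add((path, change_type))
    return entries


def may_copy_vote(prior: FileDiff, current: FileDiff) -> Tuple[bool, List[str]]:
    """Return (sticky, reasons). The vote is copied only when both patch sets
    touch exactly the same paths with the same change types."""
    old, new = normalize(prior), normalize(current)
    reasons = [f"new in current patch set: {t} {p}" for p, t in sorted(new - old)]
    reasons += [f"missing from current patch set: {t} {p}" for p, t in sorted(old - new)]
    return (not reasons, reasons)


# Constructed sample patch sets.
APPROVED = {"auth/login.py": ("MODIFIED", None)}
SAME_FILES = {"auth/login.py": ("MODIFIED", None)}
EXTRA_FILE = {"auth/login.py": ("MODIFIED", None), "deploy/keys.py": ("MODIFIED", None)}
RENAMED = {"auth/session.py": ("RENAMED", "auth/login.py")}

if __name__ == "__main__":
    for name, ps in [("same files", SAME_FILES), ("extra file", EXTRA_FILE), ("rename", RENAMED)]:
        print(name, may_copy_vote(APPROVED, ps))
```

The returned reasons list is what a reviewer or audit log would need to see why an approval was dropped on the new patch set.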
Gerrit is a code review and project management tool for Git based projects.
Gerrit makes reviews easier by showing changes in a side-by-side display, and allowing inline comments to be added by any reviewer.
Gerrit simplifies Git based project maintainership by permitting any authorized user to submit changes to the master Git repository, rather than requiring all approved changes to be merged in by hand by the project maintainer.
For information about how to install and use Gerrit, refer to the documentation.
Our canonical Git repository is located on googlesource.com. There is a mirror of the repository on GitHub.
Please report bugs on the issue tracker.
Gerrit is the work of hundreds of contributors. We appreciate your help!
Please read the contribution guidelines.
Note that we do not accept Pull Requests via the GitHub mirror.
The Developer Mailing list is repo-discuss on Google Groups.
Gerrit is provided under the Apache License 2.0.
Install Bazel and run the following:
git clone --recurse-submodules https://gerrit.googlesource.com/gerrit
cd gerrit && bazel build release
Instructions for configuring the GerritForge/BinTray repositories are here.
On Debian/Ubuntu run:
apt-get update && apt-get install gerrit=<version>-<release>
NOTE: release is a counter that starts with 1 and indicates the number of packages that have been released with the same version of the software.
On CentOS/RedHat run:
yum clean all && yum install gerrit-<version>[-<release>]
On Fedora run:
dnf clean all && dnf install gerrit-<version>[-<release>]
Docker images of Gerrit are available on DockerHub
To run a CentOS 8 based Gerrit image:
docker run -p 8080:8080 gerritcodereview/gerrit[:version]-centos8
To run an Ubuntu 20.04 based Gerrit image:
docker run -p 8080:8080 gerritcodereview/gerrit[:version]-ubuntu20
NOTE: release is optional. The last released package of the version is installed if the release number is omitted.