[ci skip]

Prepare 10.1.6 Security Release

See merge request gitlab/gitlabhq!2291

[10.1] Prevent login with disabled OAuth providers

See merge request gitlab/gitlabhq!2249

(cherry picked from commit e4951cc45f29a9ec1e07408102ab339444ff43e8)

71d8d00c Prevents login with disabled OAuth providers

Port of [10.2] Sanitizes IPython notebook output

See merge request gitlab/gitlabhq!2284

(cherry picked from commit 72ce40bdebe73a06dc282d42f2c8a729730c9cee)

989d1187 Port of [10.2] Sanitizes IPython notebook output

Merge branch '41293-fix-command-injection-vulnerability-on-system_hook_push-queue-through-web-hook-10-1' into 'security-10-1'

[10.1] Don't allow line breaks on HTTP headers

See merge request gitlab/gitlabhq!2286

(cherry picked from commit 271ef222fa964481379a14a9c07805621a7d52a6)

a30812d3 Don't allow line breaks on HTTP headers

[10.1] Fix RCE via project import mechanism

See merge request gitlab/gitlabhq!2292

(cherry picked from commit 9a399c554268f3ac9e9cd2340600c2df2f5dfa47)

fdbd8d03 Fix RCE via project import mechanism

[10.1] Migrate `can_push` column from `keys` to `deploy_keys_project`

See merge request gitlab/gitlabhq!2274

(cherry picked from commit b8ed2ac5bf4a75d0787315e741d4c9aacd36e07e)

5f214517 Backport to 10.1

[10.1] backport - check project access on MR create

See merge request gitlab/gitlabhq!2280

(cherry picked from commit 6ca3de3c1e97590f62677227c7eef2f000db766c)

285551b9 check project access on MR create

[10.1] Fix path traversal in gitlab-ci.yml cache:key

See merge request gitlab/gitlabhq!2272

(cherry picked from commit 991ae1d593e78e7c2484d5fe5b12dfce44a94bc8)

754c83ea Fix path traversal in gitlab-ci.yml cache:key

Validate project path in Gitlab import - 10.1 port

See merge request gitlab/gitlabhq!2266

(cherry picked from commit 14e7f46a07a45bf851178ae6c90c519460bf9736)

13ad8b50 Validate project path in Gitlab import

Remove order param from the MilestoneFinder - 10.1 port

See merge request gitlab/gitlabhq!2265

(cherry picked from commit 5f0bb7928b40029a2ced18063c36697e3f8e80c2)

85c6530e Remove order param from the MilestoneFinder

[10.1] Fix XSS in issue label dropdown

See merge request gitlab/gitlabhq!2252

(cherry picked from commit 447270c2603dc4962d6aed87baeaeb56c59788ba)

71c6cded Fix XSS in issue label dropdown
0cc81a51 Move xss_label to smaller test scope

[10.1] Fix XSS vulnerability in Pipeline job trace - back port 10.1

See merge request gitlab/gitlabhq!2261

(cherry picked from commit ddb49b9053a31db0dfb93e02be1975549f991695)

dc3d4676 Fix XSS vulnerability in Pipeline job trace

Merge branch 'security-10-1-do-not-expose-passwords-or-tokens-in-service-integrations-api' into 'security-10-1'

Filter out sensitive fields from the project services API

See merge request gitlab/gitlabhq!2283

(cherry picked from commit cde3ae62e8f602b8db4fbdd382fba1a90780be7f)

c958086d Filter out sensitive fields from the project services API

Bump redis-rails to 5.0.2 to get redis-store security updates

Closes #40889

See merge request gitlab-org/gitlab-ce!15773

Add changelog entries for 10.1.5

See merge request gitlab-org/gitlab-ce!15908

[ci skip]

Prepare 10.1.4 release

See merge request gitlab-org/gitlab-ce!15379

Prevent error when authorizing an admin-created OAauth application without a set owner

Closes #40086

See merge request gitlab-org/gitlab-ce!15349

Don't try to create fork network memberships for forks of forks

Closes #40072

See merge request gitlab-org/gitlab-ce!15366

Prevent position update for image diff notes

Closes #40058

See merge request gitlab-org/gitlab-ce!15357

Formats bytes to human readable number in registry table

See merge request gitlab-org/gitlab-ce!15359

[ci skip]

Prepare 10.1.3 release

See merge request gitlab-org/gitlab-ce!15209

Prevent fast forward merge when rebase is required

Closes #39773

See merge request gitlab-org/gitlab-ce!15296

* 10-1-stable:
  Merge branch '32059-fix-oauth-phishing' into 'master'

Prevent OAuth phishing attack by presenting detailed wording about app to user during authorization

See merge request gitlab-org/gitlab-ce!15311

Prevent OAuth phishing attack by presenting detailed wording about app to user during authorization

See merge request gitlab/gitlabhq!2205

* 10-1-stable:
  Add 10.1.2 security fixes to CHANGELOG.md

Resolve "Fix GKE wording"

Closes #39648

See merge request gitlab-org/gitlab-ce!15204

Make sure group and project creation is blocked for new users that are external by default

Closes #39664

See merge request gitlab-org/gitlab-ce!15212

Resolve "GPG tooltips not working in Safari"

Closes #38385

See merge request gitlab-org/gitlab-ce!15228

Fix arguments error on Import/Export fetch_ref method

Closes #39541

See merge request gitlab-org/gitlab-ce!15241

* 10-1-jivl-fix-cancel-button-file-upload-new-issue:
  Merge branch 'jivl-fix-cancel-button-file-upload-new-issue' into 'master'

* 10-1-stable:
  Update VERSION to 10.1.2
  Update CHANGELOG.md for 10.1.2
  Merge branch 'fix-mysql-grant-check' into 'master'
  Merge branch '36099-api-responses-missing-x-content-type-options-header' into '10-1-stable'
  Merge branch 'ssrf-protections-round-2' into 'security-10-1'