gerrit/ReleaseNotes/ReleaseNotes-2.5.1.txt

= Release notes for Gerrit 2.5.1

Gerrit 2.5.1 is now available:

link:https://www.gerritcodereview.com/download/gerrit-full-2.5.1.war[https://www.gerritcodereview.com/download/gerrit-full-2.5.1.war]

There are no schema changes from 2.5, or 2.5.1.

However, if upgrading from a version older than 2.5, follow the upgrade
procedure in the 2.5 link:ReleaseNotes-2.5.html[Release Notes].

== Security Fixes
* Correctly identify Git-over-HTTP operations
+
Git operations over HTTP should be classified as using AccessPath.GIT
and not WEB_UI. This ensures RefControl will correctly test for Create,
Push or Delete access on a reference instead of Owner.
+
E.g. without this fix project owners are able to force push commits
via HTTP that are already in the history of the target branch, even
without having any Push access right assigned.

* Make sure only Gerrit admins can change the parent of a project
+
Only Gerrit administrators should be able to change the parent of a
project because by changing the parent project access rights and BLOCK
rules which are configured on a parent project can be avoided.
+
The `set-project-parent` SSH command already verifies that the caller
is a Gerrit administrator, however project owners can change the parent
project by modifying the `project.config` file and pushing to the
`refs/meta/config` branch.
+
This fix ensures that changes to the `project.config` file that change
the parent project can only be pushed/submitted by Gerrit
administrators.
+
In addition it is now no longer possible to
+
** set a non-existing project as parent (as this would make the project
  be orphaned)
** set a parent project for the `All-Projects` root project (the root
  project by definition has no parent)
by pushing changes of the `project.config` file to `refs/meta/config`.

== Bug Fixes
* Fix RequestCleanup bug with Git over HTTP
+
Decide if a continuation is going to be used early, before the filter
that will attempt to cleanup a RequestCleanup. If so don't allow
entering the RequestCleanup part of the system until the request is
actually going to be processed.
+
This fixes the IllegalStateException `Request has already been cleaned
up` that occurred when running on Jetty and pushing over HTTP for URLs
where the path starts with `/p/`.

* Match all git fetch/clone/push commands to the command executor
+
Route not just `/p/` but any Git access to the same thread pool as the
SSH server is using, allowing all requests to compete fairly for
resources.

* Fix auto closing of changes on direct push
+
When a commit is directly pushed into a repository (bypassing code
review) and this commit has a Change-Id in its commit message then the
corresponding change is automatically closed if it is open.

* Allow assigning `Push` for `refs/meta/config` on `All-Projects`
+
The `refs/meta/config` branch of the `All-Projects project` should only
be modified by Gerrit administrators because being able to do
modifications on this branch means that the user could assign himself
administrator permissions.
+
In addition to being administrator we already require that the
administrator has the `Push` access right for `refs/meta/config` in
order to be able to modify it (just as with all other branches
administrators do not have edit permissions by default).
+
The problem was that assigning the `Push` access right for
`refs/meta/config` on the `All-Projects` project was not allowed.
+
Having the `Push` access right for `refs/meta/config` on the
`All-Projects` project without being administrator already has no
effect.
+
Prohibiting to assign the Push access right for `refs/meta/config` on
the `All-Project` project was anyway pointless since it was e.g.
possible to assign the `Push` access right on `refs/meta/*`.