Gerrit 2.5.1 is now available:

There are no schema changes from 2.5, or 2.5.1.

However, if upgrading from a version older than 2.5, follow the upgrade procedure in the 2.5 Release Notes.

Security Fixes

  • Correctly identify Git-over-HTTP operations

    Git operations over HTTP should be classified as using AccessPath.GIT and not WEB_UI. This ensures RefControl will correctly test for Create, Push or Delete access on a reference instead of Owner.

    For example, without this fix project owners are able to force-push commits over HTTP that are already in the history of the target branch, even without having any Push access right assigned.

  • Make sure only Gerrit admins can change the parent of a project

    Only Gerrit administrators should be able to change the parent of a project, because changing the parent allows a project to evade the access rights and BLOCK rules that are configured on its parent project.

    The set-project-parent SSH command already verifies that the caller is a Gerrit administrator; however, project owners could still change the parent project by modifying the project.config file and pushing it to the refs/meta/config branch.

    This fix ensures that changes to the project.config file that change the parent project can only be pushed/submitted by Gerrit administrators.

    In addition it is now no longer possible to

    • set a non-existing project as parent (as this would orphan the project)

    • set a parent project for the All-Projects root project (the root project by definition has no parent) by pushing changes of the project.config file to refs/meta/config.
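    The three rules above, modelled as an added illustration (this is not Gerrit's own code): a minimal parser for the git-config style project.config, a lookup of the access.inheritFrom key that names the parent, and a check applied when a new revision of the file is pushed to refs/meta/config. The sample configs, project names and caller flag are constructed for the example.

```python
ALL_PROJECTS = "All-Projects"  # Gerrit's root project, which has no parent

def parse_git_config(text):
    """Tiny parser for git-config style text: returns {(section, key): value}.
    Subsection names such as [access "refs/heads/*"] stay part of the section name."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            entries[(section, key.lower())] = value
    return entries

def parent_of(config_text):
    """Value of access.inheritFrom, or None when the file names no parent."""
    return parse_git_config(config_text).get(("access", "inheritfrom"))

def validate_parent_change(project, old_cfg, new_cfg, caller_is_admin, existing_projects):
    """Decide whether a pushed project.config may be accepted.
    Returns (accepted, reason). Only a change of the parent is subject to the rules;
    other edits by project owners are left untouched by this check."""
    old_parent, new_parent = parent_of(old_cfg), parent_of(new_cfg)
    if old_parent == new_parent:
        return True, "parent unchanged"
    if not caller_is_admin:
        return False, "only Gerrit administrators may change the parent project"
    if project == ALL_PROJECTS and new_parent is not None:
        return False, "All-Projects is the root project and cannot have a parent"
    if new_parent is not None and new_parent not in existing_projects:
        return False, "parent project %r does not exist" % new_parent
    return True, "parent change accepted"

# Constructed sample data, not taken from any real Gerrit site
OLD_CFG = '[access]\n\tinheritFrom = All-Projects\n[access "refs/heads/*"]\n\tpush = group Developers\n'
NEW_CFG = OLD_CFG.replace("All-Projects", "Unrestricted-Parent")
PROJECTS = {"All-Projects", "Unrestricted-Parent", "demo/app"}

if __name__ == "__main__":
    print(validate_parent_change("demo/app", OLD_CFG, NEW_CFG, False, PROJECTS))
    print(validate_parent_change("demo/app", OLD_CFG, NEW_CFG, True, PROJECTS))
```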

Bug Fixes

  • Fix RequestCleanup bug with Git over HTTP

    Decide early whether a continuation is going to be used, before the filter that attempts to clean up a RequestCleanup runs. If so, don't allow entering the RequestCleanup part of the system until the request is actually going to be processed.

    This fixes the IllegalStateException "Request has already been cleaned up" that occurred when running on Jetty and pushing over HTTP to URLs whose path starts with /p/.

  • Match all git fetch/clone/push commands to the command executor

    Route not just /p/ but any Git access to the same thread pool as the SSH server is using, allowing all requests to compete fairly for resources.

  • Fix auto closing of changes on direct push

    When a commit is directly pushed into a repository (bypassing code review) and this commit has a Change-Id in its commit message then the corresponding change is automatically closed if it is open.

  • Allow assigning Push for refs/meta/config on All-Projects

    The refs/meta/config branch of the All-Projects project should only be modified by Gerrit administrators, because being able to modify this branch means the user could assign themselves administrator permissions.

    In addition to being an administrator, we already require that the administrator has the Push access right for refs/meta/config in order to modify it (just as with all other branches, administrators do not have edit permissions by default).

    The problem was that assigning the Push access right for refs/meta/config on the All-Projects project was not allowed.

    Having the Push access right for refs/meta/config on the All-Projects project without being administrator already has no effect.

    Prohibiting assignment of the Push access right for refs/meta/config on the All-Projects project was pointless anyway, since it was, for example, possible to assign the Push access right on refs/meta/* instead.