githubFork/gitblit.git - Solinfo Gitblit

parent: fe326255 | patch | commit | ignore whitespace

Fixed security hole when cloning repository with TortoiseGit (issue 28)

James Moger

2011-10-24 d40adc7553bc900328afa918f45b6d9e9c3087fb

Fixed security hole when cloning repository with TortoiseGit (issue-28)

7 files modified

	docs/00_index.mkd	3 ●●●●● patch \| view \| raw \| blame \| history
	docs/01_features.mkd	7 ●●●●● patch \| view \| raw \| blame \| history
	docs/02_rpc.mkd	4 ●●●●● patch \| view \| raw \| blame \| history
	docs/04_releases.mkd	3 ●●●●● patch \| view \| raw \| blame \| history
	src/com/gitblit/AccessRestrictionFilter.java	1 ●●●●● patch \| view \| raw \| blame \| history
	src/com/gitblit/GitFilter.java	2 ●●●●● patch \| view \| raw \| blame \| history
	tests/com/gitblit/tests/GitServletTest.java	19 ●●●●● patch \| view \| raw \| blame \| history

 docs/00_index.mkd

@@ -29,6 +29,7 @@


**%VERSION%** ([go](http://code.google.com/p/gitblit/downloads/detail?name=%GO%)|[war](http://code.google.com/p/gitblit/downloads/detail?name=%WAR%)|[fedclient](http://code.google.com/p/gitblit/downloads/detail?name=%FEDCLIENT%)|[manager](http://code.google.com/p/gitblit/downloads/detail?name=%MANAGER%)) based on [%JGIT%][jgit] &nbsp; *released %BUILDDATE%*



- **security**: fixed security hole when cloning clone-restricted repository with TortoiseGit (issue 28)

- improved: updated ui with Twitter's Bootstrap CSS toolkit  

    **New:** *web.loginMessage = gitblit*

- improved: repositories list performance by caching repository sizes (issue 27)

@@ -45,7 +46,7 @@
- fixed: collision on rename for repositories and users

- fixed: Gitblit can now browse the Linux kernel repository (issue 25)

- fixed: Gitblit now runs on Servlet 3.0 webservers (e.g. Tomcat 7, Jetty 8) (issue 23)

- fixed: Set the RSS content type for Firefox 4 (issue 22)

- fixed: Set the RSS content type of syndication feeds for Firefox 4 (issue 22)

- fixed: Null pointer exception if did not set federation strategy (issue 20)

- fixed: Gitblit GO allows SSL renegotiation if running on Java 1.6.0_22 or later

- added: IUserService.setup(IStoredSettings) for custom user service implementations


 docs/01_features.mkd

@@ -9,11 +9,12 @@
    - ![freeze](cold_16x16.png) Freeze repository (i.e. deny push, make read-only)

- Ability to federate with one or more other Gitblit instances

- JSON RPC interface

- Java/Swing Gitblit Manager tool 
- Gitweb inspired web UI

- Administrators may create, edit, rename, or delete repositories through the web UI

- Administrators may create, edit, rename, or delete users through the web UI

- Administrators may create, edit, rename, or delete repositories through the web UI or RPC interface

- Administrators may create, edit, rename, or delete users through the web UI or RPC interface

- Repository Owners may edit repositories through the web UI

- Git-notes support

- Git-notes display support

- Branch metrics (uses Google Charts)

- HEAD and Branch RSS feeds

- Blame annotations view


 docs/02_rpc.mkd

@@ -84,6 +84,7 @@
    ],

    "isFederated": false,

    "skipSizeCalculation": false,

    "skipSummaryMetrics": false,

    "size": "102 KB"

  },

  "https://localhost/git/libraries/smack.git": {

@@ -102,6 +103,7 @@
    "federationSets": [],

    "isFederated": false,

    "skipSizeCalculation": false,

    "skipSummaryMetrics": false,

    "size": "4.8 MB"

  }

}

@@ -131,6 +133,8 @@
      "libraries"

    ],

    "isFederated": false,

    "skipSizeCalculation": false,

    "skipSummaryMetrics": false,

    "size": "102 KB"

}

</pre>


 docs/04_releases.mkd

@@ -3,6 +3,7 @@
### Current Release

**%VERSION%** ([go](http://code.google.com/p/gitblit/downloads/detail?name=%GO%)|[war](http://code.google.com/p/gitblit/downloads/detail?name=%WAR%)|[fedclient](http://code.google.com/p/gitblit/downloads/detail?name=%FEDCLIENT%)|[manager](http://code.google.com/p/gitblit/downloads/detail?name=%MANAGER%)) based on [%JGIT%][jgit] &nbsp; *released %BUILDDATE%*



- **security**: fixed security hole when cloning clone-restricted repository with TortoiseGit (issue 28)

- improved: updated ui with Twitter's Bootstrap CSS toolkit  

    **New:** *web.loginMessage = gitblit*

- improved: repositories list performance by caching repository sizes (issue 27)

@@ -19,7 +20,7 @@
- fixed: collision on rename for repositories and users

- fixed: Gitblit can now browse the Linux kernel repository (issue 25)

- fixed: Gitblit now runs on Servlet 3.0 webservers (e.g. Tomcat 7, Jetty 8) (issue 23)

- fixed: Set the RSS content type for Firefox 4 (issue 22)

- fixed: Set the RSS content type of syndication feeds for Firefox 4 (issue 22)

- fixed: Null pointer exception if did not set federation strategy (issue 20)

- fixed: Gitblit GO allows SSL renegotiation if running on Java 1.6.0_22 or later

- added: IUserService.setup(IStoredSettings) for custom user service implementations


 src/com/gitblit/AccessRestrictionFilter.java

@@ -25,7 +25,6 @@
import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletResponse;



import com.gitblit.AuthenticationFilter.AuthenticatedRequest;

import com.gitblit.models.RepositoryModel;

import com.gitblit.models.UserModel;

import com.gitblit.utils.StringUtils;


 src/com/gitblit/GitFilter.java

@@ -75,6 +75,8 @@
                return gitReceivePack;

            } else if (suffix.contains("?service=git-upload-pack")) {

                return gitUploadPack;

            } else {

                return gitUploadPack;

            }

        }

        return null;


 tests/com/gitblit/tests/GitServletTest.java

@@ -12,6 +12,7 @@


import org.eclipse.jgit.api.CloneCommand;

import org.eclipse.jgit.api.Git;

import org.eclipse.jgit.transport.UsernamePasswordCredentialsProvider;

import org.eclipse.jgit.util.FileUtils;



import com.gitblit.GitBlitServer;

@@ -50,7 +51,9 @@
    }



    public void testClone() throws Exception {

        FileUtils.delete(folder, FileUtils.RECURSIVE);

        if (folder.exists()) {

            FileUtils.delete(folder, FileUtils.RECURSIVE);

        }

        CloneCommand clone = Git.cloneRepository();

        clone.setURI(MessageFormat.format("http://localhost:{0,number,#}/git/ticgit.git", port));

        clone.setDirectory(folder);

@@ -71,4 +74,18 @@
        git.push().setPushAll().call();

        git.getRepository().close();

    }

		
    public void testBogusLoginClone() throws Exception {

        File folder = new File(GitBlitSuite.REPOSITORIES, "working/gitblit");

        if (folder.exists()) {

            FileUtils.delete(folder, FileUtils.RECURSIVE);

        }

        CloneCommand clone = Git.cloneRepository();

        clone.setURI(MessageFormat.format("http://localhost:{0,number,#}/git/gitblit.git", port));

        clone.setDirectory(folder);

        clone.setBare(false);

        clone.setCloneAllBranches(true);

        clone.setCredentialsProvider(new UsernamePasswordCredentialsProvider("bogus", "bogus"));

        clone.call();

    }

}

			@@ -29,6 +29,7 @@

			%VERSION% ([go](http://code.google.com/p/gitblit/downloads/detail?name=%GO%)\|[war](http://code.google.com/p/gitblit/downloads/detail?name=%WAR%)\|[fedclient](http://code.google.com/p/gitblit/downloads/detail?name=%FEDCLIENT%)\|[manager](http://code.google.com/p/gitblit/downloads/detail?name=%MANAGER%)) based on [%JGIT%][jgit]   released %BUILDDATE%

			- security: fixed security hole when cloning clone-restricted repository with TortoiseGit (issue 28)
			- improved: updated ui with Twitter's Bootstrap CSS toolkit
			New: web.loginMessage = gitblit
			- improved: repositories list performance by caching repository sizes (issue 27)
			@@ -45,7 +46,7 @@
			- fixed: collision on rename for repositories and users
			- fixed: Gitblit can now browse the Linux kernel repository (issue 25)
			- fixed: Gitblit now runs on Servlet 3.0 webservers (e.g. Tomcat 7, Jetty 8) (issue 23)
			- fixed: Set the RSS content type for Firefox 4 (issue 22)
			- fixed: Set the RSS content type of syndication feeds for Firefox 4 (issue 22)
			- fixed: Null pointer exception if did not set federation strategy (issue 20)
			- fixed: Gitblit GO allows SSL renegotiation if running on Java 1.6.0_22 or later
			- added: IUserService.setup(IStoredSettings) for custom user service implementations

			@@ -9,11 +9,12 @@
			- ![freeze](cold_16x16.png) Freeze repository (i.e. deny push, make read-only)
			- Ability to federate with one or more other Gitblit instances
			- JSON RPC interface
			- Java/Swing Gitblit Manager tool
			- Gitweb inspired web UI
			- Administrators may create, edit, rename, or delete repositories through the web UI
			- Administrators may create, edit, rename, or delete users through the web UI
			- Administrators may create, edit, rename, or delete repositories through the web UI or RPC interface
			- Administrators may create, edit, rename, or delete users through the web UI or RPC interface
			- Repository Owners may edit repositories through the web UI
			- Git-notes support
			- Git-notes display support
			- Branch metrics (uses Google Charts)
			- HEAD and Branch RSS feeds
			- Blame annotations view

			@@ -84,6 +84,7 @@
			],
			"isFederated": false,
			"skipSizeCalculation": false,
			"skipSummaryMetrics": false,
			"size": "102 KB"
			},
			"https://localhost/git/libraries/smack.git": {
			@@ -102,6 +103,7 @@
			"federationSets": [],
			"isFederated": false,
			"skipSizeCalculation": false,
			"skipSummaryMetrics": false,
			"size": "4.8 MB"
			}
			}
			@@ -131,6 +133,8 @@
			"libraries"
			],
			"isFederated": false,
			"skipSizeCalculation": false,
			"skipSummaryMetrics": false,
			"size": "102 KB"
			}
			</pre>

			@@ -3,6 +3,7 @@
			### Current Release
			%VERSION% ([go](http://code.google.com/p/gitblit/downloads/detail?name=%GO%)\|[war](http://code.google.com/p/gitblit/downloads/detail?name=%WAR%)\|[fedclient](http://code.google.com/p/gitblit/downloads/detail?name=%FEDCLIENT%)\|[manager](http://code.google.com/p/gitblit/downloads/detail?name=%MANAGER%)) based on [%JGIT%][jgit]   released %BUILDDATE%

			- security: fixed security hole when cloning clone-restricted repository with TortoiseGit (issue 28)
			- improved: updated ui with Twitter's Bootstrap CSS toolkit
			New: web.loginMessage = gitblit
			- improved: repositories list performance by caching repository sizes (issue 27)
			@@ -19,7 +20,7 @@
			- fixed: collision on rename for repositories and users
			- fixed: Gitblit can now browse the Linux kernel repository (issue 25)
			- fixed: Gitblit now runs on Servlet 3.0 webservers (e.g. Tomcat 7, Jetty 8) (issue 23)
			- fixed: Set the RSS content type for Firefox 4 (issue 22)
			- fixed: Set the RSS content type of syndication feeds for Firefox 4 (issue 22)
			- fixed: Null pointer exception if did not set federation strategy (issue 20)
			- fixed: Gitblit GO allows SSL renegotiation if running on Java 1.6.0_22 or later
			- added: IUserService.setup(IStoredSettings) for custom user service implementations

			@@ -25,7 +25,6 @@
			import javax.servlet.http.HttpServletRequest;
			import javax.servlet.http.HttpServletResponse;

			import com.gitblit.AuthenticationFilter.AuthenticatedRequest;
			import com.gitblit.models.RepositoryModel;
			import com.gitblit.models.UserModel;
			import com.gitblit.utils.StringUtils;

			@@ -75,6 +75,8 @@
			return gitReceivePack;
			} else if (suffix.contains("?service=git-upload-pack")) {
			return gitUploadPack;
			} else {
			return gitUploadPack;
			}
			}
			return null;

			@@ -12,6 +12,7 @@

			import org.eclipse.jgit.api.CloneCommand;
			import org.eclipse.jgit.api.Git;
			import org.eclipse.jgit.transport.UsernamePasswordCredentialsProvider;
			import org.eclipse.jgit.util.FileUtils;

			import com.gitblit.GitBlitServer;
			@@ -50,7 +51,9 @@
			}

			public void testClone() throws Exception {
			FileUtils.delete(folder, FileUtils.RECURSIVE);
			if (folder.exists()) {
			FileUtils.delete(folder, FileUtils.RECURSIVE);
			}
			CloneCommand clone = Git.cloneRepository();
			clone.setURI(MessageFormat.format("http://localhost:{0,number,#}/git/ticgit.git", port));
			clone.setDirectory(folder);
			@@ -71,4 +74,18 @@
			git.push().setPushAll().call();
			git.getRepository().close();
			}

			public void testBogusLoginClone() throws Exception {
			File folder = new File(GitBlitSuite.REPOSITORIES, "working/gitblit");
			if (folder.exists()) {
			FileUtils.delete(folder, FileUtils.RECURSIVE);
			}
			CloneCommand clone = Git.cloneRepository();
			clone.setURI(MessageFormat.format("http://localhost:{0,number,#}/git/gitblit.git", port));
			clone.setDirectory(folder);
			clone.setBare(false);
			clone.setCloneAllBranches(true);
			clone.setCredentialsProvider(new UsernamePasswordCredentialsProvider("bogus", "bogus"));
			clone.call();
			}
			}