| distrib/gitblit.properties | ●●●●● patch | view | raw | blame | history | |
| docs/00_index.mkd | ●●●●● patch | view | raw | blame | history | |
| docs/04_releases.mkd | ●●●●● patch | view | raw | blame | history | |
| src/com/gitblit/FileUserService.java | ●●●●● patch | view | raw | blame | history | |
| src/com/gitblit/client/EditUserDialog.java | ●●●●● patch | view | raw | blame | history | |
| src/com/gitblit/utils/StringUtils.java | ●●●●● patch | view | raw | blame | history | |
| src/com/gitblit/wicket/pages/ChangePasswordPage.java | ●●●●● patch | view | raw | blame | history | |
| src/com/gitblit/wicket/pages/EditUserPage.java | ●●●●● patch | view | raw | blame | history |
distrib/gitblit.properties
@@ -59,7 +59,9 @@ realm.userService = users.properties # How to store passwords. # Valid values are plain or md5. Default is md5. # Valid values are plain, md5, or combined-md5. md5 is the hash of password. # combined-md5 is the hash of username.toLowerCase()+password. # Default is md5. # # SINCE 0.5.0 realm.passwordStorage = md5 docs/00_index.mkd
@@ -41,6 +41,10 @@ - added: Gitblit Manager (Java/Swing Application) for remote administration of a Gitblit server. - added: per-repository setting to skip size calculation (faster repositories page loading) - added: per-repository setting to skip summary metrics calculation (faster summary page loading) - added: IUserService.setup(IStoredSettings) for custom user service implementations - added: setting to control Gitblit GO context path for proxy setups **New:** *server.contextPath = /* - added: *combined-md5* password storage option which stores the hash of username+password as the password - fixed: federation protocol timestamps. dates are now serialized to the [iso8601](http://en.wikipedia.org/wiki/ISO_8601) standard. **This breaks 0.6.0 federation clients/servers.** - fixed: collision on rename for repositories and users @@ -49,9 +53,6 @@ - fixed: Set the RSS content type of syndication feeds for Firefox 4 (issue 22) - fixed: Null pointer exception if did not set federation strategy (issue 20) - fixed: Gitblit GO allows SSL renegotiation if running on Java 1.6.0_22 or later - added: IUserService.setup(IStoredSettings) for custom user service implementations - added: setting to control Gitblit GO context path for proxy setups **New:** *server.contextPath = /* - updated: MarkdownPapers 1.2.4 issues, binaries, and sources @ [Google Code][googlecode]<br/> docs/04_releases.mkd
@@ -15,6 +15,10 @@ - added: Gitblit Manager (Java/Swing Application) for remote administration of a Gitblit server. - added: per-repository setting to skip size calculation (faster repositories page loading) - added: per-repository setting to skip summary metrics calculation (faster summary page loading) - added: IUserService.setup(IStoredSettings) for custom user service implementations - added: setting to control Gitblit GO context path for proxy setups **New:** *server.contextPath = /* - added: *combined-md5* password storage option which stores the hash of username+password as the password - fixed: federation protocol timestamps. dates are now serialized to the [iso8601](http://en.wikipedia.org/wiki/ISO_8601) standard. **This breaks 0.6.0 federation clients/servers.** - fixed: collision on rename for repositories and users @@ -23,9 +27,6 @@ - fixed: Set the RSS content type of syndication feeds for Firefox 4 (issue 22) - fixed: Null pointer exception if did not set federation strategy (issue 20) - fixed: Gitblit GO allows SSL renegotiation if running on Java 1.6.0_22 or later - added: IUserService.setup(IStoredSettings) for custom user service implementations - added: setting to control Gitblit GO context path for proxy setups **New:** *server.contextPath = /* - updated: MarkdownPapers 1.2.4 ### Older Releases src/com/gitblit/FileUserService.java
@@ -126,11 +126,20 @@ UserModel returnedUser = null; UserModel user = getUserModel(username); if (user.password.startsWith(StringUtils.MD5_TYPE)) { // password digest String md5 = StringUtils.MD5_TYPE + StringUtils.getMD5(new String(password)); if (user.password.equalsIgnoreCase(md5)) { returnedUser = user; } } else if (user.password.startsWith(StringUtils.COMBINED_MD5_TYPE)) { // username+password digest String md5 = StringUtils.COMBINED_MD5_TYPE + StringUtils.getMD5(username.toLowerCase() + new String(password)); if (user.password.equalsIgnoreCase(md5)) { returnedUser = user; } } else if (user.password.equals(new String(password))) { // plain-text password returnedUser = user; } return returnedUser; src/com/gitblit/client/EditUserDialog.java
@@ -191,6 +191,7 @@ return false; } boolean rename = false; // verify username uniqueness on create if (isCreate) { if (usernames.contains(uname.toLowerCase())) { @@ -199,7 +200,8 @@ } } else { // check rename collision if (!username.equalsIgnoreCase(uname)) { rename = !StringUtils.isEmpty(username) && !username.equalsIgnoreCase(uname); if (rename) { if (usernames.contains(uname.toLowerCase())) { error(MessageFormat.format( "Failed to rename ''{0}'' because ''{1}'' already exists.", username, @@ -208,34 +210,51 @@ } } } user.username = uname; int minLength = settings.get(Keys.realm.minPasswordLength).getInteger(5); if (minLength < 4) { minLength = 4; } char[] pw = passwordField.getPassword(); if (pw == null || pw.length < minLength) { String password = new String(passwordField.getPassword()); if (StringUtils.isEmpty(password) || password.length() < minLength) { error(MessageFormat.format("Password is too short. Minimum length is {0} characters.", minLength)); return false; } char[] cpw = confirmPasswordField.getPassword(); if (cpw == null || cpw.length != pw.length) { error("Please confirm the password!"); if (!password.toUpperCase().startsWith(StringUtils.MD5_TYPE) && !password.toUpperCase().startsWith(StringUtils.COMBINED_MD5_TYPE)) { String cpw = new String(confirmPasswordField.getPassword()); if (cpw == null || cpw.length() != password.length()) { error("Please confirm the password!"); return false; } if (!password.equals(cpw)) { error("Passwords do not match!"); return false; } String type = settings.get(Keys.realm.passwordStorage).getString("md5"); if (type.equalsIgnoreCase("md5")) { // store MD5 digest of password user.password = StringUtils.MD5_TYPE + StringUtils.getMD5(password); } else if (type.equalsIgnoreCase("combined-md5")) { // store MD5 digest of username+password user.password = StringUtils.COMBINED_MD5_TYPE + StringUtils.getMD5(username.toLowerCase() + password); } else { // plain-text password user.password = password; } } else if (rename && password.toUpperCase().startsWith(StringUtils.COMBINED_MD5_TYPE)) { error("Gitblit is configured for combined-md5 password hashing. You must enter a new password on account rename."); return false; } if (!Arrays.equals(pw, cpw)) { error("Passwords do not match!"); return false; } user.username = uname; String type = settings.get(Keys.realm.passwordStorage).getString("md5"); if (type.equalsIgnoreCase("md5")) { // store MD5 digest of password user.password = StringUtils.MD5_TYPE + StringUtils.getMD5(new String(pw)); } else { user.password = new String(pw); // no change in password user.password = password; } user.canAdmin = canAdminCheckbox.isSelected(); user.excludeFromFederation = notFederatedCheckbox.isSelected();
@@ -33,6 +33,8 @@ public class StringUtils { public static final String MD5_TYPE = "MD5:"; public static final String COMBINED_MD5_TYPE = "CMD5:"; /** * Returns true if the string is null or empty. src/com/gitblit/wicket/pages/ChangePasswordPage.java
@@ -77,14 +77,19 @@ return; } UserModel user = GitBlitWebSession.get().getUser(); // convert to MD5 digest, if appropriate String type = GitBlit.getString(Keys.realm.passwordStorage, "md5"); if (type.equalsIgnoreCase("md5")) { // store MD5 digest of password password = StringUtils.MD5_TYPE + StringUtils.getMD5(password); } else if (type.equalsIgnoreCase("combined-md5")) { // store MD5 digest of username+password password = StringUtils.COMBINED_MD5_TYPE + StringUtils.getMD5(user.username.toLowerCase() + password); } UserModel user = GitBlitWebSession.get().getUser(); user.password = password; try { GitBlit.self().updateUserModel(user.username, user, false); src/com/gitblit/wicket/pages/EditUserPage.java
@@ -70,7 +70,7 @@ } else { super.setupPage(getString("gb.edit"), userModel.username); } final Model<String> confirmPassword = new Model<String>( StringUtils.isEmpty(userModel.password) ? "" : userModel.password); CompoundPropertyModel<UserModel> model = new CompoundPropertyModel<UserModel>(userModel); @@ -109,12 +109,14 @@ return; } } boolean rename = !StringUtils.isEmpty(oldName) && !oldName.equalsIgnoreCase(username); if (!userModel.password.equals(confirmPassword.getObject())) { error("Passwords do not match!"); return; } String password = userModel.password; if (!password.toUpperCase().startsWith(StringUtils.MD5_TYPE)) { if (!password.toUpperCase().startsWith(StringUtils.MD5_TYPE) && !password.toUpperCase().startsWith(StringUtils.COMBINED_MD5_TYPE)) { // This is a plain text password. // Check length. int minLength = GitBlit.getInteger(Keys.realm.minPasswordLength, 5); @@ -134,7 +136,15 @@ // store MD5 digest of password userModel.password = StringUtils.MD5_TYPE + StringUtils.getMD5(userModel.password); } else if (type.equalsIgnoreCase("combined-md5")) { // store MD5 digest of username+password userModel.password = StringUtils.COMBINED_MD5_TYPE + StringUtils.getMD5(username.toLowerCase() + userModel.password); } } else if (rename && password.toUpperCase().startsWith(StringUtils.COMBINED_MD5_TYPE)) { error("Gitblit is configured for combined-md5 password hashing. You must enter a new password on account rename."); return; } Iterator<String> selectedRepositories = repositories.getSelectedChoices();
