githubFork/gitblit.git - Solinfo Gitblit

			@@ -4,6 +4,10 @@

			%VERSION% ([go](http://code.google.com/p/gitblit/downloads/detail?name=%GO%) \| [war](http://code.google.com/p/gitblit/downloads/detail?name=%WAR%) \| [express](http://code.google.com/p/gitblit/downloads/detail?name=%EXPRESS%) \| [fedclient](http://code.google.com/p/gitblit/downloads/detail?name=%FEDCLIENT%) \| [manager](http://code.google.com/p/gitblit/downloads/detail?name=%MANAGER%) \| [api](http://code.google.com/p/gitblit/downloads/detail?name=%API%)) based on [%JGIT%][jgit]   released %BUILDDATE%

			#### security

			- Fixed session fixation vulnerability where the session identifier was not reset during the login process (issue 62)

			#### changes

			- block pushes to a repository with a working copy (i.e. non-bare repository) (issue-49)

			@@ -80,7 +80,10 @@
			// Login the user
			if (user != null) {
			// Set the user into the session
			GitBlitWebSession.get().setUser(user);
			GitBlitWebSession session = GitBlitWebSession.get();
			// issue 62: fix session fixation vulnerability
			session.replaceSession();
			session.setUser(user);

			// Set Cookie
			WebResponse response = (WebResponse) getRequestCycle().getResponse();

			@@ -195,7 +195,10 @@
			private void loginUser(UserModel user) {
			if (user != null) {
			// Set the user into the session
			GitBlitWebSession.get().setUser(user);
			GitBlitWebSession session = GitBlitWebSession.get();
			// issue 62: fix session fixation vulnerability
			session.replaceSession();
			session.setUser(user);

			// Set Cookie
			if (GitBlit.getBoolean(Keys.web.allowCookieAuthentication, false)) {

	docs/04_releases.mkd	4 ●●●●● patch \| view \| raw \| blame \| history
	src/com/gitblit/wicket/pages/BasePage.java	5 ●●●●● patch \| view \| raw \| blame \| history
	src/com/gitblit/wicket/pages/RootPage.java	5 ●●●●● patch \| view \| raw \| blame \| history