From 0e44acbb2fec928a1606dc60f427a148fff405c9 Mon Sep 17 00:00:00 2001
From: Mohamed Ragab <moragab@gmail.com>
Date: Wed, 02 May 2012 11:15:01 -0400
Subject: [PATCH] Added a script to facilitate setting the proxy host and port and no proxy hosts, and then it concatenates all the java system properties for setting the java proxy configurations and puts the resulting string in an environment variable JAVA_PROXY_CONFIG, modified the scripts gitblit, gitblit-ubuntu, and gitblit-centos to source the java-proxy-config.sh script and then include the resulting java proxy configuration in the java command
---
src/com/gitblit/wicket/pages/BasePage.java | 32 ++++++++++++++++++++++++++++----
1 files changed, 28 insertions(+), 4 deletions(-)
diff --git a/src/com/gitblit/wicket/pages/BasePage.java b/src/com/gitblit/wicket/pages/BasePage.java
index 80bff16..94ed633 100644
--- a/src/com/gitblit/wicket/pages/BasePage.java
+++ b/src/com/gitblit/wicket/pages/BasePage.java
@@ -22,6 +22,7 @@
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
+import org.apache.wicket.Application;
import org.apache.wicket.MarkupContainer;
import org.apache.wicket.PageParameters;
import org.apache.wicket.RestartResponseAtInterceptPageException;
@@ -64,6 +65,24 @@
logger = LoggerFactory.getLogger(getClass());
loginByCookie();
}
+
+ @Override
+ protected void onBeforeRender() {
+ if (GitBlit.isDebugMode()) {
+ // strip Wicket tags in debug mode for jQuery DOM traversal
+ Application.get().getMarkupSettings().setStripWicketTags(true);
+ }
+ super.onBeforeRender();
+ }
+
+ @Override
+ protected void onAfterRender() {
+ if (GitBlit.isDebugMode()) {
+ // restore Wicket debug tags
+ Application.get().getMarkupSettings().setStripWicketTags(false);
+ }
+ super.onAfterRender();
+ }
private void loginByCookie() {
if (!GitBlit.getBoolean(Keys.web.allowCookieAuthentication, false)) {
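Review bot: `Application.get().getMarkupSettings()` in the new `onBeforeRender()`/`onAfterRender()` is application-wide state, so toggling `setStripWicketTags` per page render is not confined to the page being rendered. With two requests rendering concurrently in debug mode, one page's `onAfterRender()` can switch stripping off while the other is still rendering. If a render fails before `onAfterRender()` runs, the setting presumably stays at `true` until the next successful render. Since this only applies when `GitBlit.isDebugMode()` is true, the simplest option is to set the flag once at application start-up; otherwise add a comment such as `// markup settings are shared by all pages; this toggle is not thread-safe and is meant for single-user debugging only`.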
@@ -80,7 +99,10 @@
// Login the user
if (user != null) {
// Set the user into the session
- GitBlitWebSession.get().setUser(user);
+ GitBlitWebSession session = GitBlitWebSession.get();
+ // issue 62: fix session fixation vulnerability
+ session.replaceSession();
+ session.setUser(user);
// Set Cookie
WebResponse response = (WebResponse) getRequestCycle().getResponse();
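Review bot: The session-fixation fix in `loginByCookie()` covers only the cookie-authentication path, and this patch touches no other file, so any other place that calls `GitBlitWebSession.get().setUser(...)` after authenticating (for example an interactive login page, not visible here) would still keep the pre-login session id. Each such path needs the same `session.replaceSession();` before `setUser`. The ordering here is right and worth stating in the comment, e.g. `// issue 62: replace the session id before binding the user so a pre-login id never carries an authenticated session`. The body of `loginByCookie()` starts and ends outside this hunk.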
@@ -159,7 +181,7 @@
protected TimeZone getTimeZone() {
return GitBlit.getBoolean(Keys.web.useClientTimezone, false) ? GitBlitWebSession.get()
- .getTimezone() : TimeZone.getDefault();
+ .getTimezone() : GitBlit.getTimezone();
}
protected String getServerName() {
@@ -232,9 +254,11 @@
add(new Label("username", GitBlitWebSession.get().getUser().toString() + ":"));
add(new LinkPanel("loginLink", null, markupProvider.getString("gb.logout"),
LogoutPage.class));
+ boolean editCredentials = GitBlit.self().supportsCredentialChanges();
// quick and dirty hack for showing a separator
- add(new Label("separator", "|"));
- add(new BookmarkablePageLink<Void>("changePasswordLink", ChangePasswordPage.class));
+ add(new Label("separator", "|").setVisible(editCredentials));
+ add(new BookmarkablePageLink<Void>("changePasswordLink",
+ ChangePasswordPage.class).setVisible(editCredentials));
} else {
// login
add(new Label("username").setVisible(false));
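Review bot: Hiding `changePasswordLink` with `.setVisible(editCredentials)` only removes the link from the header. `ChangePasswordPage` is a bookmarkable page and can still be requested directly by URL. Unless that page already checks `GitBlit.self().supportsCredentialChanges()` itself (not visible in this patch), a user can reach the change-password form on a backend that is not meant to allow credential changes. The check belongs in `ChangePasswordPage` as well, rejecting or redirecting when it returns false, with the visibility flag kept as a UI convenience. The enclosing method starts and ends outside this hunk.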
--
Gitblit v1.9.1