From b76107bb240c54ba4d4c8e1d2badd412e5c473fa Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Tue, 04 Nov 2014 17:23:50 -0500
Subject: [PATCH] Whitelist the "target" link attribute in the XSS filter
---
src/main/java/com/gitblit/auth/RedmineAuthProvider.java | 7 ++++---
1 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/main/java/com/gitblit/auth/RedmineAuthProvider.java b/src/main/java/com/gitblit/auth/RedmineAuthProvider.java
index 7e957ec..ae4f28e 100644
--- a/src/main/java/com/gitblit/auth/RedmineAuthProvider.java
+++ b/src/main/java/com/gitblit/auth/RedmineAuthProvider.java
@@ -19,7 +19,7 @@
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
-import org.apache.wicket.util.io.IOUtils;
+import org.apache.commons.io.IOUtils;
import com.gitblit.Constants;
import com.gitblit.Constants.AccountType;
@@ -153,15 +153,16 @@
if (!url.endsWith("/")) {
url = url.concat("/");
}
+ String apiUrl = url + "users/current.json";
+
HttpURLConnection http;
if (username == null) {
// apikey authentication
String apiKey = String.valueOf(password);
- String apiUrl = url + "users/current.json?key=" + apiKey;
http = (HttpURLConnection) ConnectionUtils.openConnection(apiUrl, null, null);
+ http.addRequestProperty("X-Redmine-API-Key", apiKey);
} else {
// username/password BASIC authentication
- String apiUrl = url + "users/current.json";
http = (HttpURLConnection) ConnectionUtils.openConnection(apiUrl, username, password);
}
http.setRequestMethod("GET");
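Review bot: Nothing visible in this hunk checks that `url` uses `https://` before the `X-Redmine-API-Key` header or the BASIC credentials in the else branch are sent, so with an `http://` Redmine URL both would travel in cleartext. The URL is built outside the hunk and the enclosing method starts and ends outside it, so such a check may already exist elsewhere. If it does not, a guard or a logged warning before `openConnection`, for example `if (!url.startsWith("https://")) { /* warn: credentials sent unencrypted */ }`, would make the risk visible to the administrator. `http.setRequestProperty("X-Redmine-API-Key", apiKey);` would also be slightly more robust than `addRequestProperty`, because it replaces rather than appends if the connection already carries that header. A short comment such as `// send the key as a header so it never appears in URLs written to access or proxy logs` would record why the query parameter was dropped.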
--
Gitblit v1.9.1