From b76107bb240c54ba4d4c8e1d2badd412e5c473fa Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Tue, 04 Nov 2014 17:23:50 -0500
Subject: [PATCH] Whitelist the "target" link attribute in the XSS filter
---
src/main/java/com/gitblit/manager/RuntimeManager.java | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++------
1 files changed, 54 insertions(+), 6 deletions(-)
diff --git a/src/main/java/com/gitblit/manager/RuntimeManager.java b/src/main/java/com/gitblit/manager/RuntimeManager.java
index 52f4d67..219bf80 100644
--- a/src/main/java/com/gitblit/manager/RuntimeManager.java
+++ b/src/main/java/com/gitblit/manager/RuntimeManager.java
@@ -32,12 +32,15 @@
import com.gitblit.models.ServerStatus;
import com.gitblit.models.SettingModel;
import com.gitblit.utils.StringUtils;
+import com.gitblit.utils.XssFilter;
public class RuntimeManager implements IRuntimeManager {
private final Logger logger = LoggerFactory.getLogger(getClass());
private final IStoredSettings settings;
+
+ private final XssFilter xssFilter;
private final ServerStatus serverStatus;
@@ -47,14 +50,15 @@
private TimeZone timezone;
- public RuntimeManager(IStoredSettings settings) {
- this(settings, null);
+ public RuntimeManager(IStoredSettings settings, XssFilter xssFilter) {
+ this(settings, xssFilter, null);
}
- public RuntimeManager(IStoredSettings settings, File baseFolder) {
+ public RuntimeManager(IStoredSettings settings, XssFilter xssFilter, File baseFolder) {
this.settings = settings;
this.settingsModel = new ServerSettings();
this.serverStatus = new ServerStatus();
+ this.xssFilter = xssFilter;
this.baseFolder = baseFolder == null ? new File("") : baseFolder;
}
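Review bot: `this.xssFilter = xssFilter;` stores the filter without a null check, so a caller passing null gets a manager whose `getXssFilter()` returns null and the failure surfaces later as an NPE at whichever call site tries to sanitize markup, rather than at construction. Because this filter is what keeps untrusted HTML out of rendered pages, failing fast is preferable: `this.xssFilter = Objects.requireNonNull(xssFilter, "xssFilter");` (with `import java.util.Objects;` if it is not already among the imports above this hunk). If a null filter is meant to be legal for some configurations, then the getter added in the last hunk should say so instead, e.g. `@return the XSS filter, or {@code null} if none was configured`. The other callers of these constructors are outside this patch, so I cannot tell which contract is intended.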
@@ -119,9 +123,42 @@
*/
@Override
public boolean isServingRepositories() {
- return settings.getBoolean(Keys.git.enableGitServlet, true)
- || (settings.getInteger(Keys.git.daemonPort, 0) > 0)
- || (settings.getInteger(Keys.git.sshPort, 0) > 0);
+ return isServingHTTP()
+ || isServingGIT()
+ || isServingSSH();
+ }
+
+ /**
+ * Determine if this Gitblit instance is actively serving git repositories
+ * over the HTTP protocol.
+ *
+ * @return true if Gitblit is serving repositories over the HTTP protocol
+ */
+ @Override
+ public boolean isServingHTTP() {
+ return settings.getBoolean(Keys.git.enableGitServlet, true);
+ }
+
+ /**
+ * Determine if this Gitblit instance is actively serving git repositories
+ * over the Git Daemon protocol.
+ *
+ * @return true if Gitblit is serving repositories over the Git Daemon protocol
+ */
+ @Override
+ public boolean isServingGIT() {
+ return settings.getInteger(Keys.git.daemonPort, 0) > 0;
+ }
+
+ /**
+ * Determine if this Gitblit instance is actively serving git repositories
+ * over the SSH protocol.
+ *
+ * @return true if Gitblit is serving repositories over the SSH protocol
+ */
+ @Override
+ public boolean isServingSSH() {
+ return settings.getInteger(Keys.git.sshPort, 0) > 0;
}
/**
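Review bot: The three new accessors `isServingHTTP`, `isServingGIT` and `isServingSSH` carry `@Override`, which only compiles if `IRuntimeManager` declares them, yet the diffstat at the top lists RuntimeManager.java as the only changed file; if the interface change is in a separate commit this is fine, otherwise the patch does not build on its own. The split itself preserves the previous boolean expression exactly. One documentation nit: `isServingHTTP()` answers `true` when the setting is absent, which the Javadoc does not mention and which matters to anyone auditing which protocols are exposed by default — I would add `* Defaults to {@code true} when {@code Keys.git.enableGitServlet} is not set.` to its Javadoc.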
@@ -229,4 +266,15 @@
serverStatus.heapFree = Runtime.getRuntime().freeMemory();
return serverStatus;
}
+
+ /**
+ * Returns the XSS filter.
+ *
+ * @return the XSS filter
+ */
+ @Override
+ public XssFilter getXssFilter() {
+ return xssFilter;
+ }
+
}
--
Gitblit v1.9.1