From b76107bb240c54ba4d4c8e1d2badd412e5c473fa Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Tue, 04 Nov 2014 17:23:50 -0500
Subject: [PATCH] Whitelist the "target" link attribute in the XSS filter

---
 src/main/java/com/gitblit/servlet/AuthenticationFilter.java |   31 ++++++++++---------------------
 1 files changed, 10 insertions(+), 21 deletions(-)

diff --git a/src/main/java/com/gitblit/servlet/AuthenticationFilter.java b/src/main/java/com/gitblit/servlet/AuthenticationFilter.java
index 54c7014..c21f869 100644
--- a/src/main/java/com/gitblit/servlet/AuthenticationFilter.java
+++ b/src/main/java/com/gitblit/servlet/AuthenticationFilter.java
@@ -21,7 +21,6 @@
 import java.util.HashMap;
 import java.util.Map;
 
-import javax.servlet.Filter;
 import javax.servlet.FilterChain;
 import javax.servlet.FilterConfig;
 import javax.servlet.ServletException;
@@ -36,10 +35,13 @@
 import org.slf4j.LoggerFactory;
 
 import com.gitblit.Constants;
+import com.gitblit.dagger.DaggerFilter;
 import com.gitblit.manager.IAuthenticationManager;
 import com.gitblit.models.UserModel;
 import com.gitblit.utils.DeepCopier;
 import com.gitblit.utils.StringUtils;
+
+import dagger.ObjectGraph;
 
 /**
  * The AuthenticationFilter is a servlet filter that preprocesses requests that
@@ -50,7 +52,7 @@
  * @author James Moger
  *
  */
-public abstract class AuthenticationFilter implements Filter {
+public abstract class AuthenticationFilter extends DaggerFilter {
 
 	protected static final String CHALLENGE = "Basic realm=\"" + Constants.NAME + "\"";
 
@@ -58,10 +60,11 @@
 
 	protected transient Logger logger = LoggerFactory.getLogger(getClass());
 
-	protected final IAuthenticationManager authenticationManager;
+	protected IAuthenticationManager authenticationManager;
 
-	protected AuthenticationFilter(IAuthenticationManager authenticationManager) {
-		this.authenticationManager = authenticationManager;
+	@Override
+	protected void inject(ObjectGraph dagger, FilterConfig filterConfig) {
+		this.authenticationManager = dagger.get(IAuthenticationManager.class);
 	}
 
 	/**
@@ -138,20 +141,6 @@
 	}
 
 	/**
-	 * @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
-	 */
-	@Override
-	public void init(final FilterConfig config) throws ServletException {
-	}
-
-	/**
-	 * @see javax.servlet.Filter#destroy()
-	 */
-	@Override
-	public void destroy() {
-	}
-
-	/**
 	 * Wraps a standard HttpServletRequest and overrides user principal methods.
 	 */
 	public static class AuthenticatedRequest extends HttpServletRequestWrapper {
@@ -184,7 +173,7 @@
 			// Gitblit does not currently use actual roles in the traditional
 			// servlet container sense.  That is the reason this is marked
 			// deprecated, but I may want to revisit this.
-			return user.canAccessRepository(role);
+			return user.hasRepositoryPermission(role);
 		}
 
 		@Override
@@ -192,4 +181,4 @@
 			return user;
 		}
 	}
-}
\ No newline at end of file
+}

--
Gitblit v1.9.1