From b76107bb240c54ba4d4c8e1d2badd412e5c473fa Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Tue, 04 Nov 2014 17:23:50 -0500
Subject: [PATCH] Whitelist the "target" link attribute in the XSS filter
---
src/main/java/com/gitblit/servlet/GitblitContext.java | 119 ++++++++++++++++++++++++++++++++++++++++++++++++-----------
1 files changed, 96 insertions(+), 23 deletions(-)
diff --git a/src/main/java/com/gitblit/servlet/GitblitContext.java b/src/main/java/com/gitblit/servlet/GitblitContext.java
index 682b590..e5c59bd 100644
--- a/src/main/java/com/gitblit/servlet/GitblitContext.java
+++ b/src/main/java/com/gitblit/servlet/GitblitContext.java
@@ -38,15 +38,18 @@
import com.gitblit.Keys;
import com.gitblit.WebXmlSettings;
import com.gitblit.dagger.DaggerContext;
+import com.gitblit.extensions.LifeCycleListener;
import com.gitblit.manager.IAuthenticationManager;
import com.gitblit.manager.IFederationManager;
import com.gitblit.manager.IGitblit;
import com.gitblit.manager.IManager;
import com.gitblit.manager.INotificationManager;
+import com.gitblit.manager.IPluginManager;
import com.gitblit.manager.IProjectManager;
import com.gitblit.manager.IRepositoryManager;
import com.gitblit.manager.IRuntimeManager;
import com.gitblit.manager.IUserManager;
+import com.gitblit.transport.ssh.IPublicKeyManager;
import com.gitblit.utils.ContainerUtils;
import com.gitblit.utils.StringUtils;
@@ -77,9 +80,7 @@
* Construct a Gitblit WAR/Express context.
*/
public GitblitContext() {
- this.goSettings = null;
- this.goBaseFolder = null;
- gitblit = this;
+ this(null, null);
}
/**
@@ -149,7 +150,11 @@
String contextRealPath = context.getRealPath("/");
File contextFolder = (contextRealPath != null) ? new File(contextRealPath) : null;
- if (!StringUtils.isEmpty(System.getenv("OPENSHIFT_DATA_DIR"))) {
+ // if the base folder dosen't match the default assume they don't want to use express,
+ // this allows for other containers to customise the basefolder per context.
+ String defaultBase = Constants.contextFolder$ + "/WEB-INF/data";
+ String base = getBaseFolderPath(defaultBase);
+ if (!StringUtils.isEmpty(System.getenv("OPENSHIFT_DATA_DIR")) && defaultBase.equals(base)) {
// RedHat OpenShift
baseFolder = configureExpress(context, webxmlSettings, contextFolder, runtimeSettings);
} else {
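Review bot: Nothing is logged when `defaultBase.equals(base)` is false, so with OPENSHIFT_DATA_DIR set the Express configuration is skipped silently whenever GITBLIT_HOME or the JNDI `baseFolder` entry supplies a value. The folder that holds gitblit.properties is then chosen by whichever of those sources wins, with no record of it. Logging the resolved value before the branch would make the decision auditable, for example `logger.info("resolved baseFolder: " + base);`. `base` is used only for this comparison, and the WAR configuration hunk further down calls getBaseFolderPath again, so the JNDI lookup and its error log for a missing entry appear to run twice per startup. The enclosing method starts and ends outside this hunk.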
@@ -170,23 +175,75 @@
runtime.start();
managers.add(runtime);
+ // create the plugin manager instance but do not start it
+ loadManager(injector, IPluginManager.class);
+
// start all other managers
startManager(injector, INotificationManager.class);
startManager(injector, IUserManager.class);
startManager(injector, IAuthenticationManager.class);
+ startManager(injector, IPublicKeyManager.class);
startManager(injector, IRepositoryManager.class);
startManager(injector, IProjectManager.class);
startManager(injector, IFederationManager.class);
startManager(injector, IGitblit.class);
+ // start the plugin manager last so that plugins can depend on
+ // deterministic access to all other managers in their start() methods
+ startManager(injector, IPluginManager.class);
+
logger.info("");
logger.info("All managers started.");
logger.info("");
+
+ IPluginManager pluginManager = injector.get(IPluginManager.class);
+ for (LifeCycleListener listener : pluginManager.getExtensions(LifeCycleListener.class)) {
+ try {
+ listener.onStartup();
+ } catch (Throwable t) {
+ logger.error(null, t);
+ }
+ }
+ }
+
+ private String lookupBaseFolderFromJndi() {
+ try {
+ // try to lookup JNDI env-entry for the baseFolder
+ InitialContext ic = new InitialContext();
+ Context env = (Context) ic.lookup("java:comp/env");
+ return (String) env.lookup("baseFolder");
+ } catch (NamingException n) {
+ logger.error("Failed to get JNDI env-entry: " + n.getExplanation());
+ }
+ return null;
+ }
+
+ protected String getBaseFolderPath(String defaultBaseFolder) {
+ // try a system property or a JNDI property
+ String specifiedBaseFolder = System.getProperty("GITBLIT_HOME", lookupBaseFolderFromJndi());
+
+ if (!StringUtils.isEmpty(System.getenv("GITBLIT_HOME"))) {
+ // try an environment variable
+ specifiedBaseFolder = System.getenv("GITBLIT_HOME");
+ }
+
+ if (!StringUtils.isEmpty(specifiedBaseFolder)) {
+ // use specified base folder path
+ return specifiedBaseFolder;
+ }
+
+ // use default base folder path
+ return defaultBaseFolder;
+ }
+
+ protected <X extends IManager> X loadManager(ObjectGraph injector, Class<X> clazz) {
+ X x = injector.get(clazz);
+ return x;
}
protected <X extends IManager> X startManager(ObjectGraph injector, Class<X> clazz) {
+ X x = loadManager(injector, clazz);
logManager(clazz);
- X x = injector.get(clazz);
x.start();
managers.add(x);
return x;
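Review bot: `logger.error(null, t)` in the onStartup loop records a plugin failure with no message, so the log does not say which LifeCycleListener threw; the same call appears in the onShutdown loop added to destroyContext. Naming the listener would help triage, e.g. `logger.error("LifeCycleListener " + listener.getClass().getName() + " failed in onStartup", t);`. Catching Throwable also absorbs Errors raised by plugin code; if isolating the server from plugin faults is the intent, a one-line comment saying so would document it. In getBaseFolderPath, `System.getProperty("GITBLIT_HOME", lookupBaseFolderFromJndi())` evaluates the JNDI lookup even when the system property is set, so a missing env-entry is logged at error level on every call, and the method has no Javadoc stating the precedence (environment variable, then system property, then JNDI, then default). The method holding the startup loop begins before this hunk and startManager's closing brace is outside it.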
@@ -204,6 +261,16 @@
@Override
protected void destroyContext(ServletContext context) {
logger.info("Gitblit context destroyed by servlet container.");
+
+ IPluginManager pluginManager = getManager(IPluginManager.class);
+ for (LifeCycleListener listener : pluginManager.getExtensions(LifeCycleListener.class)) {
+ try {
+ listener.onShutdown();
+ } catch (Throwable t) {
+ logger.error(null, t);
+ }
+ }
+
for (IManager manager : managers) {
logger.debug("stopping {}", manager.getClass().getSimpleName());
manager.stop();
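Review bot: The shutdown loop dereferences `pluginManager` without a null check. getManager is not visible here, but if it can return null (for instance when startup failed before the plugin manager was loaded), the resulting NullPointerException would skip the `manager.stop()` loop below and leave the other managers running. Wrapping the listener loop in `if (pluginManager != null) {` keeps manager shutdown unconditional. destroyContext continues past the end of this hunk.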
@@ -256,9 +323,9 @@
logger.debug("configuring Gitblit WAR");
logger.info("WAR contextFolder is " + ((contextFolder != null) ? contextFolder.getAbsolutePath() : "<empty>"));
- String path = webxmlSettings.getString(Constants.baseFolder, Constants.contextFolder$ + "/WEB-INF/data");
+ String webXmlPath = webxmlSettings.getString(Constants.baseFolder, Constants.contextFolder$ + "/WEB-INF/data");
- if (path.contains(Constants.contextFolder$) && contextFolder == null) {
+ if (webXmlPath.contains(Constants.contextFolder$) && contextFolder == null) {
// warn about null contextFolder (issue-199)
logger.error("");
logger.error(MessageFormat.format("\"{0}\" depends on \"{1}\" but \"{2}\" is returning NULL for \"{1}\"!",
@@ -268,25 +335,15 @@
logger.error("");
}
- try {
- // try to lookup JNDI env-entry for the baseFolder
- InitialContext ic = new InitialContext();
- Context env = (Context) ic.lookup("java:comp/env");
- String val = (String) env.lookup("baseFolder");
- if (!StringUtils.isEmpty(val)) {
- path = val;
- }
- } catch (NamingException n) {
- logger.error("Failed to get JNDI env-entry: " + n.getExplanation());
- }
+ String baseFolderPath = getBaseFolderPath(webXmlPath);
- File base = com.gitblit.utils.FileUtils.resolveParameter(Constants.contextFolder$, contextFolder, path);
- base.mkdirs();
+ File baseFolder = com.gitblit.utils.FileUtils.resolveParameter(Constants.contextFolder$, contextFolder, baseFolderPath);
+ baseFolder.mkdirs();
// try to extract the data folder resource to the baseFolder
- File localSettings = new File(base, "gitblit.properties");
+ File localSettings = new File(baseFolder, "gitblit.properties");
if (!localSettings.exists()) {
- extractResources(context, "/WEB-INF/data/", base);
+ extractResources(context, "/WEB-INF/data/", baseFolder);
}
// delegate all config to baseFolder/gitblit.properties file
@@ -298,7 +355,7 @@
// the target file for runtimeSettings is set to "localSettings".
runtimeSettings.merge(fileSettings);
- return base;
+ return baseFolder;
}
/**
@@ -338,6 +395,22 @@
}
}
+ // Copy the included gitignore files to the configured gitignore folder
+ String gitignorePath = webxmlSettings.getString(Keys.git.gitignoreFolder, "gitignore");
+ File localGitignores = com.gitblit.utils.FileUtils.resolveParameter(Constants.baseFolder$, base, gitignorePath);
+ if (!localGitignores.exists()) {
+ File warGitignores = new File(contextFolder, "/WEB-INF/data/gitignore");
+ if (!warGitignores.equals(localGitignores)) {
+ try {
+ com.gitblit.utils.FileUtils.copy(localGitignores, warGitignores.listFiles());
+ } catch (IOException e) {
+ logger.error(MessageFormat.format(
+ "Failed to copy included .gitignore files from {0} to {1}",
+ warGitignores, localGitignores));
+ }
+ }
+ }
+
// merge the WebXmlSettings into the runtime settings (for backwards-compatibilty)
runtimeSettings.merge(webxmlSettings);
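Review bot: `warGitignores.listFiles()` returns null when the directory is missing or unreadable, and that null is passed straight to `FileUtils.copy`. If `contextFolder` can be null here, as the context-initialisation hunk allows when `getRealPath` returns null, then `new File(contextFolder, "/WEB-INF/data/gitignore")` resolves against the filesystem root rather than the web application. Checking both before copying avoids that, e.g. `File[] included = (contextFolder == null) ? null : warGitignores.listFiles();` followed by `if (included != null)`. The catch block also drops `e`; passing it as the last argument, `logger.error(MessageFormat.format(...), e);`, keeps the cause in the log. The enclosing method starts and ends outside this hunk.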
--
Gitblit v1.9.1