From b76107bb240c54ba4d4c8e1d2badd412e5c473fa Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Tue, 04 Nov 2014 17:23:50 -0500
Subject: [PATCH] Whitelist the "target" link attribute in the XSS filter
---
src/main/java/com/gitblit/transport/ssh/git/Receive.java | 12 +++++++++---
1 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/main/java/com/gitblit/transport/ssh/git/Receive.java b/src/main/java/com/gitblit/transport/ssh/git/Receive.java
index 4089f1d..3e7469f 100644
--- a/src/main/java/com/gitblit/transport/ssh/git/Receive.java
+++ b/src/main/java/com/gitblit/transport/ssh/git/Receive.java
@@ -1,4 +1,5 @@
/*
+ * Copyright (C) 2009 The Android Open Source Project
* Copyright 2014 gitblit.com.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@@ -17,14 +18,19 @@
import org.eclipse.jgit.transport.ReceivePack;
-import com.gitblit.transport.ssh.CommandMetaData;
+import com.gitblit.transport.ssh.SshKey;
+import com.gitblit.transport.ssh.commands.CommandMetaData;
-@CommandMetaData(name = "git-receive-pack", description = "Receives pushes from a client")
+@CommandMetaData(name = "git-receive-pack", description = "Receives pushes from a client", hidden = true)
public class Receive extends BaseGitCommand {
@Override
protected void runImpl() throws Failure {
+ SshKey key = getContext().getClient().getKey();
+ if (key != null && !key.canPush()) {
+ throw new Failure(1, "Sorry, your SSH public key is not allowed to push changes!");
+ }
try {
- ReceivePack rp = receivePackFactory.create(ctx.getClient(), repo);
+ ReceivePack rp = receivePackFactory.create(getContext().getClient(), repo);
rp.receive(in, out, null);
} catch (Exception e) {
throw new Failure(1, "fatal: Cannot receive pack: ", e);
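Review bot: The new guard in runImpl() fails open when `getContext().getClient().getKey()` returns null, because `key != null && !key.canPush()` skips the push check entirely and the session goes straight to `receivePackFactory.create(...)`. If a null key is meant to cover logins that did not use a public key (presumably password authentication), state that in a comment such as `// key is null for non-publickey auth; repository permissions are enforced by receivePackFactory`, and confirm that the factory does enforce them. It would also help to log the denial with the user and key identity (not key material) before throwing `Failure`, so that push attempts with a read-only key are visible in audit logs. The body of runImpl() continues past the end of this hunk, so the closing of the try/catch is not visible here. Separately, the Subject line appears to describe an XSS filter change, while the diff touches only Receive.java.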
--
Gitblit v1.9.1