From d40adc7553bc900328afa918f45b6d9e9c3087fb Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Mon, 24 Oct 2011 08:20:35 -0400
Subject: [PATCH] Fixed security hole when cloning repository with TortoiseGit (issue 28)

---
 src/com/gitblit/GitFilter.java               |    2 ++
 docs/01_features.mkd                         |    7 ++++---
 docs/02_rpc.mkd                              |    4 ++++
 docs/04_releases.mkd                         |    3 ++-
 docs/00_index.mkd                            |    3 ++-
 src/com/gitblit/AccessRestrictionFilter.java |    1 -
 tests/com/gitblit/tests/GitServletTest.java  |   19 ++++++++++++++++++-
 7 files changed, 32 insertions(+), 7 deletions(-)

diff --git a/docs/00_index.mkd b/docs/00_index.mkd
index 8627269..12edae5 100644
--- a/docs/00_index.mkd
+++ b/docs/00_index.mkd
@@ -29,6 +29,7 @@
 
 **%VERSION%** ([go](http://code.google.com/p/gitblit/downloads/detail?name=%GO%)|[war](http://code.google.com/p/gitblit/downloads/detail?name=%WAR%)|[fedclient](http://code.google.com/p/gitblit/downloads/detail?name=%FEDCLIENT%)|[manager](http://code.google.com/p/gitblit/downloads/detail?name=%MANAGER%)) based on [%JGIT%][jgit] &nbsp; *released %BUILDDATE%*
 
+- **security**: fixed security hole when cloning clone-restricted repository with TortoiseGit (issue 28)
 - improved: updated ui with Twitter's Bootstrap CSS toolkit  
     **New:** *web.loginMessage = gitblit*
 - improved: repositories list performance by caching repository sizes (issue 27)
@@ -45,7 +46,7 @@
 - fixed: collision on rename for repositories and users
 - fixed: Gitblit can now browse the Linux kernel repository (issue 25)
 - fixed: Gitblit now runs on Servlet 3.0 webservers (e.g. Tomcat 7, Jetty 8) (issue 23)
-- fixed: Set the RSS content type for Firefox 4 (issue 22)
+- fixed: Set the RSS content type of syndication feeds for Firefox 4 (issue 22)
 - fixed: Null pointer exception if did not set federation strategy (issue 20)
 - fixed: Gitblit GO allows SSL renegotiation if running on Java 1.6.0_22 or later
 - added: IUserService.setup(IStoredSettings) for custom user service implementations
diff --git a/docs/01_features.mkd b/docs/01_features.mkd
index 9364710..5f15aae 100644
--- a/docs/01_features.mkd
+++ b/docs/01_features.mkd
@@ -9,11 +9,12 @@
     - ![freeze](cold_16x16.png) Freeze repository (i.e. deny push, make read-only)
 - Ability to federate with one or more other Gitblit instances
 - JSON RPC interface
+- Java/Swing Gitblit Manager tool 
 - Gitweb inspired web UI
-- Administrators may create, edit, rename, or delete repositories through the web UI
-- Administrators may create, edit, rename, or delete users through the web UI
+- Administrators may create, edit, rename, or delete repositories through the web UI or RPC interface
+- Administrators may create, edit, rename, or delete users through the web UI or RPC interface
 - Repository Owners may edit repositories through the web UI
-- Git-notes support
+- Git-notes display support
 - Branch metrics (uses Google Charts)
 - HEAD and Branch RSS feeds
 - Blame annotations view
diff --git a/docs/02_rpc.mkd b/docs/02_rpc.mkd
index 94739ca..0150d16 100644
--- a/docs/02_rpc.mkd
+++ b/docs/02_rpc.mkd
@@ -84,6 +84,7 @@
     ],
     "isFederated": false,
     "skipSizeCalculation": false,
+    "skipSummaryMetrics": false,
     "size": "102 KB"
   },
   "https://localhost/git/libraries/smack.git": {
@@ -102,6 +103,7 @@
     "federationSets": [],
     "isFederated": false,
     "skipSizeCalculation": false,
+    "skipSummaryMetrics": false,
     "size": "4.8 MB"
   }
 }
@@ -131,6 +133,8 @@
       "libraries"
     ],
     "isFederated": false,
+    "skipSizeCalculation": false,
+    "skipSummaryMetrics": false,
     "size": "102 KB"
 }
 </pre>
diff --git a/docs/04_releases.mkd b/docs/04_releases.mkd
index e844322..68e0908 100644
--- a/docs/04_releases.mkd
+++ b/docs/04_releases.mkd
@@ -3,6 +3,7 @@
 ### Current Release
 **%VERSION%** ([go](http://code.google.com/p/gitblit/downloads/detail?name=%GO%)|[war](http://code.google.com/p/gitblit/downloads/detail?name=%WAR%)|[fedclient](http://code.google.com/p/gitblit/downloads/detail?name=%FEDCLIENT%)|[manager](http://code.google.com/p/gitblit/downloads/detail?name=%MANAGER%)) based on [%JGIT%][jgit] &nbsp; *released %BUILDDATE%*
 
+- **security**: fixed security hole when cloning clone-restricted repository with TortoiseGit (issue 28)
 - improved: updated ui with Twitter's Bootstrap CSS toolkit  
     **New:** *web.loginMessage = gitblit*
 - improved: repositories list performance by caching repository sizes (issue 27)
@@ -19,7 +20,7 @@
 - fixed: collision on rename for repositories and users
 - fixed: Gitblit can now browse the Linux kernel repository (issue 25)
 - fixed: Gitblit now runs on Servlet 3.0 webservers (e.g. Tomcat 7, Jetty 8) (issue 23)
-- fixed: Set the RSS content type for Firefox 4 (issue 22)
+- fixed: Set the RSS content type of syndication feeds for Firefox 4 (issue 22)
 - fixed: Null pointer exception if did not set federation strategy (issue 20)
 - fixed: Gitblit GO allows SSL renegotiation if running on Java 1.6.0_22 or later
 - added: IUserService.setup(IStoredSettings) for custom user service implementations
diff --git a/src/com/gitblit/AccessRestrictionFilter.java b/src/com/gitblit/AccessRestrictionFilter.java
index 27e2a18..a8d50b8 100644
--- a/src/com/gitblit/AccessRestrictionFilter.java
+++ b/src/com/gitblit/AccessRestrictionFilter.java
@@ -25,7 +25,6 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import com.gitblit.AuthenticationFilter.AuthenticatedRequest;
 import com.gitblit.models.RepositoryModel;
 import com.gitblit.models.UserModel;
 import com.gitblit.utils.StringUtils;
diff --git a/src/com/gitblit/GitFilter.java b/src/com/gitblit/GitFilter.java
index 83e7ac8..8127ffa 100644
--- a/src/com/gitblit/GitFilter.java
+++ b/src/com/gitblit/GitFilter.java
@@ -75,6 +75,8 @@
 				return gitReceivePack;
 			} else if (suffix.contains("?service=git-upload-pack")) {
 				return gitUploadPack;
+			} else {
+				return gitUploadPack;
 			}
 		}
 		return null;
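Review bot: The added `else` is the whole fix for issue 28, yet nothing in the code says why every suffix that is not a receive-pack is now treated as an upload-pack, so the next reader may fold it back into the `return null` path that the TortoiseGit clone was slipping through. I would put a why-comment on the new branch: `// Anything else under the git path (e.g. a request without ?service=, as TortoiseGit sends) is treated as a clone so that the clone access restriction is enforced (issue 28)`. With that branch in place the preceding `else if (suffix.contains("?service=git-upload-pack"))` returns the same value and is now redundant; either collapse the two into one `else` or note that the explicit check is kept for readability. The enclosing method starts before this hunk, so I cannot see which requests still reach the trailing `return null` or how the caller treats a null action.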
diff --git a/tests/com/gitblit/tests/GitServletTest.java b/tests/com/gitblit/tests/GitServletTest.java
index 0ede7ca..6a83974 100644
--- a/tests/com/gitblit/tests/GitServletTest.java
+++ b/tests/com/gitblit/tests/GitServletTest.java
@@ -12,6 +12,7 @@
 
 import org.eclipse.jgit.api.CloneCommand;
 import org.eclipse.jgit.api.Git;
+import org.eclipse.jgit.transport.UsernamePasswordCredentialsProvider;
 import org.eclipse.jgit.util.FileUtils;
 
 import com.gitblit.GitBlitServer;
@@ -50,7 +51,9 @@
 	}
 
 	public void testClone() throws Exception {
-		FileUtils.delete(folder, FileUtils.RECURSIVE);
+		if (folder.exists()) {
+			FileUtils.delete(folder, FileUtils.RECURSIVE);
+		}
 		CloneCommand clone = Git.cloneRepository();
 		clone.setURI(MessageFormat.format("http://localhost:{0,number,#}/git/ticgit.git", port));
 		clone.setDirectory(folder);
@@ -71,4 +74,18 @@
 		git.push().setPushAll().call();
 		git.getRepository().close();
 	}
+		
+	public void testBogusLoginClone() throws Exception {
+		File folder = new File(GitBlitSuite.REPOSITORIES, "working/gitblit");
+		if (folder.exists()) {
+			FileUtils.delete(folder, FileUtils.RECURSIVE);
+		}
+		CloneCommand clone = Git.cloneRepository();
+		clone.setURI(MessageFormat.format("http://localhost:{0,number,#}/git/gitblit.git", port));
+		clone.setDirectory(folder);
+		clone.setBare(false);
+		clone.setCloneAllBranches(true);
+		clone.setCredentialsProvider(new UsernamePasswordCredentialsProvider("bogus", "bogus"));
+		clone.call();
+	}
 }
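Review bot: testBogusLoginClone has no assertion, so it passes exactly when `clone.call()` returns normally; if gitblit.git is clone-restricted in the suite, as the method name and the bogus credentials suggest, the test currently passes only when the security hole is present and would not catch a regression of issue 28. The clone attempt should be wrapped so that a refused transport is the expected outcome and a successful clone fails the test, and the `Git` returned by `clone.call()` should be closed the way testClone does with `git.getRepository().close()` rather than discarded. `assertFalse` below presumes the class extends TestCase or statically imports Assert, which the hunk does not show; use whichever assertion helper the class already has. The blank line added above the method carries trailing tabs and should be empty.
```java
		clone.setCredentialsProvider(new UsernamePasswordCredentialsProvider("bogus", "bogus"));
		boolean cloned = false;
		try {
			Git git = clone.call();
			git.getRepository().close();
			cloned = true;
		} catch (Exception e) {
			// expected: the server must refuse a clone of a restricted repository with invalid credentials
		}
		assertFalse("bogus login was able to clone a restricted repository", cloned);
```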

--
Gitblit v1.9.1