From d6b70ab47bc5be26a9671dfd3a0a3dd9fa044eb4 Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Mon, 20 Oct 2014 16:17:39 -0400
Subject: [PATCH] Prepare 1.6.1 release
---
src/main/java/com/gitblit/wicket/pages/RootPage.java | 28 ++++++++++++++++++++--------
1 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/src/main/java/com/gitblit/wicket/pages/RootPage.java b/src/main/java/com/gitblit/wicket/pages/RootPage.java
index a2f3a49..c4d4dd1 100644
--- a/src/main/java/com/gitblit/wicket/pages/RootPage.java
+++ b/src/main/java/com/gitblit/wicket/pages/RootPage.java
@@ -31,6 +31,9 @@
import java.util.concurrent.atomic.AtomicInteger;
import java.util.regex.Pattern;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
import org.apache.wicket.MarkupContainer;
import org.apache.wicket.PageParameters;
import org.apache.wicket.behavior.HeaderContributor;
@@ -46,9 +49,11 @@
import org.apache.wicket.markup.repeater.data.ListDataProvider;
import org.apache.wicket.model.IModel;
import org.apache.wicket.model.Model;
+import org.apache.wicket.protocol.http.WebRequest;
import org.apache.wicket.protocol.http.WebResponse;
import com.gitblit.Constants;
+import com.gitblit.Constants.AuthenticationType;
import com.gitblit.Keys;
import com.gitblit.extensions.NavLinkExtension;
import com.gitblit.extensions.UserMenuExtension;
@@ -261,28 +266,33 @@
private void loginUser(UserModel user) {
if (user != null) {
+ HttpServletRequest request = ((WebRequest) getRequest()).getHttpServletRequest();
+ HttpServletResponse response = ((WebResponse) getResponse()).getHttpServletResponse();
+
// Set the user into the session
GitBlitWebSession session = GitBlitWebSession.get();
+
// issue 62: fix session fixation vulnerability
session.replaceSession();
session.setUser(user);
+ request = ((WebRequest) getRequest()).getHttpServletRequest();
+ response = ((WebResponse) getResponse()).getHttpServletResponse();
+ request.getSession().setAttribute(Constants.AUTHENTICATION_TYPE, AuthenticationType.CREDENTIALS);
+
// Set Cookie
- if (app().settings().getBoolean(Keys.web.allowCookieAuthentication, false)) {
- WebResponse response = (WebResponse) getRequestCycle().getResponse();
- app().authentication().setCookie(response.getHttpServletResponse(), user);
- }
+ app().authentication().setCookie(request, response, user);
if (!session.continueRequest()) {
PageParameters params = getPageParameters();
if (params == null) {
// redirect to this page
- setResponsePage(getClass());
+ redirectTo(getClass());
} else {
// Strip username and password and redirect to this page
params.remove("username");
params.remove("password");
- setResponsePage(getClass(), params);
+ redirectTo(getClass(), params);
}
}
}
@@ -596,7 +606,9 @@
GitBlitWebSession session = GitBlitWebSession.get();
UserModel user = session.getUser();
boolean editCredentials = app().authentication().supportsCredentialChanges(user);
- boolean standardLogin = session.authenticationType.isStandard();
+ HttpServletRequest request = ((WebRequest) getRequest()).getHttpServletRequest();
+ AuthenticationType authenticationType = (AuthenticationType) request.getSession().getAttribute(Constants.AUTHENTICATION_TYPE);
+ boolean standardLogin = authenticationType.isStandard();
if (app().settings().getBoolean(Keys.web.allowGravatar, true)) {
add(new GravatarImage("username", user, "navbarGravatar", 20, false));
@@ -607,7 +619,7 @@
List<MenuItem> standardItems = new ArrayList<MenuItem>();
standardItems.add(new MenuDivider());
if (user.canAdmin() || user.canCreate()) {
- standardItems.add(new PageLinkMenuItem("gb.newRepository", EditRepositoryPage.class));
+ standardItems.add(new PageLinkMenuItem("gb.newRepository", app().getNewRepositoryPage()));
}
standardItems.add(new PageLinkMenuItem("gb.myProfile", UserPage.class,
WicketUtils.newUsernameParameter(user.username)));
--
Gitblit v1.9.1