From e7883877a98dfcae3f75f1c1a562120d89aed22a Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Thu, 09 Feb 2012 08:33:16 -0500
Subject: [PATCH] Fixed session fixation vulnerability (issue 62)

---
 src/com/gitblit/wicket/pages/EditRepositoryPage.java |   18 +++++++++++++++---
 1 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/src/com/gitblit/wicket/pages/EditRepositoryPage.java b/src/com/gitblit/wicket/pages/EditRepositoryPage.java
index 0f3a0bb..0361da3 100644
--- a/src/com/gitblit/wicket/pages/EditRepositoryPage.java
+++ b/src/com/gitblit/wicket/pages/EditRepositoryPage.java
@@ -26,6 +26,7 @@
 import java.util.Set;
 
 import org.apache.wicket.PageParameters;
+import org.apache.wicket.behavior.SimpleAttributeModifier;
 import org.apache.wicket.extensions.markup.html.form.palette.Palette;
 import org.apache.wicket.markup.html.form.Button;
 import org.apache.wicket.markup.html.form.CheckBox;
@@ -47,6 +48,7 @@
 import com.gitblit.Keys;
 import com.gitblit.models.RepositoryModel;
 import com.gitblit.models.UserModel;
+import com.gitblit.utils.ArrayUtils;
 import com.gitblit.utils.StringUtils;
 import com.gitblit.wicket.GitBlitWebSession;
 import com.gitblit.wicket.WicketUtils;
@@ -116,7 +118,7 @@
 				new ChoiceRenderer<String>("", ""), 5, false);
 
 		// pre-receive palette
-		if (repositoryModel.preReceiveScripts != null) {
+		if (!ArrayUtils.isEmpty(repositoryModel.preReceiveScripts)) {
 			preReceiveScripts.addAll(repositoryModel.preReceiveScripts);
 		}
 		final Palette<String> preReceivePalette = new Palette<String>("preReceiveScripts",
@@ -125,7 +127,7 @@
 				new ChoiceRenderer<String>("", ""), 12, true);
 
 		// post-receive palette
-		if (repositoryModel.postReceiveScripts != null) {
+		if (!ArrayUtils.isEmpty(repositoryModel.postReceiveScripts)) {
 			postReceiveScripts.addAll(repositoryModel.postReceiveScripts);
 		}
 		final Palette<String> postReceivePalette = new Palette<String>("postReceiveScripts",
@@ -260,6 +262,9 @@
 			}
 		};
 
+		// do not let the browser pre-populate these fields
+		form.add(new SimpleAttributeModifier("autocomplete", "off"));
+
 		// field names reflective match RepositoryModel fields
 		form.add(new TextField<String>("name").setEnabled(isCreate || isAdmin));
 		form.add(new TextField<String>("description"));
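Review bot: The `autocomplete="off"` attribute added on the form is a browser hint only; user agents are free to ignore it, and it does nothing about session handling, so the commit subject "Fixed session fixation vulnerability (issue 62)" is not backed by anything visible in this hunk or the others in the patch (no session invalidation or id regeneration appears anywhere). If the actual fix lives in a separate commit, the subject should point there; otherwise the comment above the line overstates what the change achieves. I would reword it to `// ask the browser not to pre-populate these fields (advisory hint; browsers may ignore it)`. The enclosing method starts and ends outside the hunk.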
@@ -270,6 +275,13 @@
 		form.add(new CheckBox("isFrozen"));
 		// TODO enable origin definition
 		form.add(new TextField<String>("origin").setEnabled(false/* isCreate */));
+		
+		// allow relinking HEAD to a branch or tag other than master on edit repository
+		List<String> availableRefs = new ArrayList<String>();
+		if (!ArrayUtils.isEmpty(repositoryModel.availableRefs)) {
+			availableRefs.addAll(repositoryModel.availableRefs);
+		}
+		form.add(new DropDownChoice<String>("HEAD", availableRefs).setEnabled(!isCreate));
 
 		// federation strategies - remove ORIGIN choice if this repository has
 		// no origin.
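Review bot: The HEAD `DropDownChoice` is built only from `repositoryModel.availableRefs`, so on an edit where that list is empty or does not contain the model's current HEAD the field renders with nothing selected, and because the choice is not marked `setNullValid(true)` the submit may be rejected rather than leaving HEAD unchanged — worth confirming against the bound model's HEAD handling, which is outside this hunk. The added blank line before the comment carries trailing tab whitespace and should be emptied. The enclosing method starts and ends outside the hunk.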
@@ -286,7 +298,7 @@
 		form.add(new CheckBox("showReadme"));
 		form.add(new CheckBox("skipSizeCalculation"));
 		form.add(new CheckBox("skipSummaryMetrics"));
-		mailingLists = new Model<String>(repositoryModel.mailingLists == null ? ""
+		mailingLists = new Model<String>(ArrayUtils.isEmpty(repositoryModel.mailingLists) ? ""
 				: StringUtils.flattenStrings(repositoryModel.mailingLists, " "));
 		form.add(new TextField<String>("mailingLists", mailingLists));
 		form.add(usersPalette);

--
Gitblit v1.9.1