githubFork/gitblit.git - Solinfo Gitblit

New file
			@@ -0,0 +1,135 @@
			/*
			* Copyright 2012 PD Inc / gitblit.com.
			*
			* Licensed under the Apache License, Version 2.0 (the "License");
			* you may not use this file except in compliance with the License.
			* You may obtain a copy of the License at
			*
			* http://www.apache.org/licenses/LICENSE-2.0
			*
			* Unless required by applicable law or agreed to in writing, software
			* distributed under the License is distributed on an "AS IS" BASIS,
			* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
			* See the License for the specific language governing permissions and
			* limitations under the License.
			*/
			package com.gitblit.utils;

			import java.io.CharConversionException;
			import java.lang.reflect.InvocationTargetException;
			import java.lang.reflect.Method;

			import org.slf4j.Logger;
			import org.slf4j.LoggerFactory;

			import com.gitblit.GitBlit;
			import com.gitblit.Keys;

			/**
			* This is the support class for all container specific code.
			*
			* @author jpyeron
			*/
			public class ContainerUtils
			{
			private static Logger LOGGER = LoggerFactory.getLogger(ContainerUtils.class);

			/**
			* The support class for managing and evaluating the environment with
			* regards to CVE-2007-0405.
			*
			* @see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450
			* @author jpyeron
			*/
			public static class CVE_2007_0450
			{
			/**
			* This method will test for know issues in certain containers where %2F
			* is blocked from use in URLs. It will emit a warning to the logger if
			* the configuration of Tomcat causes the URL processing to fail on %2F.
			*/
			public static void test()
			{
			if (GitBlit.getBoolean(Keys.web.mountParameters, true)
			&& ((GitBlit.getChar(Keys.web.forwardSlashCharacter, '/')) == '/' \|\| (GitBlit.getChar(
			Keys.web.forwardSlashCharacter, '/')) == '\\'))
			{
			try
			{
			if (GitBlit.isGO())
			;
			else if (logCVE_2007_0450Tomcat())
			;
			// else if (logCVE_2007_0450xxx());
			else
			{
			LOGGER.info("Unknown container, cannot check for CVE-2007-0450 aplicability");
			}
			}
			catch (Throwable t)
			{
			LOGGER.warn("Failure in checking for CVE-2007-0450 aplicability", t);
			}
			}

			}

			/**
			* This method will test for know issues in certain versions of Tomcat,
			* JBOSS, glassfish, and other embedded uses of Tomcat where %2F is
			* blocked from use in certain URL s. It will emit a warning to the
			* logger if the configuration of Tomcat causes the URL processing to
			* fail on %2F.
			*
			* @return true if it recognizes Tomcat, false if it does not recognize
			* Tomcat
			*/
			private static boolean logCVE_2007_0450Tomcat()
			{
			try
			{
			byte[] test = "http://server.domain:8080/context/servlet/param%2fparam".getBytes();

			// ByteChunk mb=new ByteChunk();
			Class<?> cByteChunk = Class.forName("org.apache.tomcat.util.buf.ByteChunk");
			Object mb = cByteChunk.newInstance();

			// mb.setBytes(test, 0, test.length);
			Method mByteChunck_setBytes = cByteChunk.getMethod("setBytes", byte[].class, int.class, int.class);
			mByteChunck_setBytes.invoke(mb, test, (int) 0, test.length);

			// UDecoder ud=new UDecoder();
			Class<?> cUDecoder = Class.forName("org.apache.tomcat.util.buf.UDecoder");
			Object ud = cUDecoder.newInstance();

			// ud.convert(mb,false);
			Method mUDecoder_convert = cUDecoder.getMethod("convert", cByteChunk, boolean.class);

			try
			{
			mUDecoder_convert.invoke(ud, mb, false);
			}
			catch (InvocationTargetException e)
			{
			if (e.getTargetException() != null && e.getTargetException() instanceof CharConversionException)
			{
			LOGGER.warn("You are using a Tomcat based system and the current settings regarding CVE-2007-0450 will prevent certain fetures from working. Please see http://gitblit.com/faq.html and http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450");
			return true;
			}
			throw e;
			}
			}
			catch (Throwable t)
			{
			// The apache url decoder internals are different, this is not a
			// Tomcat matching the failure pattern for CVE-2007-0450
			if (t instanceof ClassNotFoundException \|\| t instanceof NoSuchMethodException
			\|\| t instanceof IllegalArgumentException)
			return false;
			LOGGER.debug("This is a tomcat, but the test operation failed somehow", t);
			}
			return true;
			}
			}

			}

	docs/04_releases.mkd	1 ●●●●● patch \| view \| raw \| blame \| history
	src/com/gitblit/GitBlit.java	3 ●●●●● patch \| view \| raw \| blame \| history
	src/com/gitblit/utils/ContainerUtils.java	135 ●●●●● patch \| view \| raw \| blame \| history

			@@ -11,6 +11,7 @@

			#### changes

			- Emit a warning in the log file if running on a Tomcat-based servlet container which is unfriendly to %2F forward-slash url encoding AND Gitblit is configured to mount parameters with %2F forward-slash url encoding (Github/jpyeron, issue 126)
			- LDAP admin attribute setting is now consistent with LDAP teams setting and admin teams list.
			If realm.ldap.maintainTeams==true AND realm.ldap.admins is not empty, then User.canAdmin() is controlled by LDAP administrative team membership. Otherwise, User.canAdmin() is controlled by Gitblit.

			@@ -88,6 +88,7 @@
			import com.gitblit.models.UserModel;
			import com.gitblit.utils.ArrayUtils;
			import com.gitblit.utils.ByteFormat;
			import com.gitblit.utils.ContainerUtils;
			import com.gitblit.utils.DeepCopier;
			import com.gitblit.utils.FederationUtils;
			import com.gitblit.utils.JGitUtils;
			@@ -2214,6 +2215,8 @@
			} catch (IllegalArgumentException e) {
			logger.error("Failed to configure JGit parameters!", e);
			}

			ContainerUtils.CVE_2007_0450.test();
			}

			private void logTimezone(String type, TimeZone zone) {