From 332e93c9e8b2ef756ac2b2ec1055262046f988fa Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Fri, 30 Mar 2012 20:01:03 -0400
Subject: [PATCH] Merge pull request #10 from jonnybbb/master

---
 src/com/gitblit/wicket/pages/BasePage.java |   43 +++++++++++++++++++++++++++++++++++++++++--
 1 files changed, 41 insertions(+), 2 deletions(-)

diff --git a/src/com/gitblit/wicket/pages/BasePage.java b/src/com/gitblit/wicket/pages/BasePage.java
index d31979d..3852818 100644
--- a/src/com/gitblit/wicket/pages/BasePage.java
+++ b/src/com/gitblit/wicket/pages/BasePage.java
@@ -22,6 +22,7 @@
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 
+import org.apache.wicket.Application;
 import org.apache.wicket.MarkupContainer;
 import org.apache.wicket.PageParameters;
 import org.apache.wicket.RestartResponseAtInterceptPageException;
@@ -43,6 +44,7 @@
 import com.gitblit.Constants.FederationStrategy;
 import com.gitblit.GitBlit;
 import com.gitblit.Keys;
+import com.gitblit.models.RepositoryModel;
 import com.gitblit.models.UserModel;
 import com.gitblit.wicket.GitBlitWebSession;
 import com.gitblit.wicket.WicketUtils;
@@ -63,6 +65,24 @@
 		logger = LoggerFactory.getLogger(getClass());
 		loginByCookie();
 	}
+	
+	@Override
+	protected void onBeforeRender() {
+		if (GitBlit.isDebugMode()) {
+			// strip Wicket tags in debug mode for jQuery DOM traversal
+			Application.get().getMarkupSettings().setStripWicketTags(true);
+		}
+		super.onBeforeRender();
+	}
+
+	@Override
+	protected void onAfterRender() {
+		if (GitBlit.isDebugMode()) {
+			// restore Wicket debug tags
+			Application.get().getMarkupSettings().setStripWicketTags(false);
+		}
+		super.onAfterRender();
+	}	
 
 	private void loginByCookie() {
 		if (!GitBlit.getBoolean(Keys.web.allowCookieAuthentication, false)) {
@@ -79,11 +99,15 @@
 		// Login the user
 		if (user != null) {
 			// Set the user into the session
-			GitBlitWebSession.get().setUser(user);
+			GitBlitWebSession session = GitBlitWebSession.get();
+			// issue 62: fix session fixation vulnerability
+			session.replaceSession();
+			session.setUser(user);
 
 			// Set Cookie
 			WebResponse response = (WebResponse) getRequestCycle().getResponse();
 			GitBlit.self().setCookie(response, user);
+			continueToOriginalDestination();
 		}
 	}
 
@@ -157,7 +181,7 @@
 
 	protected TimeZone getTimeZone() {
 		return GitBlit.getBoolean(Keys.web.useClientTimezone, false) ? GitBlitWebSession.get()
-				.getTimezone() : TimeZone.getDefault();
+				.getTimezone() : GitBlit.getTimezone();
 	}
 
 	protected String getServerName() {
@@ -165,6 +189,21 @@
 		HttpServletRequest req = servletWebRequest.getHttpServletRequest();
 		return req.getServerName();
 	}
+	
+	protected String getRepositoryUrl(RepositoryModel repository) {
+		StringBuilder sb = new StringBuilder();
+		sb.append(WicketUtils.getGitblitURL(getRequestCycle().getRequest()));
+		sb.append(Constants.GIT_PATH);
+		sb.append(repository.name);
+		
+		// inject username into repository url if authentication is required
+		if (repository.accessRestriction.exceeds(AccessRestrictionType.NONE)
+				&& GitBlitWebSession.get().isLoggedIn()) {
+			String username = GitBlitWebSession.get().getUser().username;
+			sb.insert(sb.indexOf("://") + 3, username + "@");
+		}
+		return sb.toString();
+	}
 
 	public void warn(String message, Throwable t) {
 		logger.warn(message, t);

--
Gitblit v1.9.1