From 91780e2e17a8020872c8da2d8941114e098ef2a4 Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Thu, 16 Feb 2012 07:39:48 -0500
Subject: [PATCH] Merge pull request #7 from plm/protect_refs_hook

---
 src/com/gitblit/wicket/pages/BasePage.java | 21 ++++++++++++++++++++-
 1 files changed, 20 insertions(+), 1 deletions(-)

diff --git a/src/com/gitblit/wicket/pages/BasePage.java b/src/com/gitblit/wicket/pages/BasePage.java
index f98e883..ca94007 100644
--- a/src/com/gitblit/wicket/pages/BasePage.java
+++ b/src/com/gitblit/wicket/pages/BasePage.java
@@ -43,6 +43,7 @@
 import com.gitblit.Constants.FederationStrategy;
 import com.gitblit.GitBlit;
 import com.gitblit.Keys;
+import com.gitblit.models.RepositoryModel;
 import com.gitblit.models.UserModel;
 import com.gitblit.wicket.GitBlitWebSession;
 import com.gitblit.wicket.WicketUtils;
@@ -79,7 +80,10 @@
 // Login the user
 if (user != null) {
 // Set the user into the session
- GitBlitWebSession.get().setUser(user);
+ GitBlitWebSession session = GitBlitWebSession.get();
+ // issue 62: fix session fixation vulnerability
+ session.replaceSession();
+ session.setUser(user);
 
 // Set Cookie
 WebResponse response = (WebResponse) getRequestCycle().getResponse();
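Review bot: The session rotation at `session.replaceSession()` is correctly placed before `session.setUser(user)`, but the comment `// issue 62: fix session fixation vulnerability` does not say that the order is what makes the fix work, so a later edit could swap the two lines without noticing. Expand it to `// issue 62: rotate the session id before attaching the authenticated user, so an id that existed before login never becomes an authenticated session`. Since replaceSession() discards the pre-login session, anything the page stored in GitBlitWebSession earlier in this request is presumably lost unless the Wicket session store copies attributes across; worth confirming against the Wicket version in use. The enclosing login method starts and ends outside the hunk.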
@@ -166,6 +170,21 @@
 HttpServletRequest req = servletWebRequest.getHttpServletRequest();
 return req.getServerName();
 }
+
+ protected String getRepositoryUrl(RepositoryModel repository) {
+ StringBuilder sb = new StringBuilder();
+ sb.append(WicketUtils.getGitblitURL(getRequestCycle().getRequest()));
+ sb.append(Constants.GIT_PATH);
+ sb.append(repository.name);
+
+ // inject username into repository url if authentication is required
+ if (repository.accessRestriction.exceeds(AccessRestrictionType.NONE)
+ && GitBlitWebSession.get().isLoggedIn()) {
+ String username = GitBlitWebSession.get().getUser().username;
+ sb.insert(sb.indexOf("://") + 3, username + "@");
+ }
+ return sb.toString();
+ }
 
 public void warn(String message, Throwable t) {
 logger.warn(message, t);
-- 
Gitblit v1.9.1
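Review bot: `sb.insert(sb.indexOf("://") + 3, username + "@")` silently corrupts the URL whenever the string returned by WicketUtils.getGitblitURL() carries no scheme separator, because indexOf() then yields -1 and the insert lands at index 2. Guard it: `int schemeEnd = sb.indexOf("://");` / `if (schemeEnd >= 0) { sb.insert(schemeEnd + 3, username + "@"); }`. The username is also spliced in unencoded, so a name containing reserved characters such as `@`, `:` or `/` produces an ambiguous userinfo component; encoding it for the userinfo part before insertion would keep the displayed clone URL unambiguous. The new method has no Javadoc; a summary such as `Builds the HTTP clone URL of the repository, prefixing the current user's name when access is restricted and a user is logged in.` would document the contract. GitBlitWebSession.get() is called twice where a single local would do.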