From 91780e2e17a8020872c8da2d8941114e098ef2a4 Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Thu, 16 Feb 2012 07:39:48 -0500
Subject: [PATCH] Merge pull request #7 from plm/protect_refs_hook
---
 src/com/gitblit/wicket/pages/RootPage.java | 24 +++++++++++++++++-------
 1 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/src/com/gitblit/wicket/pages/RootPage.java b/src/com/gitblit/wicket/pages/RootPage.java
index 686fc72..bad0140 100644
--- a/src/com/gitblit/wicket/pages/RootPage.java
+++ b/src/com/gitblit/wicket/pages/RootPage.java
@@ -171,12 +171,19 @@
 private PageParameters getRootPageParameters() {
 if (reusePageParameters()) {
- PageParameters params = getPageParameters();
- if (params != null) {
+ PageParameters pp = getPageParameters();
+ if (pp != null) {
+ PageParameters params = new PageParameters(pp);
 // remove named repository parameter
 params.remove("r");
- }
- return params;
+
+ // remove days back parameter if it is the default value
+ if (params.containsKey("db")
+ && params.getInt("db") == GitBlit.getInteger(Keys.web.activityDuration, 14)) {
+ params.remove("db");
+ }
+ return params;
+ }
 }
 return null;
 }
@@ -188,7 +195,10 @@
 private void loginUser(UserModel user) {
 if (user != null) {
 // Set the user into the session
- GitBlitWebSession.get().setUser(user);
+ GitBlitWebSession session = GitBlitWebSession.get();
+ // issue 62: fix session fixation vulnerability
+ session.replaceSession();
+ session.setUser(user);
 // Set Cookie
 if (GitBlit.getBoolean(Keys.web.allowCookieAuthentication, false)) {
@@ -262,7 +272,7 @@
 if (addedExpression) {
 filters.add(new DropDownMenuItem());
 }
- }
+ }
 return new ArrayList<DropDownMenuItem>(filters);
 }
@@ -362,7 +372,7 @@
 if (!hasParameter) {
 models.addAll(availableModels);
 }
-
+
 // time-filter the list
 if (daysBack > 0) {
 Calendar cal = Calendar.getInstance();
--
Gitblit v1.9.1
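Review bot: The added default-value check calls `params.getInt("db")` on a query-string parameter that is entirely under the requester's control; if the Wicket `PageParameters`/`ValueMap` in use throws a `StringValueConversionException` for a non-numeric value, a request such as `?db=abc` would now make `getRootPageParameters()` throw instead of simply leaving the parameter in place. Consider the defaulting overload, `params.getInt("db", -1)`, or otherwise guarding the comparison so a malformed value is left or dropped without an exception; whether `db` is validated before this point is not visible in the hunk. The defensive copy `new PageParameters(pp)` is a good change, since the old code removed `"r"` from the live page parameters, and a one-line why-comment would make that intent durable: `// copy so the live page parameters are never mutated`.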
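Review bot: The comment on the new `session.replaceSession()` call names the issue but not the invariant, and the ordering is the whole point: the session id has to be rotated before `setUser(user)` so authenticated state is never bound to a pre-login id an attacker could have planted. Suggest `// issue 62: session fixation - rotate the session id before binding the user, never after`. What `replaceSession()` does with other attributes already stored in the old session is not visible here, so it is worth confirming that nothing besides the user is lost by the swap. This also only covers the `loginUser` path; any other code that sets the user on the session directly (cookie or basic-auth login, if they do not route through here) would remain fixable. `loginUser` continues past the end of the hunk, including the cookie branch.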