From a75a1819f4c7fa5080ddb47545fe9012a842e5b3 Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Wed, 20 Jul 2011 21:08:57 -0400
Subject: [PATCH] Misc fixes.

---
 src/com/gitblit/wicket/pages/EditRepositoryPage.java |   32 ++++++++++++++++++++++++++++++--
 1 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/src/com/gitblit/wicket/pages/EditRepositoryPage.java b/src/com/gitblit/wicket/pages/EditRepositoryPage.java
index eb2a8e6..824f13d 100644
--- a/src/com/gitblit/wicket/pages/EditRepositoryPage.java
+++ b/src/com/gitblit/wicket/pages/EditRepositoryPage.java
@@ -19,13 +19,13 @@
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
-import java.util.Date;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
 
 import org.apache.wicket.PageParameters;
 import org.apache.wicket.extensions.markup.html.form.palette.Palette;
+import org.apache.wicket.markup.html.form.Button;
 import org.apache.wicket.markup.html.form.CheckBox;
 import org.apache.wicket.markup.html.form.ChoiceRenderer;
 import org.apache.wicket.markup.html.form.DropDownChoice;
@@ -104,6 +104,22 @@
 
 					// automatically convert backslashes to forward slashes
 					repositoryModel.name = repositoryModel.name.replace('\\', '/');
+					// Automatically replace // with /
+					repositoryModel.name = repositoryModel.name.replace("//", "/");
+
+					// prohibit folder paths
+					if (repositoryModel.name.startsWith("/")) {
+						error("Leading root folder references (/) are prohibited.");
+						return;
+					}
+					if (repositoryModel.name.startsWith("../")) {
+						error("Relative folder references (../) are prohibited.");
+						return;
+					}
+					if (repositoryModel.name.contains("/../")) {
+						error("Relative folder references (../) are prohibited.");
+						return;
+					}
 
 					// confirm valid characters in repository name
 					char[] validChars = { '/', '.', '_', '-' };
@@ -128,7 +144,7 @@
 					}
 
 					// save the repository
-					GitBlit.self().editRepositoryModel(oldName, repositoryModel, isCreate);
+					GitBlit.self().updateRepositoryModel(oldName, repositoryModel, isCreate);
 
 					// save the repository access list
 					if (repositoryModel.accessRestriction.exceeds(AccessRestrictionType.NONE)) {
@@ -167,6 +183,18 @@
 		form.add(new CheckBox("showReadme"));
 		form.add(usersPalette);
 
+		form.add(new Button("save"));
+		Button cancel = new Button("cancel"){          
+			private static final long serialVersionUID = 1L;
+
+			@Override
+			public void onSubmit() {
+                setResponsePage(RepositoriesPage.class);
+            }
+        };
+        cancel.setDefaultFormProcessing(false);
+        form.add(cancel);
+        
 		add(form);
 	}
 

--
Gitblit v1.9.1