From b4a63aad7f56486c164a15ae2477bcd251b0bb1b Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Tue, 18 Mar 2014 21:10:48 -0400
Subject: [PATCH] Fix authentication security hole with external providers

---
 src/main/java/com/gitblit/manager/GitblitManager.java |   79 ++++++++++++++++++++++++++++++---------
 1 files changed, 60 insertions(+), 19 deletions(-)

diff --git a/src/main/java/com/gitblit/manager/GitblitManager.java b/src/main/java/com/gitblit/manager/GitblitManager.java
index 9d096dd..b6c2b47 100644
--- a/src/main/java/com/gitblit/manager/GitblitManager.java
+++ b/src/main/java/com/gitblit/manager/GitblitManager.java
@@ -33,7 +33,12 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.eclipse.jgit.api.CloneCommand;
+import org.eclipse.jgit.api.FetchCommand;
+import org.eclipse.jgit.api.Git;
+import org.eclipse.jgit.lib.Ref;
 import org.eclipse.jgit.lib.Repository;
+import org.eclipse.jgit.transport.RefSpec;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -50,6 +55,7 @@
 import com.gitblit.models.FederationSet;
 import com.gitblit.models.ForkModel;
 import com.gitblit.models.GitClientApplication;
+import com.gitblit.models.Mailing;
 import com.gitblit.models.Metric;
 import com.gitblit.models.ProjectModel;
 import com.gitblit.models.RegistrantAccessPermission;
@@ -61,9 +67,9 @@
 import com.gitblit.models.SettingModel;
 import com.gitblit.models.TeamModel;
 import com.gitblit.models.UserModel;
+import com.gitblit.tickets.ITicketService;
 import com.gitblit.utils.ArrayUtils;
 import com.gitblit.utils.HttpUtils;
-import com.gitblit.utils.JGitUtils;
 import com.gitblit.utils.JsonUtils;
 import com.gitblit.utils.ObjectCache;
 import com.gitblit.utils.StringUtils;
@@ -157,7 +163,33 @@
 
 		// clone the repository
 		try {
-			JGitUtils.cloneRepository(repositoryManager.getRepositoriesFolder(), cloneName, fromUrl, true, null);
+			Repository canonical = getRepository(repository.name);
+			File folder = new File(repositoryManager.getRepositoriesFolder(), cloneName);
+			CloneCommand clone = new CloneCommand();
+			clone.setBare(true);
+
+			// fetch branches with exclusions
+			Collection<Ref> branches = canonical.getRefDatabase().getRefs(Constants.R_HEADS).values();
+			List<String> branchesToClone = new ArrayList<String>();
+			for (Ref branch : branches) {
+				String name = branch.getName();
+				if (name.startsWith(Constants.R_TICKET)) {
+					// exclude ticket branches
+					continue;
+				}
+				branchesToClone.add(name);
+			}
+			clone.setBranchesToClone(branchesToClone);
+			clone.setURI(fromUrl);
+			clone.setDirectory(folder);
+			Git git = clone.call();
+
+			// fetch tags
+			FetchCommand fetch  = git.fetch();
+			fetch.setRefSpecs(new RefSpec("+refs/tags/*:refs/tags/*"));
+			fetch.call();
+
+			git.getRepository().close();
 		} catch (Exception e) {
 			throw new GitBlitException(e);
 		}
@@ -482,6 +514,15 @@
 		}
 	}
 
+	/**
+	 * Throws an exception if trying to get a ticket service.
+	 *
+	 */
+	@Override
+	public ITicketService getTicketService() {
+		throw new RuntimeException("This class does not have a ticket service!");
+	}
+
 	/*
 	 * ISTOREDSETTINGS
 	 *
@@ -584,28 +625,13 @@
 	}
 
 	@Override
-	public void sendMail(String subject, String message, String... toAddresses) {
-		notificationManager.sendMail(subject, message, toAddresses);
-	}
-
-	@Override
 	public void sendHtmlMail(String subject, String message, Collection<String> toAddresses) {
 		notificationManager.sendHtmlMail(subject, message, toAddresses);
 	}
 
 	@Override
-	public void sendHtmlMail(String subject, String message, String... toAddresses) {
-		notificationManager.sendHtmlMail(subject, message, toAddresses);
-	}
-
-	@Override
-	public void sendHtmlMail(String from, String subject, String message, Collection<String> toAddresses) {
-		notificationManager.sendHtmlMail(from, subject, message, toAddresses);
-	}
-
-	@Override
-	public void sendHtmlMail(String from, String subject, String message, String... toAddresses) {
-		notificationManager.sendHtmlMail(from, subject, message, toAddresses);
+	public void send(Mailing mail) {
+		notificationManager.send(mail);
 	}
 
 	/*
@@ -1113,4 +1139,19 @@
 	public boolean deletePendingFederationProposal(FederationProposal proposal) {
 		return federationManager.deletePendingFederationProposal(proposal);
 	}
+
+	@Override
+	public void closeAll() {
+		repositoryManager.closeAll();
+	}
+
+	@Override
+	public void close(String repository) {
+		repositoryManager.close(repository);
+	}
+
+	@Override
+	public boolean isIdle(Repository repository) {
+		return repositoryManager.isIdle(repository);
+	}
 }

--
Gitblit v1.9.1