From b4a63aad7f56486c164a15ae2477bcd251b0bb1b Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Tue, 18 Mar 2014 21:10:48 -0400
Subject: [PATCH] Fix authentication security hole with external providers

---
 src/main/java/com/gitblit/manager/GitblitManager.java |   59 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
 1 files changed, 57 insertions(+), 2 deletions(-)

diff --git a/src/main/java/com/gitblit/manager/GitblitManager.java b/src/main/java/com/gitblit/manager/GitblitManager.java
index 08d6408..b6c2b47 100644
--- a/src/main/java/com/gitblit/manager/GitblitManager.java
+++ b/src/main/java/com/gitblit/manager/GitblitManager.java
@@ -33,7 +33,12 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.eclipse.jgit.api.CloneCommand;
+import org.eclipse.jgit.api.FetchCommand;
+import org.eclipse.jgit.api.Git;
+import org.eclipse.jgit.lib.Ref;
 import org.eclipse.jgit.lib.Repository;
+import org.eclipse.jgit.transport.RefSpec;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -62,9 +67,9 @@
 import com.gitblit.models.SettingModel;
 import com.gitblit.models.TeamModel;
 import com.gitblit.models.UserModel;
+import com.gitblit.tickets.ITicketService;
 import com.gitblit.utils.ArrayUtils;
 import com.gitblit.utils.HttpUtils;
-import com.gitblit.utils.JGitUtils;
 import com.gitblit.utils.JsonUtils;
 import com.gitblit.utils.ObjectCache;
 import com.gitblit.utils.StringUtils;
@@ -158,7 +163,33 @@
 
 		// clone the repository
 		try {
-			JGitUtils.cloneRepository(repositoryManager.getRepositoriesFolder(), cloneName, fromUrl, true, null);
+			Repository canonical = getRepository(repository.name);
+			File folder = new File(repositoryManager.getRepositoriesFolder(), cloneName);
+			CloneCommand clone = new CloneCommand();
+			clone.setBare(true);
+
+			// fetch branches with exclusions
+			Collection<Ref> branches = canonical.getRefDatabase().getRefs(Constants.R_HEADS).values();
+			List<String> branchesToClone = new ArrayList<String>();
+			for (Ref branch : branches) {
+				String name = branch.getName();
+				if (name.startsWith(Constants.R_TICKET)) {
+					// exclude ticket branches
+					continue;
+				}
+				branchesToClone.add(name);
+			}
+			clone.setBranchesToClone(branchesToClone);
+			clone.setURI(fromUrl);
+			clone.setDirectory(folder);
+			Git git = clone.call();
+
+			// fetch tags
+			FetchCommand fetch  = git.fetch();
+			fetch.setRefSpecs(new RefSpec("+refs/tags/*:refs/tags/*"));
+			fetch.call();
+
+			git.getRepository().close();
 		} catch (Exception e) {
 			throw new GitBlitException(e);
 		}
@@ -481,6 +512,15 @@
 		} catch (IOException e) {
 			logger.error("Failed to load resource copy of gitblit.properties");
 		}
+	}
+
+	/**
+	 * Throws an exception if trying to get a ticket service.
+	 *
+	 */
+	@Override
+	public ITicketService getTicketService() {
+		throw new RuntimeException("This class does not have a ticket service!");
 	}
 
 	/*
@@ -1099,4 +1139,19 @@
 	public boolean deletePendingFederationProposal(FederationProposal proposal) {
 		return federationManager.deletePendingFederationProposal(proposal);
 	}
+
+	@Override
+	public void closeAll() {
+		repositoryManager.closeAll();
+	}
+
+	@Override
+	public void close(String repository) {
+		repositoryManager.close(repository);
+	}
+
+	@Override
+	public boolean isIdle(Repository repository) {
+		return repositoryManager.isIdle(repository);
+	}
 }

--
Gitblit v1.9.1