From e7883877a98dfcae3f75f1c1a562120d89aed22a Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Thu, 09 Feb 2012 08:33:16 -0500
Subject: [PATCH] Fixed session fixation vulnerability (issue 62)

---
 src/com/gitblit/wicket/pages/EditRepositoryPage.java |   32 +++++++++++++++++++++++---------
 1 files changed, 23 insertions(+), 9 deletions(-)

diff --git a/src/com/gitblit/wicket/pages/EditRepositoryPage.java b/src/com/gitblit/wicket/pages/EditRepositoryPage.java
index 69d2119..0361da3 100644
--- a/src/com/gitblit/wicket/pages/EditRepositoryPage.java
+++ b/src/com/gitblit/wicket/pages/EditRepositoryPage.java
@@ -26,6 +26,7 @@
 import java.util.Set;
 
 import org.apache.wicket.PageParameters;
+import org.apache.wicket.behavior.SimpleAttributeModifier;
 import org.apache.wicket.extensions.markup.html.form.palette.Palette;
 import org.apache.wicket.markup.html.form.Button;
 import org.apache.wicket.markup.html.form.CheckBox;
@@ -47,6 +48,7 @@
 import com.gitblit.Keys;
 import com.gitblit.models.RepositoryModel;
 import com.gitblit.models.UserModel;
+import com.gitblit.utils.ArrayUtils;
 import com.gitblit.utils.StringUtils;
 import com.gitblit.wicket.GitBlitWebSession;
 import com.gitblit.wicket.WicketUtils;
@@ -116,22 +118,22 @@
 				new ChoiceRenderer<String>("", ""), 5, false);
 
 		// pre-receive palette
-		if (repositoryModel.preReceiveScripts != null) {
+		if (!ArrayUtils.isEmpty(repositoryModel.preReceiveScripts)) {
 			preReceiveScripts.addAll(repositoryModel.preReceiveScripts);
 		}
 		final Palette<String> preReceivePalette = new Palette<String>("preReceiveScripts",
 				new ListModel<String>(preReceiveScripts), new CollectionModel<String>(GitBlit
-						.self().getAvailableScripts()), new ChoiceRenderer<String>("", ""), 12,
-				true);
+						.self().getPreReceiveScriptsUnused(repositoryModel)),
+				new ChoiceRenderer<String>("", ""), 12, true);
 
 		// post-receive palette
-		if (repositoryModel.postReceiveScripts != null) {
+		if (!ArrayUtils.isEmpty(repositoryModel.postReceiveScripts)) {
 			postReceiveScripts.addAll(repositoryModel.postReceiveScripts);
 		}
 		final Palette<String> postReceivePalette = new Palette<String>("postReceiveScripts",
 				new ListModel<String>(postReceiveScripts), new CollectionModel<String>(GitBlit
-						.self().getAvailableScripts()), new ChoiceRenderer<String>("", ""), 12,
-				true);
+						.self().getPostReceiveScriptsUnused(repositoryModel)),
+				new ChoiceRenderer<String>("", ""), 12, true);
 
 		CompoundPropertyModel<RepositoryModel> model = new CompoundPropertyModel<RepositoryModel>(
 				repositoryModel);
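Review bot: The pre-receive and post-receive palettes are built by two blocks that differ only in the component id, the selected list and the `GitBlit.self()` accessor, and the change makes them longer, so this is the moment to fold them into one private helper rather than keep two copies in step by hand. A helper such as the one below keeps the `ChoiceRenderer`, the row count and the `allowOrder` flag in one place, and each call site shrinks to one line, e.g. `final Palette<String> preReceivePalette = scriptPalette("preReceiveScripts", preReceiveScripts, GitBlit.self().getPreReceiveScriptsUnused(repositoryModel));`. The `preReceiveScripts`/`postReceiveScripts` lists are declared before this hunk, so their types are assumed to be `List<String>`.
```java
/** Builds an ordered script palette with the renderer and sizing shared by both hook palettes. */
private static Palette<String> scriptPalette(String id, List<String> selected, Collection<String> available) {
	return new Palette<String>(id, new ListModel<String>(selected),
			new CollectionModel<String>(available), new ChoiceRenderer<String>("", ""), 12, true);
}
```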
@@ -260,6 +262,9 @@
 			}
 		};
 
+		// do not let the browser pre-populate these fields
+		form.add(new SimpleAttributeModifier("autocomplete", "off"));
+
 		// field names reflective match RepositoryModel fields
 		form.add(new TextField<String>("name").setEnabled(isCreate || isAdmin));
 		form.add(new TextField<String>("description"));
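Review bot: The `autocomplete="off"` attribute added to the form is a browser hint that user agents are free to ignore, and nothing in this hunk (or elsewhere in this patch) touches session handling, so it cannot be the fix for the session fixation issue named in the subject; presumably that fix lives in a session or login class outside this file, and it would help the reader if the description said so. The comment on the new line should not overstate what the attribute does; I would write it as `// hint only: ask the browser not to pre-populate these fields (browsers may ignore autocomplete=off)`. Any value that must not be retained by the client needs a server-side control, not this attribute.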
@@ -270,6 +275,13 @@
 		form.add(new CheckBox("isFrozen"));
 		// TODO enable origin definition
 		form.add(new TextField<String>("origin").setEnabled(false/* isCreate */));
+		
+		// allow relinking HEAD to a branch or tag other than master on edit repository
+		List<String> availableRefs = new ArrayList<String>();
+		if (!ArrayUtils.isEmpty(repositoryModel.availableRefs)) {
+			availableRefs.addAll(repositoryModel.availableRefs);
+		}
+		form.add(new DropDownChoice<String>("HEAD", availableRefs).setEnabled(!isCreate));
 
 		// federation strategies - remove ORIGIN choice if this repository has
 		// no origin.
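Review bot: The new `HEAD` `DropDownChoice` is enabled on every edit even when `availableRefs` ends up empty, which renders a dropdown whose only entry is the null option and submits a null `HEAD`; unless the save handler (outside this hunk) treats null as "leave unchanged", that would clear the model's HEAD on an ordinary save. Guard it on the list actually having entries, `form.add(new DropDownChoice<String>("HEAD", availableRefs).setEnabled(!isCreate && !availableRefs.isEmpty()));`, and confirm in the submit path that a null or unknown ref is rejected rather than written. Wicket validates the submitted value against `availableRefs`, so a ref not in the list should already be refused; the null case is the one to check.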
@@ -286,16 +298,18 @@
 		form.add(new CheckBox("showReadme"));
 		form.add(new CheckBox("skipSizeCalculation"));
 		form.add(new CheckBox("skipSummaryMetrics"));
-		mailingLists = new Model<String>(repositoryModel.mailingLists == null ? ""
+		mailingLists = new Model<String>(ArrayUtils.isEmpty(repositoryModel.mailingLists) ? ""
 				: StringUtils.flattenStrings(repositoryModel.mailingLists, " "));
 		form.add(new TextField<String>("mailingLists", mailingLists));
 		form.add(usersPalette);
 		form.add(teamsPalette);
 		form.add(federationSetsPalette);
 		form.add(preReceivePalette);
-		form.add(new BulletListPanel("inheritedPreReceive", "inherited", GitBlit.self().getInheritedPreReceiveScripts(repositoryModel)));
+		form.add(new BulletListPanel("inheritedPreReceive", "inherited", GitBlit.self()
+				.getPreReceiveScriptsInherited(repositoryModel)));
 		form.add(postReceivePalette);
-		form.add(new BulletListPanel("inheritedPostReceive", "inherited", GitBlit.self().getInheritedPostReceiveScripts(repositoryModel)));
+		form.add(new BulletListPanel("inheritedPostReceive", "inherited", GitBlit.self()
+				.getPostReceiveScriptsInherited(repositoryModel)));
 
 		form.add(new Button("save"));
 		Button cancel = new Button("cancel") {

--
Gitblit v1.9.1