From e7883877a98dfcae3f75f1c1a562120d89aed22a Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Thu, 09 Feb 2012 08:33:16 -0500
Subject: [PATCH] Fixed session fixation vulnerability (issue 62)

---
 src/com/gitblit/wicket/pages/EditRepositoryPage.java |   51 +++++++++++++++++++++++++++++++++++++++------------
 1 files changed, 39 insertions(+), 12 deletions(-)

diff --git a/src/com/gitblit/wicket/pages/EditRepositoryPage.java b/src/com/gitblit/wicket/pages/EditRepositoryPage.java
index 492addc..0361da3 100644
--- a/src/com/gitblit/wicket/pages/EditRepositoryPage.java
+++ b/src/com/gitblit/wicket/pages/EditRepositoryPage.java
@@ -19,11 +19,14 @@
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
+import java.util.HashSet;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 
 import org.apache.wicket.PageParameters;
+import org.apache.wicket.behavior.SimpleAttributeModifier;
 import org.apache.wicket.extensions.markup.html.form.palette.Palette;
 import org.apache.wicket.markup.html.form.Button;
 import org.apache.wicket.markup.html.form.CheckBox;
@@ -45,9 +48,11 @@
 import com.gitblit.Keys;
 import com.gitblit.models.RepositoryModel;
 import com.gitblit.models.UserModel;
+import com.gitblit.utils.ArrayUtils;
 import com.gitblit.utils.StringUtils;
 import com.gitblit.wicket.GitBlitWebSession;
 import com.gitblit.wicket.WicketUtils;
+import com.gitblit.wicket.panels.BulletListPanel;
 
 public class EditRepositoryPage extends RootSubPage {
 
@@ -55,7 +60,7 @@
 
 	private boolean isAdmin;
 
-	private IModel<String> mailRecipients;
+	private IModel<String> mailingLists;
 
 	public EditRepositoryPage() {
 		// create constructor
@@ -113,20 +118,22 @@
 				new ChoiceRenderer<String>("", ""), 5, false);
 
 		// pre-receive palette
-		if (repositoryModel.preReceiveScripts != null) {
+		if (!ArrayUtils.isEmpty(repositoryModel.preReceiveScripts)) {
 			preReceiveScripts.addAll(repositoryModel.preReceiveScripts);
 		}
 		final Palette<String> preReceivePalette = new Palette<String>("preReceiveScripts",
 				new ListModel<String>(preReceiveScripts), new CollectionModel<String>(GitBlit
-						.self().getAvailableScripts()), new ChoiceRenderer<String>("", ""), 12, true);
+						.self().getPreReceiveScriptsUnused(repositoryModel)),
+				new ChoiceRenderer<String>("", ""), 12, true);
 
 		// post-receive palette
-		if (repositoryModel.postReceiveScripts != null) {
+		if (!ArrayUtils.isEmpty(repositoryModel.postReceiveScripts)) {
 			postReceiveScripts.addAll(repositoryModel.postReceiveScripts);
 		}
 		final Palette<String> postReceivePalette = new Palette<String>("postReceiveScripts",
 				new ListModel<String>(postReceiveScripts), new CollectionModel<String>(GitBlit
-						.self().getAvailableScripts()), new ChoiceRenderer<String>("", ""), 12, true);
+						.self().getPostReceiveScriptsUnused(repositoryModel)),
+				new ChoiceRenderer<String>("", ""), 12, true);
 
 		CompoundPropertyModel<RepositoryModel> model = new CompoundPropertyModel<RepositoryModel>(
 				repositoryModel);
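Review bot: The palette choices now come from `getPreReceiveScriptsUnused(repositoryModel)` while the selected set is still seeded from `repositoryModel.preReceiveScripts`; if "unused" also excludes scripts the repository itself already selects, those entries have no matching choice and a Wicket Palette would not render them as selected. Presumably "unused" only excludes scripts applied by inheritance, which the inherited panels later in the patch suggest, but confirm. A comment on the choices argument such as `// choices: scripts not already applied by inheritance; the repository's own selections must stay in this list` would pin that contract, and the same applies to the post-receive palette in this hunk. The enclosing constructor body starts and ends outside the hunk.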
@@ -191,11 +198,17 @@
 						}
 					}
 
-					// set mail recipients
-					String ml = mailRecipients.getObject();
+					// set mailing lists
+					String ml = mailingLists.getObject();
 					if (!StringUtils.isEmpty(ml)) {
-						List<String> list = StringUtils.getStringsFromValue(ml.trim(), " ");
-						repositoryModel.mailRecipients = list;
+						Set<String> list = new HashSet<String>();
+						for (String address : ml.split("(,|\\s)")) {
+							if (StringUtils.isEmpty(address)) {
+								continue;
+							}
+							list.add(address.toLowerCase());
+						}
+						repositoryModel.mailingLists = new ArrayList<String>(list);
 					}
 
 					// pre-receive scripts
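Review bot: `address.toLowerCase()` in the loop uses the JVM default locale, so the stored value depends on the server's locale (a Turkish default maps I to dotless i, for example); use `list.add(address.toLowerCase(Locale.ROOT));` and add `import java.util.Locale;` to the import block. Nothing checks that a token looks like an address, so any comma- and whitespace-free string entered in the form is stored and presumably used as a notification recipient; if that is intended, a comment `// tokens are de-duplicated and lowercased but not validated as addresses` on the loop would make it explicit. The enclosing onSubmit body starts and ends outside the hunk.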
@@ -249,6 +262,9 @@
 			}
 		};
 
+		// do not let the browser pre-populate these fields
+		form.add(new SimpleAttributeModifier("autocomplete", "off"));
+
 		// field names reflective match RepositoryModel fields
 		form.add(new TextField<String>("name").setEnabled(isCreate || isAdmin));
 		form.add(new TextField<String>("description"));
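Review bot: The `autocomplete="off"` attribute added to the form is a browser hint that discourages pre-population of the fields; it does not change how the session identifier is issued or rotated, so nothing in this hunk, or elsewhere in the patch, addresses session fixation as the subject line claims — presumably the message was reused from a related change, so confirm and amend it. Browsers are also free to ignore the hint, so it should not be counted as a security control; the comment above the line could say `// browser hint only: discourages autofill of these fields, not a security boundary`. The enclosing constructor body starts and ends outside the hunk.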
@@ -259,6 +275,13 @@
 		form.add(new CheckBox("isFrozen"));
 		// TODO enable origin definition
 		form.add(new TextField<String>("origin").setEnabled(false/* isCreate */));
+		
+		// allow relinking HEAD to a branch or tag other than master on edit repository
+		List<String> availableRefs = new ArrayList<String>();
+		if (!ArrayUtils.isEmpty(repositoryModel.availableRefs)) {
+			availableRefs.addAll(repositoryModel.availableRefs);
+		}
+		form.add(new DropDownChoice<String>("HEAD", availableRefs).setEnabled(!isCreate));
 
 		// federation strategies - remove ORIGIN choice if this repository has
 		// no origin.
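Review bot: The blank line added at the top of the hunk carries trailing tabs; drop them. `availableRefs` is empty whenever the model supplies no refs, in which case the HEAD dropdown renders with no options and, presumably because Wicket resolves the submitted value against the choice list, leaves `HEAD` null on save; confirm that the model tolerates that, and document it on the `DropDownChoice` line with `// choices are limited to refs the model reported; an empty list leaves HEAD unset on save`. The enclosing constructor body starts and ends outside the hunk.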
@@ -275,14 +298,18 @@
 		form.add(new CheckBox("showReadme"));
 		form.add(new CheckBox("skipSizeCalculation"));
 		form.add(new CheckBox("skipSummaryMetrics"));
-		mailRecipients = new Model<String>(repositoryModel.mailRecipients == null ? ""
-				: StringUtils.flattenStrings(repositoryModel.mailRecipients, " "));
-		form.add(new TextField<String>("mailRecipients", mailRecipients));
+		mailingLists = new Model<String>(ArrayUtils.isEmpty(repositoryModel.mailingLists) ? ""
+				: StringUtils.flattenStrings(repositoryModel.mailingLists, " "));
+		form.add(new TextField<String>("mailingLists", mailingLists));
 		form.add(usersPalette);
 		form.add(teamsPalette);
 		form.add(federationSetsPalette);
 		form.add(preReceivePalette);
+		form.add(new BulletListPanel("inheritedPreReceive", "inherited", GitBlit.self()
+				.getPreReceiveScriptsInherited(repositoryModel)));
 		form.add(postReceivePalette);
+		form.add(new BulletListPanel("inheritedPostReceive", "inherited", GitBlit.self()
+				.getPostReceiveScriptsInherited(repositoryModel)));
 
 		form.add(new Button("save"));
 		Button cancel = new Button("cancel") {

--
Gitblit v1.9.1