From e7883877a98dfcae3f75f1c1a562120d89aed22a Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Thu, 09 Feb 2012 08:33:16 -0500
Subject: [PATCH] Fixed session fixation vulnerability (issue 62)

---
 src/com/gitblit/wicket/pages/EditRepositoryPage.java |  113 ++++++++++++++++++++++++++++++++++++++++++++++++++++++--
 1 files changed, 108 insertions(+), 5 deletions(-)

diff --git a/src/com/gitblit/wicket/pages/EditRepositoryPage.java b/src/com/gitblit/wicket/pages/EditRepositoryPage.java
index 7349ca5..0361da3 100644
--- a/src/com/gitblit/wicket/pages/EditRepositoryPage.java
+++ b/src/com/gitblit/wicket/pages/EditRepositoryPage.java
@@ -19,11 +19,14 @@
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
+import java.util.HashSet;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 
 import org.apache.wicket.PageParameters;
+import org.apache.wicket.behavior.SimpleAttributeModifier;
 import org.apache.wicket.extensions.markup.html.form.palette.Palette;
 import org.apache.wicket.markup.html.form.Button;
 import org.apache.wicket.markup.html.form.CheckBox;
@@ -33,6 +36,8 @@
 import org.apache.wicket.markup.html.form.IChoiceRenderer;
 import org.apache.wicket.markup.html.form.TextField;
 import org.apache.wicket.model.CompoundPropertyModel;
+import org.apache.wicket.model.IModel;
+import org.apache.wicket.model.Model;
 import org.apache.wicket.model.util.CollectionModel;
 import org.apache.wicket.model.util.ListModel;
 
@@ -43,15 +48,19 @@
 import com.gitblit.Keys;
 import com.gitblit.models.RepositoryModel;
 import com.gitblit.models.UserModel;
+import com.gitblit.utils.ArrayUtils;
 import com.gitblit.utils.StringUtils;
 import com.gitblit.wicket.GitBlitWebSession;
 import com.gitblit.wicket.WicketUtils;
+import com.gitblit.wicket.panels.BulletListPanel;
 
-public class EditRepositoryPage extends BasePage {
+public class EditRepositoryPage extends RootSubPage {
 
 	private final boolean isCreate;
 
 	private boolean isAdmin;
+
+	private IModel<String> mailingLists;
 
 	public EditRepositoryPage() {
 		// create constructor
@@ -75,12 +84,17 @@
 
 		List<String> federationSets = new ArrayList<String>();
 		List<String> repositoryUsers = new ArrayList<String>();
+		List<String> repositoryTeams = new ArrayList<String>();
+		List<String> preReceiveScripts = new ArrayList<String>();
+		List<String> postReceiveScripts = new ArrayList<String>();
+
 		if (isCreate) {
-			super.setupPage("", getString("gb.newRepository"));
+			super.setupPage(getString("gb.newRepository"), "");
 		} else {
-			super.setupPage("", getString("gb.edit"));
+			super.setupPage(getString("gb.edit"), repositoryModel.name);
 			if (repositoryModel.accessRestriction.exceeds(AccessRestrictionType.NONE)) {
 				repositoryUsers.addAll(GitBlit.self().getRepositoryUsers(repositoryModel));
+				repositoryTeams.addAll(GitBlit.self().getRepositoryTeams(repositoryModel));
 				Collections.sort(repositoryUsers);
 			}
 			federationSets.addAll(repositoryModel.federationSets);
@@ -92,11 +106,34 @@
 				repositoryUsers), new CollectionModel<String>(GitBlit.self().getAllUsernames()),
 				new ChoiceRenderer<String>("", ""), 10, false);
 
+		// teams palette
+		final Palette<String> teamsPalette = new Palette<String>("teams", new ListModel<String>(
+				repositoryTeams), new CollectionModel<String>(GitBlit.self().getAllTeamnames()),
+				new ChoiceRenderer<String>("", ""), 5, false);
+
 		// federation sets palette
 		List<String> sets = GitBlit.getStrings(Keys.federation.sets);
 		final Palette<String> federationSetsPalette = new Palette<String>("federationSets",
 				new ListModel<String>(federationSets), new CollectionModel<String>(sets),
-				new ChoiceRenderer<String>("", ""), 10, false);
+				new ChoiceRenderer<String>("", ""), 5, false);
+
+		// pre-receive palette
+		if (!ArrayUtils.isEmpty(repositoryModel.preReceiveScripts)) {
+			preReceiveScripts.addAll(repositoryModel.preReceiveScripts);
+		}
+		final Palette<String> preReceivePalette = new Palette<String>("preReceiveScripts",
+				new ListModel<String>(preReceiveScripts), new CollectionModel<String>(GitBlit
+						.self().getPreReceiveScriptsUnused(repositoryModel)),
+				new ChoiceRenderer<String>("", ""), 12, true);
+
+		// post-receive palette
+		if (!ArrayUtils.isEmpty(repositoryModel.postReceiveScripts)) {
+			postReceiveScripts.addAll(repositoryModel.postReceiveScripts);
+		}
+		final Palette<String> postReceivePalette = new Palette<String>("postReceiveScripts",
+				new ListModel<String>(postReceiveScripts), new CollectionModel<String>(GitBlit
+						.self().getPostReceiveScriptsUnused(repositoryModel)),
+				new ChoiceRenderer<String>("", ""), 12, true);
 
 		CompoundPropertyModel<RepositoryModel> model = new CompoundPropertyModel<RepositoryModel>(
 				repositoryModel);
@@ -146,6 +183,12 @@
 						return;
 					}
 
+					// confirm federation strategy selection
+					if (repositoryModel.federationStrategy == null) {
+						error("Please select federation strategy!");
+						return;
+					}
+
 					// save federation set preferences
 					if (repositoryModel.federationStrategy.exceeds(FederationStrategy.EXCLUDE)) {
 						repositoryModel.federationSets.clear();
@@ -155,11 +198,41 @@
 						}
 					}
 
+					// set mailing lists
+					String ml = mailingLists.getObject();
+					if (!StringUtils.isEmpty(ml)) {
+						Set<String> list = new HashSet<String>();
+						for (String address : ml.split("(,|\\s)")) {
+							if (StringUtils.isEmpty(address)) {
+								continue;
+							}
+							list.add(address.toLowerCase());
+						}
+						repositoryModel.mailingLists = new ArrayList<String>(list);
+					}
+
+					// pre-receive scripts
+					List<String> preReceiveScripts = new ArrayList<String>();
+					Iterator<String> pres = preReceivePalette.getSelectedChoices();
+					while (pres.hasNext()) {
+						preReceiveScripts.add(pres.next());
+					}
+					repositoryModel.preReceiveScripts = preReceiveScripts;
+
+					// post-receive scripts
+					List<String> postReceiveScripts = new ArrayList<String>();
+					Iterator<String> post = postReceivePalette.getSelectedChoices();
+					while (post.hasNext()) {
+						postReceiveScripts.add(post.next());
+					}
+					repositoryModel.postReceiveScripts = postReceiveScripts;
+
 					// save the repository
 					GitBlit.self().updateRepositoryModel(oldName, repositoryModel, isCreate);
 
-					// save the repository access list
+					// repository access
 					if (repositoryModel.accessRestriction.exceeds(AccessRestrictionType.NONE)) {
+						// save the user access list
 						Iterator<String> users = usersPalette.getSelectedChoices();
 						List<String> repositoryUsers = new ArrayList<String>();
 						while (users.hasNext()) {
@@ -171,6 +244,14 @@
 							repositoryUsers.add(repositoryModel.owner);
 						}
 						GitBlit.self().setRepositoryUsers(repositoryModel, repositoryUsers);
+
+						// save the team access list
+						Iterator<String> teams = teamsPalette.getSelectedChoices();
+						List<String> repositoryTeams = new ArrayList<String>();
+						while (teams.hasNext()) {
+							repositoryTeams.add(teams.next());
+						}
+						GitBlit.self().setRepositoryTeams(repositoryModel, repositoryTeams);
 					}
 				} catch (GitBlitException e) {
 					error(e.getMessage());
@@ -180,6 +261,9 @@
 				setResponsePage(RepositoriesPage.class);
 			}
 		};
+
+		// do not let the browser pre-populate these fields
+		form.add(new SimpleAttributeModifier("autocomplete", "off"));
 
 		// field names reflective match RepositoryModel fields
 		form.add(new TextField<String>("name").setEnabled(isCreate || isAdmin));
@@ -191,6 +275,13 @@
 		form.add(new CheckBox("isFrozen"));
 		// TODO enable origin definition
 		form.add(new TextField<String>("origin").setEnabled(false/* isCreate */));
+		
+		// allow relinking HEAD to a branch or tag other than master on edit repository
+		List<String> availableRefs = new ArrayList<String>();
+		if (!ArrayUtils.isEmpty(repositoryModel.availableRefs)) {
+			availableRefs.addAll(repositoryModel.availableRefs);
+		}
+		form.add(new DropDownChoice<String>("HEAD", availableRefs).setEnabled(!isCreate));
 
 		// federation strategies - remove ORIGIN choice if this repository has
 		// no origin.
@@ -205,8 +296,20 @@
 		form.add(new CheckBox("useDocs"));
 		form.add(new CheckBox("showRemoteBranches"));
 		form.add(new CheckBox("showReadme"));
+		form.add(new CheckBox("skipSizeCalculation"));
+		form.add(new CheckBox("skipSummaryMetrics"));
+		mailingLists = new Model<String>(ArrayUtils.isEmpty(repositoryModel.mailingLists) ? ""
+				: StringUtils.flattenStrings(repositoryModel.mailingLists, " "));
+		form.add(new TextField<String>("mailingLists", mailingLists));
 		form.add(usersPalette);
+		form.add(teamsPalette);
 		form.add(federationSetsPalette);
+		form.add(preReceivePalette);
+		form.add(new BulletListPanel("inheritedPreReceive", "inherited", GitBlit.self()
+				.getPreReceiveScriptsInherited(repositoryModel)));
+		form.add(postReceivePalette);
+		form.add(new BulletListPanel("inheritedPostReceive", "inherited", GitBlit.self()
+				.getPostReceiveScriptsInherited(repositoryModel)));
 
 		form.add(new Button("save"));
 		Button cancel = new Button("cancel") {

--
Gitblit v1.9.1