From: James Moger Date: Thu, 9 Feb 2012 13:33:16 +0000 (-0500) Subject: Fixed session fixation vulnerability (issue 62) X-Git-Tag: v0.9.0~103 X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=e7883877a98dfcae3f75f1c1a562120d89aed22a;p=gitblit.git Fixed session fixation vulnerability (issue 62) --- diff --git a/docs/04_releases.mkd b/docs/04_releases.mkd index e1dcb400..2b64eaed 100644 --- a/docs/04_releases.mkd +++ b/docs/04_releases.mkd @@ -4,6 +4,10 @@ **%VERSION%** ([go](http://code.google.com/p/gitblit/downloads/detail?name=%GO%) | [war](http://code.google.com/p/gitblit/downloads/detail?name=%WAR%) | [express](http://code.google.com/p/gitblit/downloads/detail?name=%EXPRESS%) | [fedclient](http://code.google.com/p/gitblit/downloads/detail?name=%FEDCLIENT%) | [manager](http://code.google.com/p/gitblit/downloads/detail?name=%MANAGER%) | [api](http://code.google.com/p/gitblit/downloads/detail?name=%API%)) based on [%JGIT%][jgit]   *released %BUILDDATE%* +#### security + +- Fixed session fixation vulnerability where the session identifier was not reset during the login process (issue 62) + #### changes - block pushes to a repository with a working copy (i.e. non-bare repository) (issue-49) diff --git a/src/com/gitblit/wicket/pages/BasePage.java b/src/com/gitblit/wicket/pages/BasePage.java index 80bff167..ca940071 100644 --- a/src/com/gitblit/wicket/pages/BasePage.java +++ b/src/com/gitblit/wicket/pages/BasePage.java @@ -80,7 +80,10 @@ public abstract class BasePage extends WebPage { // Login the user if (user != null) { // Set the user into the session - GitBlitWebSession.get().setUser(user); + GitBlitWebSession session = GitBlitWebSession.get(); + // issue 62: fix session fixation vulnerability + session.replaceSession(); + session.setUser(user); // Set Cookie WebResponse response = (WebResponse) getRequestCycle().getResponse(); diff --git a/src/com/gitblit/wicket/pages/RootPage.java b/src/com/gitblit/wicket/pages/RootPage.java index cbf9cfe1..bad0140b 100644 --- a/src/com/gitblit/wicket/pages/RootPage.java +++ b/src/com/gitblit/wicket/pages/RootPage.java @@ -195,7 +195,10 @@ public abstract class RootPage extends BasePage { private void loginUser(UserModel user) { if (user != null) { // Set the user into the session - GitBlitWebSession.get().setUser(user); + GitBlitWebSession session = GitBlitWebSession.get(); + // issue 62: fix session fixation vulnerability + session.replaceSession(); + session.setUser(user); // Set Cookie if (GitBlit.getBoolean(Keys.web.allowCookieAuthentication, false)) {