From d40adc7553bc900328afa918f45b6d9e9c3087fb Mon Sep 17 00:00:00 2001
From: James Moger
Date: Mon, 24 Oct 2011 08:20:35 -0400
Subject: [PATCH] Fixed security hole when cloning repository with TortoiseGit (issue 28)
---
 docs/00_index.mkd | 3 ++-
 docs/01_features.mkd | 7 ++++---
 docs/02_rpc.mkd | 4 ++++
 docs/04_releases.mkd | 3 ++-
 src/com/gitblit/AccessRestrictionFilter.java | 1 -
 src/com/gitblit/GitFilter.java | 2 ++
 tests/com/gitblit/tests/GitServletTest.java | 19 ++++++++++++++++++-
 7 files changed, 32 insertions(+), 7 deletions(-)
diff --git a/docs/00_index.mkd b/docs/00_index.mkd
index 86272690..12edae5d 100644
--- a/docs/00_index.mkd
+++ b/docs/00_index.mkd
@@ -29,6 +29,7 @@ Gitblit requires a Java 6 Runtime Environment (JRE) or a Java 6 Development Kit
 **%VERSION%** ([go](http://code.google.com/p/gitblit/downloads/detail?name=%GO%)|[war](http://code.google.com/p/gitblit/downloads/detail?name=%WAR%)|[fedclient](http://code.google.com/p/gitblit/downloads/detail?name=%FEDCLIENT%)|[manager](http://code.google.com/p/gitblit/downloads/detail?name=%MANAGER%)) based on [%JGIT%][jgit]   *released %BUILDDATE%*
+- **security**: fixed security hole when cloning clone-restricted repository with TortoiseGit (issue 28)
 - improved: updated ui with Twitter's Bootstrap CSS toolkit **New:** *web.loginMessage = gitblit*
 - improved: repositories list performance by caching repository sizes (issue 27)
@@ -45,7 +46,7 @@ Gitblit requires a Java 6 Runtime Environment (JRE) or a Java 6 Development Kit
 - fixed: collision on rename for repositories and users
 - fixed: Gitblit can now browse the Linux kernel repository (issue 25)
 - fixed: Gitblit now runs on Servlet 3.0 webservers (e.g. Tomcat 7, Jetty 8) (issue 23)
-- fixed: Set the RSS content type for Firefox 4 (issue 22)
+- fixed: Set the RSS content type of syndication feeds for Firefox 4 (issue 22)
 - fixed: Null pointer exception if did not set federation strategy (issue 20)
 - fixed: Gitblit GO allows SSL renegotiation if running on Java 1.6.0_22 or later
 - added: IUserService.setup(IStoredSettings) for custom user service implementations
diff --git a/docs/01_features.mkd b/docs/01_features.mkd
index 93647101..5f15aaea 100644
--- a/docs/01_features.mkd
+++ b/docs/01_features.mkd
@@ -9,11 +9,12 @@
 - ![freeze](cold_16x16.png) Freeze repository (i.e. deny push, make read-only)
 - Ability to federate with one or more other Gitblit instances
 - JSON RPC interface
+- Java/Swing Gitblit Manager tool
 - Gitweb inspired web UI
-- Administrators may create, edit, rename, or delete repositories through the web UI
-- Administrators may create, edit, rename, or delete users through the web UI
+- Administrators may create, edit, rename, or delete repositories through the web UI or RPC interface
+- Administrators may create, edit, rename, or delete users through the web UI or RPC interface
 - Repository Owners may edit repositories through the web UI
-- Git-notes support
+- Git-notes display support
 - Branch metrics (uses Google Charts)
 - HEAD and Branch RSS feeds
 - Blame annotations view
diff --git a/docs/02_rpc.mkd b/docs/02_rpc.mkd
index 94739ca3..0150d168 100644
--- a/docs/02_rpc.mkd
+++ b/docs/02_rpc.mkd
@@ -84,6 +84,7 @@ Currently this project is in the planning stage.
 ],
 "isFederated": false,
 "skipSizeCalculation": false,
+ "skipSummaryMetrics": false,
 "size": "102 KB"
 },
 "https://localhost/git/libraries/smack.git": {
@@ -102,6 +103,7 @@ Currently this project is in the planning stage.
 "federationSets": [],
 "isFederated": false,
 "skipSizeCalculation": false,
+ "skipSummaryMetrics": false,
 "size": "4.8 MB"
 }
 }
@@ -131,6 +133,8 @@ The original repository name is specified in the *name* url parameter. The new
 "libraries"
 ],
 "isFederated": false,
+ "skipSizeCalculation": false,
+ "skipSummaryMetrics": false,
 "size": "102 KB"
 }
diff --git a/docs/04_releases.mkd b/docs/04_releases.mkd
index e844322b..68e09084 100644
--- a/docs/04_releases.mkd
+++ b/docs/04_releases.mkd
@@ -3,6 +3,7 @@
 ### Current Release
 **%VERSION%** ([go](http://code.google.com/p/gitblit/downloads/detail?name=%GO%)|[war](http://code.google.com/p/gitblit/downloads/detail?name=%WAR%)|[fedclient](http://code.google.com/p/gitblit/downloads/detail?name=%FEDCLIENT%)|[manager](http://code.google.com/p/gitblit/downloads/detail?name=%MANAGER%)) based on [%JGIT%][jgit]   *released %BUILDDATE%*
+- **security**: fixed security hole when cloning clone-restricted repository with TortoiseGit (issue 28)
 - improved: updated ui with Twitter's Bootstrap CSS toolkit **New:** *web.loginMessage = gitblit*
 - improved: repositories list performance by caching repository sizes (issue 27)
@@ -19,7 +20,7 @@
 - fixed: collision on rename for repositories and users
 - fixed: Gitblit can now browse the Linux kernel repository (issue 25)
 - fixed: Gitblit now runs on Servlet 3.0 webservers (e.g. Tomcat 7, Jetty 8) (issue 23)
-- fixed: Set the RSS content type for Firefox 4 (issue 22)
+- fixed: Set the RSS content type of syndication feeds for Firefox 4 (issue 22)
 - fixed: Null pointer exception if did not set federation strategy (issue 20)
 - fixed: Gitblit GO allows SSL renegotiation if running on Java 1.6.0_22 or later
 - added: IUserService.setup(IStoredSettings) for custom user service implementations
diff --git a/src/com/gitblit/AccessRestrictionFilter.java b/src/com/gitblit/AccessRestrictionFilter.java
index 27e2a18a..a8d50b8c 100644
--- a/src/com/gitblit/AccessRestrictionFilter.java
+++ b/src/com/gitblit/AccessRestrictionFilter.java
@@ -25,7 +25,6 @@ import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import com.gitblit.AuthenticationFilter.AuthenticatedRequest;
 import com.gitblit.models.RepositoryModel;
 import com.gitblit.models.UserModel;
 import com.gitblit.utils.StringUtils;
diff --git a/src/com/gitblit/GitFilter.java b/src/com/gitblit/GitFilter.java
index 83e7ac83..8127ffae 100644
--- a/src/com/gitblit/GitFilter.java
+++ b/src/com/gitblit/GitFilter.java
@@ -75,6 +75,8 @@ public class GitFilter extends AccessRestrictionFilter {
 return gitReceivePack;
 } else if (suffix.contains("?service=git-upload-pack")) {
 return gitUploadPack;
+ } else {
+ return gitUploadPack;
 }
 }
 return null;
diff --git a/tests/com/gitblit/tests/GitServletTest.java b/tests/com/gitblit/tests/GitServletTest.java
index 0ede7cab..6a839742 100644
--- a/tests/com/gitblit/tests/GitServletTest.java
+++ b/tests/com/gitblit/tests/GitServletTest.java
@@ -12,6 +12,7 @@ import junit.framework.TestCase;
 import org.eclipse.jgit.api.CloneCommand;
 import org.eclipse.jgit.api.Git;
+import org.eclipse.jgit.transport.UsernamePasswordCredentialsProvider;
 import org.eclipse.jgit.util.FileUtils;
 import com.gitblit.GitBlitServer;
@@ -50,7 +51,9 @@ public class GitServletTest extends TestCase {
 }
 public void testClone() throws Exception {
- FileUtils.delete(folder, FileUtils.RECURSIVE);
+ if (folder.exists()) {
+ FileUtils.delete(folder, FileUtils.RECURSIVE);
+ }
 CloneCommand clone = Git.cloneRepository();
 clone.setURI(MessageFormat.format("http://localhost:{0,number,#}/git/ticgit.git", port));
 clone.setDirectory(folder);
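Review bot: The new `else` at the end of the service dispatch in GitFilter maps every suffix that is not an explicit `?service=` request to `gitUploadPack`, so such a request is now evaluated as a clone instead of falling through to `return null`; what a null action meant to the caller is outside this hunk, but the commit title suggests it let a TortoiseGit clone of a clone-restricted repository through unchecked. The branches above `return gitReceivePack;` are cut off by the hunk, so please confirm one of them matches the bare `git-receive-pack` suffix of a smart-HTTP push (the POST carries no `?service=` query) — otherwise a push would now land in the new default and be checked at clone rather than push level. The fail-safe choice also deserves a comment above the new `else`, e.g. `// Anything else (e.g. TortoiseGit's info/refs request without ?service=) is treated as a clone so the clone restriction still applies instead of the request going unclassified`. The enclosing method starts outside the hunk.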
@@ -71,4 +74,18 @@ public class GitServletTest extends TestCase {
 git.push().setPushAll().call();
 git.getRepository().close();
 }
+
+ public void testBogusLoginClone() throws Exception {
+ File folder = new File(GitBlitSuite.REPOSITORIES, "working/gitblit");
+ if (folder.exists()) {
+ FileUtils.delete(folder, FileUtils.RECURSIVE);
+ }
+ CloneCommand clone = Git.cloneRepository();
+ clone.setURI(MessageFormat.format("http://localhost:{0,number,#}/git/gitblit.git", port));
+ clone.setDirectory(folder);
+ clone.setBare(false);
+ clone.setCloneAllBranches(true);
+ clone.setCredentialsProvider(new UsernamePasswordCredentialsProvider("bogus", "bogus"));
+ clone.call();
+ }
 }
--
2.39.5
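Review bot: `testBogusLoginClone` makes no assertion: it passes whenever `clone.call()` returns without throwing, so if its purpose is the issue 28 scenario — a clone-restricted repository rejecting a clone presented with wrong credentials — a regression that let the clone through again would not be caught. If `gitblit.git` is restricted in the suite (its setup is not visible here, please confirm), make the expected outcome explicit, e.g. `try { clone.call(); fail("clone of a restricted repository with bogus credentials must be rejected"); }` followed by `catch (TransportException expected) { }` using the JGit exception raised on an authorization failure; if it is instead an open repository whose point is that bad credentials are tolerated, state that in a comment on the method. In either case the `Git` returned by `clone.call()` is discarded without `getRepository().close()`, unlike the method whose tail is shown in the context lines, and the local `File folder` shadows the `folder` field that `testClone` uses.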