summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/com/gitblit/GitBlitServer.java38
-rw-r--r--src/com/gitblit/build/Build.java6
-rw-r--r--src/com/gitblit/wicket/pages/BasePage.java5
-rw-r--r--src/com/gitblit/wicket/pages/ChangePasswordPage.html4
-rw-r--r--src/com/gitblit/wicket/pages/ChangePasswordPage.java2
-rw-r--r--src/com/gitblit/wicket/pages/EditRepositoryPage.html2
-rw-r--r--src/com/gitblit/wicket/pages/EditTeamPage.html2
-rw-r--r--src/com/gitblit/wicket/pages/EditUserPage.html2
-rw-r--r--src/com/gitblit/wicket/pages/RootPage.java5
-rw-r--r--src/com/gitblit/wicket/pages/SendProposalPage.html2
10 files changed, 57 insertions, 11 deletions
diff --git a/src/com/gitblit/GitBlitServer.java b/src/com/gitblit/GitBlitServer.java
index fd9135fd..3f996fcc 100644
--- a/src/com/gitblit/GitBlitServer.java
+++ b/src/com/gitblit/GitBlitServer.java
@@ -30,6 +30,7 @@ import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.List;
+import org.eclipse.jetty.ajp.Ajp13SocketConnector;
import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.bio.SocketConnector;
@@ -203,6 +204,21 @@ public class GitBlitServer {
}
}
+ // conditionally configure the ajp connector
+ if (params.ajpPort > 0) {
+ Connector ajpConnector = createAJPConnector(params.ajpPort);
+ String bindInterface = settings.getString(Keys.server.ajpBindInterface, null);
+ if (!StringUtils.isEmpty(bindInterface)) {
+ logger.warn(MessageFormat.format("Binding connector on port {0,number,0} to {1}",
+ params.ajpPort, bindInterface));
+ ajpConnector.setHost(bindInterface);
+ }
+ if (params.ajpPort < 1024 && !isWindows()) {
+ logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!");
+ }
+ connectors.add(ajpConnector);
+ }
+
// tempDir is where the embedded Gitblit web application is expanded and
// where Jetty creates any necessary temporary files
File tempDir = new File(params.temp);
@@ -298,9 +314,6 @@ public class GitBlitServer {
connector.setPort(port);
connector.setMaxIdleTime(30000);
- if (port < 1024 && !isWindows()) {
- logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!");
- }
return connector;
}
@@ -354,6 +367,22 @@ public class GitBlitServer {
connector.setMaxIdleTime(30000);
return connector;
}
+
+ /**
+ * Creates an ajp connector.
+ *
+ * @param port
+ * @return an ajp connector
+ */
+ private static Connector createAJPConnector(int port) {
+ logger.info("Setting up AJP Connector on port " + port);
+ Ajp13SocketConnector ajp = new Ajp13SocketConnector();
+ ajp.setPort(port);
+ if (port < 1024 && !isWindows()) {
+ logger.warn("Gitblit needs to run with ROOT permissions for ports < 1024!");
+ }
+ return ajp;
+ }
/**
* Tests to see if the operating system is Windows.
@@ -461,6 +490,9 @@ public class GitBlitServer {
@Parameter(names = "--httpsPort", description = "HTTPS port to serve. (port <= 0 will disable this connector)")
public Integer securePort = FILESETTINGS.getInteger(Keys.server.httpsPort, 443);
+ @Parameter(names = "--ajpPort", description = "AJP port to serve. (port <= 0 will disable this connector)")
+ public Integer ajpPort = FILESETTINGS.getInteger(Keys.server.ajpPort, 0);
+
@Parameter(names = "--storePassword", description = "Password for SSL (https) keystore.")
public String storePassword = FILESETTINGS.getString(Keys.server.storePassword, "");
diff --git a/src/com/gitblit/build/Build.java b/src/com/gitblit/build/Build.java
index ccb4265b..4e8190a7 100644
--- a/src/com/gitblit/build/Build.java
+++ b/src/com/gitblit/build/Build.java
@@ -73,6 +73,7 @@ public class Build {
public static void runtime() {
downloadFromApache(MavenObject.JCOMMANDER, BuildType.RUNTIME);
downloadFromApache(MavenObject.JETTY, BuildType.RUNTIME);
+ downloadFromApache(MavenObject.JETTY_AJP, BuildType.RUNTIME);
downloadFromApache(MavenObject.SERVLET, BuildType.RUNTIME);
downloadFromApache(MavenObject.SLF4JAPI, BuildType.RUNTIME);
downloadFromApache(MavenObject.SLF4LOG4J, BuildType.RUNTIME);
@@ -99,6 +100,7 @@ public class Build {
downloadFromApache(MavenObject.JUNIT, BuildType.RUNTIME);
downloadFromApache(MavenObject.JCOMMANDER, BuildType.COMPILETIME);
downloadFromApache(MavenObject.JETTY, BuildType.COMPILETIME);
+ downloadFromApache(MavenObject.JETTY_AJP, BuildType.COMPILETIME);
downloadFromApache(MavenObject.SERVLET, BuildType.COMPILETIME);
downloadFromApache(MavenObject.SLF4JAPI, BuildType.COMPILETIME);
downloadFromApache(MavenObject.SLF4LOG4J, BuildType.COMPILETIME);
@@ -389,6 +391,10 @@ public class Build {
"bc75f05dd4f7fa848720ac669b8b438ee4a6b146",
"dcd42f672e734521d1a6ccc0c2f9ecded1a1a281");
+ public static final MavenObject JETTY_AJP = new MavenObject("Jetty-AJP",
+ "org/eclipse/jetty", "jetty-ajp", "7.4.3.v20110701", 32000, 22000,
+ 97000, "ddeb533bcf29e9b95555a9c0f34c1de3ab14c430", "bc4798286d705ea972643b3a0b31f46a0c53f605", "");
+
public static final MavenObject SERVLET = new MavenObject("Servlet 3.0", "org/glassfish",
"javax.servlet", "3.0.1", 84000, 211000, 0,
"58f17c941cd0607bb5edcbcafc491d02265ac9a1",
diff --git a/src/com/gitblit/wicket/pages/BasePage.java b/src/com/gitblit/wicket/pages/BasePage.java
index 80bff167..ca940071 100644
--- a/src/com/gitblit/wicket/pages/BasePage.java
+++ b/src/com/gitblit/wicket/pages/BasePage.java
@@ -80,7 +80,10 @@ public abstract class BasePage extends WebPage {
// Login the user
if (user != null) {
// Set the user into the session
- GitBlitWebSession.get().setUser(user);
+ GitBlitWebSession session = GitBlitWebSession.get();
+ // issue 62: fix session fixation vulnerability
+ session.replaceSession();
+ session.setUser(user);
// Set Cookie
WebResponse response = (WebResponse) getRequestCycle().getResponse();
diff --git a/src/com/gitblit/wicket/pages/ChangePasswordPage.html b/src/com/gitblit/wicket/pages/ChangePasswordPage.html
index 938e0eca..e72ef1ed 100644
--- a/src/com/gitblit/wicket/pages/ChangePasswordPage.html
+++ b/src/com/gitblit/wicket/pages/ChangePasswordPage.html
@@ -19,8 +19,8 @@
<td class="edit"><input type="password" wicket:id="confirmPassword" size="30" tabindex="2" /></td>
</tr>
</table>
- <input class="btn" type="submit" wicket:message="value:gb.cancel" wicket:id="cancel" tabindex="3" />
- <input class="btn primary" type="submit" wicket:message="value:gb.save" wicket:id="save" tabindex="4" />
+ <input class="btn primary" type="submit" wicket:message="value:gb.save" wicket:id="save" tabindex="3" />
+ <input class="btn" type="submit" wicket:message="value:gb.cancel" wicket:id="cancel" tabindex="4" />
</center>
</form>
</div>
diff --git a/src/com/gitblit/wicket/pages/ChangePasswordPage.java b/src/com/gitblit/wicket/pages/ChangePasswordPage.java
index 2738a5fc..d7c774d9 100644
--- a/src/com/gitblit/wicket/pages/ChangePasswordPage.java
+++ b/src/com/gitblit/wicket/pages/ChangePasswordPage.java
@@ -120,6 +120,8 @@ public class ChangePasswordPage extends RootSubPage {
@Override
public void onSubmit() {
+ setRedirect(false);
+ error("Password change aborted.");
setResponsePage(RepositoriesPage.class);
}
};
diff --git a/src/com/gitblit/wicket/pages/EditRepositoryPage.html b/src/com/gitblit/wicket/pages/EditRepositoryPage.html
index 7c694ba1..124c82fb 100644
--- a/src/com/gitblit/wicket/pages/EditRepositoryPage.html
+++ b/src/com/gitblit/wicket/pages/EditRepositoryPage.html
@@ -34,7 +34,7 @@
<tr><td colspan="2"><h3><wicket:message key="gb.hookScripts"></wicket:message> &nbsp;<small><wicket:message key="gb.hookScriptsDescription"></wicket:message></small></h3></td></tr>
<tr><th style="vertical-align: top;"><wicket:message key="gb.preReceiveScripts"></wicket:message><p></p><span wicket:id="inheritedPreReceive"></span></th><td style="padding:2px;"><span wicket:id="preReceiveScripts"></span></td></tr>
<tr><th style="vertical-align: top;"><wicket:message key="gb.postReceiveScripts"></wicket:message><p></p><span wicket:id="inheritedPostReceive"></span></th><td style="padding:2px;"><span wicket:id="postReceiveScripts"></span></td></tr>
- <tr><td colspan='2'><div class="actions" "><input class="btn" type="submit" value="Cancel" wicket:message="value:gb.cancel" wicket:id="cancel" tabindex="16" /> &nbsp; <input class="btn primary" type="submit" value="Save" wicket:message="value:gb.save" wicket:id="save" tabindex="16" /></div></td></tr>
+ <tr><td colspan='2'><div class="actions" "><input class="btn primary" type="submit" value="Save" wicket:message="value:gb.save" wicket:id="save" tabindex="16" /> &nbsp; <input class="btn" type="submit" value="Cancel" wicket:message="value:gb.cancel" wicket:id="cancel" tabindex="17" /></div></td></tr>
</tbody>
</table>
</form>
diff --git a/src/com/gitblit/wicket/pages/EditTeamPage.html b/src/com/gitblit/wicket/pages/EditTeamPage.html
index 67e60969..0e613527 100644
--- a/src/com/gitblit/wicket/pages/EditTeamPage.html
+++ b/src/com/gitblit/wicket/pages/EditTeamPage.html
@@ -20,7 +20,7 @@
<tr><td colspan="2" style="padding-top:10px;"><h3><wicket:message key="gb.hookScripts"></wicket:message> &nbsp;<small><wicket:message key="gb.hookScriptsDescription"></wicket:message></small></h3></td></tr>
<tr><th style="vertical-align: top;"><wicket:message key="gb.preReceiveScripts"></wicket:message><p></p><span wicket:id="inheritedPreReceive"></span></th><td style="padding:2px;"><span wicket:id="preReceiveScripts"></span></td></tr>
<tr><th style="vertical-align: top;"><wicket:message key="gb.postReceiveScripts"></wicket:message><p></p><span wicket:id="inheritedPostReceive"></span></th><td style="padding:2px;"><span wicket:id="postReceiveScripts"></span></td></tr>
- <tr><td colspan='2'><div class="actions"><input class="btn" type="submit" value="Cancel" wicket:message="value:gb.cancel" wicket:id="cancel" tabindex="3" /> &nbsp; <input class="btn primary" type="submit" value="Save" wicket:message="value:gb.save" wicket:id="save" tabindex="4" /></div></td></tr>
+ <tr><td colspan='2'><div class="actions"><input class="btn primary" type="submit" value="Save" wicket:message="value:gb.save" wicket:id="save" tabindex="3" /> &nbsp; <input class="btn" type="submit" value="Cancel" wicket:message="value:gb.cancel" wicket:id="cancel" tabindex="4" /></div></td></tr>
</tbody>
</table>
</form>
diff --git a/src/com/gitblit/wicket/pages/EditUserPage.html b/src/com/gitblit/wicket/pages/EditUserPage.html
index 520bbc5d..94077c03 100644
--- a/src/com/gitblit/wicket/pages/EditUserPage.html
+++ b/src/com/gitblit/wicket/pages/EditUserPage.html
@@ -20,7 +20,7 @@
<tr><th style="vertical-align: top;"><wicket:message key="gb.teamMemberships"></wicket:message></th><td style="padding:2px;"><span wicket:id="teams"></span></td></tr>
<tr><td colspan="2"><hr></hr></td></tr>
<tr><th style="vertical-align: top;"><wicket:message key="gb.restrictedRepositories"></wicket:message></th><td style="padding:2px;"><span wicket:id="repositories"></span></td></tr>
- <tr><td colspan='2'><div class="actions"><input class="btn" type="submit" value="Cancel" wicket:message="value:gb.cancel" wicket:id="cancel" tabindex="8" /> &nbsp; <input class="btn primary" type="submit" value="Save" wicket:message="value:gb.save" wicket:id="save" tabindex="9" /></div></td></tr>
+ <tr><td colspan='2'><div class="actions"><input class="btn primary" type="submit" value="Save" wicket:message="value:gb.save" wicket:id="save" tabindex="8" /> &nbsp; <input class="btn" type="submit" value="Cancel" wicket:message="value:gb.cancel" wicket:id="cancel" tabindex="9" /></div></td></tr>
</tbody>
</table>
</form>
diff --git a/src/com/gitblit/wicket/pages/RootPage.java b/src/com/gitblit/wicket/pages/RootPage.java
index cbf9cfe1..bad0140b 100644
--- a/src/com/gitblit/wicket/pages/RootPage.java
+++ b/src/com/gitblit/wicket/pages/RootPage.java
@@ -195,7 +195,10 @@ public abstract class RootPage extends BasePage {
private void loginUser(UserModel user) {
if (user != null) {
// Set the user into the session
- GitBlitWebSession.get().setUser(user);
+ GitBlitWebSession session = GitBlitWebSession.get();
+ // issue 62: fix session fixation vulnerability
+ session.replaceSession();
+ session.setUser(user);
// Set Cookie
if (GitBlit.getBoolean(Keys.web.allowCookieAuthentication, false)) {
diff --git a/src/com/gitblit/wicket/pages/SendProposalPage.html b/src/com/gitblit/wicket/pages/SendProposalPage.html
index 8a289068..75bcd3d5 100644
--- a/src/com/gitblit/wicket/pages/SendProposalPage.html
+++ b/src/com/gitblit/wicket/pages/SendProposalPage.html
@@ -14,7 +14,7 @@
<tr><th valign="top"><wicket:message key="gb.message">message</wicket:message></th><td class="edit"><input class="span8" type="text" wicket:id="message" size="80" /></td></tr>
<tr><th><wicket:message key="gb.type">type</wicket:message></th><td><span wicket:id="tokenType">[token type]</span></td></tr>
<tr><th><wicket:message key="gb.token">token</wicket:message></th><td><span class="sha1" wicket:id="token">[token]</span></td></tr>
- <tr><th></th><td class="editButton"><input class="btn" type="submit" value="Cancel" wicket:message="value:gb.cancel" wicket:id="cancel" /> <input class="btn primary" type="submit" value="propose" wicket:message="value:gb.sendProposal" wicket:id="save" /> </td></tr>
+ <tr><th></th><td class="editButton"><input class="btn primary" type="submit" value="propose" wicket:message="value:gb.sendProposal" wicket:id="save" /> &nbsp; <input class="btn" type="submit" value="Cancel" wicket:message="value:gb.cancel" wicket:id="cancel" /></td></tr>
</table>
</form>
generated by cgit v1.2.3 (git 2.39.1) at 2025-05-16 20:52:07 +0000