Commit log. Each entry lists the commit subject (and tag, if any), then author, date, number of files changed and lines removed/added (-/+), followed by the commit message body where one exists. Commits on a merged branch are indented under their merge commit.
* Prepare 1.9.3 release (tag v1.9.3)
  flaix, 2022-04-09, 2 files, -10/+10

* pages: Fix link for GitExtension, which moved to Github
  Florian Zschocke, 2022-04-09, 13 files, -13/+13
* doc: Fix download link for fedclient and api tar
  Florian Zschocke, 2022-04-09, 2 files, -2/+2
  It was still pointing to Google Code. This closes #1408
* doc: Fix links for dependencies that moved from Google Code
  Florian Zschocke, 2022-04-09, 2 files, -6/+6

* Readme: Fix link to nightly docker image
  Florian Zschocke, 2022-03-14, 1 file, -1/+1
  The link to the nightly docker images points to the actual image layer, which is removed when a new nightly is pushed. Instead, we should point to the images page, filtering on the tag 'nightly'.

* doc: Update release notes
  Florian Zschocke, 2022-03-14, 1 file, -3/+24
* Merge pull request #1411 from gitblit/1410-vulnerability-userdb into mixup-1.9
  Florian Zschocke, 2022-03-14, 3 files, -6/+382
  Fix vulnerability in config user service backend

  * fix: Fix StoredUserConfig not escaping control characters
    Florian Zschocke, 2022-03-13, 2 files, -3/+191
    The `StoredUserConfig` only escaped the escape character, i.e. backslash. But it does not escape control characters like tab or newline. This introduces a vulnerability where an attacker can create new entries in their user account and create new accounts.
    In addition, other characters are also not properly handled. Field values with a comment character need to be quoted. This only happens for the `#` character and only when the value starts with it. Also the quote is not escaped in values.
    This change completely rewrites the `escape` method of `StoredUserConfig`. It takes care of properly escaping characters that need escaping for the git configuration file format.
    This fixes #1410

  * fix: Fix StoredUserConfig handling null subsections
    Florian Zschocke, 2022-03-13, 2 files, -2/+65
    The `StoredUserConfig` did not handle sections without a subsection. When the subsection did not exist, i.e. was `null`, then the subsection name would be set to the string "null". This is not how the config file format works. It should create a `[SECTIONNAME]` entry instead.
    This fix handles a `null` subsection correctly, by handling it as a section without a subsection.

  * test: Add exploit test for config user service
    Florian Zschocke, 2022-03-12, 1 file, -1/+126
    Add unit tests for exploiting the email address or display name in the config user service by using newlines in the values.
* Reset build identifiers for next point release cycle
  Florian Zschocke, 2022-03-12, 2 files, -2/+20

* Prepare 1.9.2 release (tag v1.9.2)
  flaix, 2022-02-05, 2 files, -10/+10

* site: Fix awful HTML indentation
  Florian Zschocke, 2022-02-03, 1 file, -18/+18
* site: Old packages moved from Bintray to Cloudsmith
  Florian Zschocke, 2022-02-03, 2 files, -2/+3
  Since Bintray ceased operation, the packages for versions 1.4.0 - 1.8.0 have been uploaded to Cloudsmith. Adjust the links appropriately. An attribution is added to comply with Cloudsmith's OSS hosting policy.
* build: Determine release version with simple grep
  Florian Zschocke, 2022-02-01, 1 file, -6/+9
  To determine what the release version is to be, use a simple grep over the moxie.build file and cut off the `-SNAPSHOT` part. The moxie tag command doesn't do anything else, either. But the problem is that when using the moxie tag command on the release branch, where the version has already been set to a release version, it would create a second release version, like so: 1.9.2-1.

* build: Allow for updating an existing draft release
  Florian Zschocke, 2022-02-01, 2 files, -30/+366
  When creating a release draft and uploading assets, provision for the case that a draft release already exists. In that case, instead of creating a release, the existing release (changelog) is edited and the assets are deleted before the new built ones are uploaded.
  This commit also introduces the `${gh.repo}` property in build.xml, so that the Github project could be chosen dynamically. Not really needed, to be honest, but, yeah, whatever.

* build: Add target to determine and report release version
  Florian Zschocke, 2022-02-01, 1 file, -2/+30

* Build: create macro for creating the release process script
  Florian Zschocke, 2022-02-01, 1 file, -27/+60
  Refactor the creation of the release process script, from `release.template` into a `macrodef`. Add a new target `releaseScript`, so that the release script can be created after the `tagRelease` target was run. This is helpful if the `tagRelease` target is run by a different, earlier process than the actual release creation process.

* doc: Update release notes
  Florian Zschocke, 2022-02-01, 1 file, -1/+4
* Update Japanese translation
  Takehide Morimoto, 2022-01-15, 6 files, -170/+1271
* Detect and report if running in container
  Florian Zschocke, 2021-12-10, 2 files, -0/+76
  To help with analysis, try to detect if the instance is running inside a container. Some containers are detected, but this is probably not exhaustive. At least a Docker container should be detectable. Report in the runtime manager to the log if a container was detected.

* run: Put variables in quotes in shell scripts
  Florian Zschocke, 2021-12-09, 3 files, -4/+4

* readme: Add shields for license and nightly docker date
  Florian Zschocke, 2021-12-07, 1 file, -1/+3

* pages: Fix repo-relative reference links in markdown docs
  Florian Zschocke, 2021-12-06, 2 files, -15/+40
  As with explicit links, also for reference links in markdown documents which point to repository-relative files the links are broken. They do not take the path to the repository into account. This fix is related to commit b23269 which fixed issue #1358 for explicit links.
* Merge branch 'fix-864' into master
  Florian Zschocke, 2021-12-04, 2 files, -5/+734
  Merge fix for issue #864.

  * bug: Fix double encoding links in Markdown/Wiki pages
    Florian Zschocke, 2021-12-04, 1 file, -5/+0
    When parsing Markdown or Wiki pages, links get URL encoded. This happened twice for links to other documents. Once explicitly and once by Wicket when it creates a `urlFor` the page. That results in multi-byte characters getting percent escaped, and then the percent character again getting percent escaped.
    The explicit encoding looks like a forgotten left over, so it gets removed from the code. The Wicket encoding is smarter anyways, knowing what is path and what is parameter.
    This fixes #864.

  * Add tests for MarkupProcessor
    Florian Zschocke, 2021-12-04, 1 file, -0/+734
* deps: Update to Jetty 9.2.30.v20200428
  Florian Zschocke, 2021-12-03, 4 files, -5/+6
  This closes #1390

* Update contributing guidelines
  Florian Zschocke, 2021-12-02, 2 files, -5/+32
  And, link to the contributing guidelines from the Readme.

* docs: Update release notes
  Florian Zschocke, 2021-12-02, 1 file, -4/+24

* docs: Update docker URL
  Florian Zschocke, 2021-11-25, 2 files, -3/+7
  Update the URL to the Gitblit docker image to point to the `gitblit/gitblit` repository, which I now consider the official Docker repository. Also link to the Docker images on the main page.
* docs: Change Ohloh link to Open Hub
  Florian Zschocke, 2021-11-25, 1 file, -2/+2
  Ohloh got acquired by Synopsys and is now Open Hub. Change the Ohloh link in the links menu to point to Open Hub.
* Change bugtraq link for issues to Github
  Florian Zschocke, 2021-11-25, 1 file, -1/+1

* Fixes external links broken in markdown rendering (#1392)
  TomaszSzt, 2021-11-18, 1 file, -0/+16
  This commit fixes what was broken in commit https://github.com/gitblit/gitblit/commit/b23269acc0f460f583311c679d751925b8402563 due to #1358 issue

* Fix NPE
  Tom, 2021-11-03, 1 file, -7/+3
  Although it seems strange to have a RefModel with a referenced object but a null Ref, Gitblit uses such RefModels for instance in JGitUtils.getNotesOnCommit(). Be careful to do something sensible when that Ref is null.
* Issue #1011: do not serialize JGit commit objects
  Tom, 2021-11-03, 13 files, -97/+230
  JGit commit objects are a recursive data structure; they have links to their parent commits. Serializing a JGit commit will try to recursively serialize all reachable ancestors as far as they have been loaded. If that ancestor chain is too long, a StackOverflowError is thrown during Wicket's page serialization if a page has a reference to such a JGit commit.
  Fixed by making sure that pages do not contain references to JGit commits. Use the (existing) wrapper object RepositoryCommit instead.
  - RepositoryCommit has a transient reference to the JGit commit and reads the commit from the repository upon de-serialization.
  - RefModel is a similar case (JGit tags/branches may also have links to the commits they point to). Solved a bit differently by making it a pure data object by transferring the interesting data from the JGit object in the constructor.
  - Change DataViews instantiated with RevCommit to use RepositoryCommit instead.
  - Change inner anonymous DataViews to ensure they do not have a synthesized field referencing the "allRefs" map. Such a synthesized field would also get serialized, and then serialize JGit commits again.
  Finally, remove non-transient logger instances in Wicket classes. Those might lead to NotSerializableException.
  These StackOverflowErrors have been reported in several places since 2014:
  - https://groups.google.com/forum/#!topic/gitblit/GH1d8WSlR6Q
  - https://bugs.chromium.org/p/gerrit/issues/detail?id=3316
  - https://groups.google.com/d/msg/repo-discuss/Kcl0JIGNiGk/0DjH4mO8hA8J
  - https://groups.google.com/d/msg/repo-discuss/0_P6A3fjTec/2kcpVPIUAQAJ
  - https://github.com/gitblit/gitblit/issues/1011
  - https://github.com/tomaswolf/gerrit-gitblit-plugin/issues/21
* Merge branch pr1343 into master
  Florian Zschocke, 2021-11-03, 6 files, -0/+867
  Merge the edited PR #1343 from @vhot2076. This merge only includes the Russian translation. I could not reproduce the layout error, so a new PR with more information should be created if the problem still exists.
  This merge closes #1343

  * Add test for loading Russian properties
    Florian Zschocke, 2021-11-03, 2 files, -0/+13

  * Adding Russian translation (Russian language added)
    Vladimir A, 2021-11-03, 5 files, -0/+854
* Merge pull request #1383 from flaix/encode-raw-links
  Florian Zschocke, 2021-10-26, 1 file, -1/+3
  raw: URL encode the links to raw view of files

  * raw: URL encode the links to raw view of files
    Florian Zschocke, 2021-10-24, 1 file, -1/+3
    So far links to raw view were not encoded. The browser did some encoding of spaces on its own, which the servlet would unescape, since it uses the `HttpServletRequest.getPathInfo` method. That decodes the path before returning it.
    A problem arises when a bracket is in the file (or folder) name. The brackets are the characters that are not allowed in the path, according to the `URI.parse` method. (Which is a bit harsh, because brackets actually are only reserved for the host part since IPv6.) That means that the decoding fails when a bracket character is encountered. This went unnoticed since the failed decoding will return the path as it got it. But once there is a space in the file name, which the browser helpfully encoded for us, the failed decoding will now leave the encoded space in there. And that will result in a path that does not exist, e.g. `file%20[a]`.
    To be on the safe side, we simply encode the path in the links that we generate, so that it complies with the rules that are used in `getPathInfo`.
    This fixes #1375.
* Merge pull request #1382 from flaix/wip-fix-daysAgo
  Florian Zschocke, 2021-10-24, 4 files, -116/+774
  Fix incorrect display of "days ago" on activity page

  * TimeUtils: Change daysAgo to calculate difference in calendar days
    Florian Zschocke, 2021-10-24, 2 files, -1/+476
    The `daysAgo` method seemed to want to normalize on a calendar day? I can't really tell what it was trying to do, but the problem is that it does not take into account any time shift due to time zones so it never really worked outside of GMT.
    So instead a new `calendarDaysAgo` method is added (because I am unsure on what the `daysAgo` method is trying to do. It can probably be removed). The new method cleanly calculates the difference in calendar days because it normalizes the two given time stamps on the same time zone.
    The `timeAgo` method now uses the new method.
    This fixes #1248.

  * TimeUtils: Move unit test to same package as TimeUtils is
    Florian Zschocke, 2021-10-23, 3 files, -8/+10
    For some reason the `TimeUtilsTest` class is, like almost all tests, in the `com.gitblit.tests` package. But this way all methods in classes which we might predominantly need for tests have to be public. So move the unit test class `TimeUtilsTest` to the same package as the class it is testing, i.e. `com.gitblit.utils.TimeUtils`. This way we can set the newly added methods which get the current time passed in to be at least not public.

  * TimeUtils: Increase testability and add tests
    Florian Zschocke, 2021-10-23, 2 files, -8/+189
    Add tests for `timeAgo` to analyse issue #1248. The tests are dependent on when they run as the time functions use the current date and time. To make them testable in a reproducible way, we need the ability to pass in what we think is "now". So add overloaded methods that take a `now` parameter so that we can pass in the current time.
* Merge pull request #1381 from edram/master
  Florian Zschocke, 2021-10-22, 1 file, -1/+9
  Fix mirrored http(s) with a username and password

  * Fix mirrored http(s) with a username and password
    edram, 2021-10-22, 1 file, -1/+9
    This fixes #1059
* Merge pull request #1380 from flaix/fix-resource-bundle
  Florian Zschocke, 2021-10-22, 15 files, -361/+343
  Fix resource bundle

  * Property bundle: Fix typo in "nl" language file
    Florian Zschocke, 2021-10-21, 1 file, -1/+1

  * Property bundle: Fix various errors with escapes
    Florian Zschocke, 2021-10-21, 3 files, -21/+21
    Double escaped backslashes, wrongly escaped unicode codes, broken escaped newlines.