path: root/src/main
Commit message (Author, Age, Files, Lines)
* pages: Fix link for GitExtension, which moved to Github (Florian Zschocke, 2022-04-09, 13 files, -13/+13)
|
* fix: Fix StoredUserConfig not escaping control characters (Florian Zschocke, 2022-03-13, 1 file, -3/+42)
| The `StoredUserConfig` only escaped the escape character, i.e. backslash. But it does not escape control characters like tab or newline. This introduces a vulnerability where an attacker can create new entries in their user account and create new accounts. In addition, other characters are also not properly handled. Field values with a comment character need to be quoted. This only happens for the `#` character and only when the value starts with it. Also the quote is not escaped in values. This change completely rewrites the `escape` method of `StoredUserConfig`. It takes care of properly escaping characters that need escaping for the git configuration file format. This fixes #1410
* fix: Fix StoredUserConfig handling null subsections (Florian Zschocke, 2022-03-13, 1 file, -2/+7)
| The `StoredUserConfig` did not handle sections without a subsection. When the subsection did not exist, i.e. was `null`, then the subsection name would be set to the string "null". This is not how the config file format works. It should create a `[SECTIONNAME]` entry instead. This fix handles a `null` subsection correctly, by handling it as a section without a subsection.
* Update japanese translation (Takehide Morimoto, 2022-01-15, 6 files, -170/+1271)
|
* Detect and report if running in container (Florian Zschocke, 2021-12-10, 2 files, -0/+76)
| To help with analysis, try to detect if the instance is running inside a container. Some containers are detected, but this is probably not exhaustive. At least a Docker container should be detectable. Report in the runtime manager to the log if a container was detected.
* run: Put variables in quotes in shell scripts (Florian Zschocke, 2021-12-09, 3 files, -4/+4)
|
* pages: Fix repo-relative reference links in markdown docs (Florian Zschocke, 2021-12-06, 1 file, -14/+39)
| As with explicit links, also for reference links in markdown documents which point to repository-relative files the links are broken. They do not take the path to the repository into account. This fix is related to commit b23269 which fixed issue #1358 for explicit links.
* bug: Fix double encoding links in Markdown/Wiki pages (Florian Zschocke, 2021-12-04, 1 file, -5/+0)
| When parsing Markdown or Wiki pages, links get URL encoded. This happened twice for links to other documents. Once explicitly and once by Wicket when it creates a `urlFor` the page. That results in multi-byte characters getting percent escaped, and then the percent character again getting percent escaped. The explicit encoding looks like a forgotten left over, so it gets removed from the code. The Wicket encoding is smarter anyways, knowing what is path and what is parameter. This fixes #864.
* Fixes external links broken in markdown rendering (#1392) (TomaszSzt, 2021-11-18, 1 file, -0/+16)
| * This commit fixes what was broken in commit https://github.com/gitblit/gitblit/commit/b23269acc0f460f583311c679d751925b8402563 due to #1358 issue
* Fix NPE (Tom, 2021-11-03, 1 file, -7/+3)
| Although it seems strange to have a RefModel with a referenced object but a null Ref, Gitblit uses such RefModels for instance in JGitUtils.getNotesOnCommit(). Be careful to do something sensible when that Ref is null.
* Issue #1011: do not serialize JGit commit objects (Tom, 2021-11-03, 13 files, -97/+230)
| JGit commit objects are a recursive data structure; they have links to their parent commits. Serializing a JGit commit will try to recursively serialize all reachable ancestors as far as they have been loaded. If that ancestor chain is too long, a StackOverflowError is thrown during Wicket's page serialization if a page has a reference to such a JGit commit.
|
| Fixed by making sure that pages do not contain references to JGit commits. Use the (existing) wrapper object RepositoryCommit instead.
|
| * RepositoryCommit has a transient reference to the JGit commit and reads the commit from the repository upon de-serialization.
| * RefModel is a similar case (JGit tags/branches may also have links to the commits they point to). Solved a bit differently by making it a pure data object by transferring the interesting data from the JGit object in the constructor.
| * Change DataViews instantiated with RevCommit to use RepositoryCommit instead.
| * Change inner anonymous DataViews to ensure they do not have a synthesized field referencing the "allRefs" map. Such a synthesized field would also get serialized, and then serialize JGit commits again.
|
| Finally, remove non-transient logger instances in Wicket classes. Those might lead to NotSerializableException.
|
| These StackOverflowErrors have been reported in several places since 2014:
|
| * https://groups.google.com/forum/#!topic/gitblit/GH1d8WSlR6Q
| * https://bugs.chromium.org/p/gerrit/issues/detail?id=3316
| * https://groups.google.com/d/msg/repo-discuss/Kcl0JIGNiGk/0DjH4mO8hA8J
| * https://groups.google.com/d/msg/repo-discuss/0_P6A3fjTec/2kcpVPIUAQAJ
| * https://github.com/gitblit/gitblit/issues/1011
| * https://github.com/tomaswolf/gerrit-gitblit-plugin/issues/21
* Add test for loading russian properties (Florian Zschocke, 2021-11-03, 1 file, -0/+3)
|
* Adding Russian Translate. Russian language added (Vladimir A, 2021-11-03, 5 files, -0/+854)
|
* raw: URL encode the links to raw view of files (Florian Zschocke, 2021-10-24, 1 file, -1/+3)
| So far links to raw view were not encoded. The browser did some encoding of spaces on its own, which the servlet would unescape, since it uses the `HttpServletRequest.getPathInfo` method. That decodes the path before returning it. A problem arises when a bracket is in the file (or folder) name. The brackets are the characters that are not allowed in the path, according to the `URI.parse` method. (Which is a bit harsh, because brackets actually are only reserved for the host part since IPv6.) That means that the decoding fails when a bracket character is encountered. This went unnoticed since the failed decoding will return the path as it got it. But once there is a space in the file name, which the browser helpfully encoded for us, the failed decoding will now leave the encoded space in there. And that will result in a path that does not exist, e.g. `file%20[a]`. To be on the safe side, we simply encode the path in the links that we generate, so that it complies with the rules that are used in `getPathInfo`. This fixes #1375.
* TimeUtils: Change daysAgo to calculate difference in calendar days (Florian Zschocke, 2021-10-24, 1 file, -1/+52)
| The `daysAgo` method seemed to want to normalize on a calendar day? I can't really tell what it was trying to do, but the problem is that it does not take into account any time shift due to time zones so it never really worked outside of GMT. So instead a new `calendarDaysAgo` method is added (because I am unsure on what the `daysAgo` method is trying to do. It can probably be removed). The new method cleanly calculates difference in calendar days because it normalizes the two given time stamps on the same time zone. The `timeAgo` method now used the new method. This fixes #1248.
* TimeUtils: Move unit test to same package as TimeUtils is (Florian Zschocke, 2021-10-23, 1 file, -5/+5)
| For some reason the `TimeUtilsTest` class is, like almost all tests, in the `com.gitblit.tests` package. But this way all methods in classes which we might predominately need for tests have to be public. So move the unit test class `TimeUtilsTest` to the same package as the class it is testing, i.e. `com.gitblit.utils.TimeUtils`. This way we can set the new added methods which get the current time passed in to be at least not public.
* TimeUtils: Increase testability and add tests (Florian Zschocke, 2021-10-23, 1 file, -8/+32)
| Add tests for `timeAgo` to analyse issue #1248. The tests are dependent on when they run as the time functions use the current date and time. To make them testable in a reproducible way, we need the ability to pass in what we think is "now". So add overloaded methods that take a `now` parameter so that we can pass in the current time.
* Merge pull request #1381 from edram/master (Florian Zschocke, 2021-10-22, 1 file, -1/+9)
|\
| | Fix mirrored http(s) with a username and password
| * Fix mirrored http(s) with a username and password (edram, 2021-10-22, 1 file, -1/+9)
| | This fixes #1059
* | Property bundle: Fix typo in "nl" language file (Florian Zschocke, 2021-10-21, 1 file, -1/+1)
| |
* | Property bundle: Fix various errors with escapes (Florian Zschocke, 2021-10-21, 3 files, -21/+21)
| | Double escaped backslashes, wrongly escaped unicode codes, broken escaped newlines.
* | Property bundle: Fix incorrect property keys (Florian Zschocke, 2021-10-21, 8 files, -12/+10)
| | Some property keys had typos. There is a `gb.ticketStatus` and a `gb.ticketState`. Neither is used anywhere in the code, but only the former is defined in the default file. So only use `gb.ticketStatus`.
* | Escape non-ASCII characters in the GitBlitWebApp_pt_BR.properties file (Florian Zschocke, 2021-10-21, 1 file, -220/+219)
| | It keeps acting up when trying to stage parts of it. I hope this fixes that.
* | fix: Remove trailing spaces from property bundle files (Florian Zschocke, 2021-10-21, 14 files, -83/+83)
| |
* | fix: Remove duplicate property keys from properties files (Florian Zschocke, 2021-10-21, 14 files, -27/+12)
|/
| Some property keys were duplicated, mostly `status`, `permission` and `comment`. The problem with `gb.comment` is, that it is used in two different locations in two different meanings. One as a verb, the second as a noun. Which makes no difference in English, but other languages. The solution is that the second key is renamed to `gb.sshKeyComment`. The code is adjusted accordingly.
* Add a unit test to check if the resource bundle can be loaded (Florian Zschocke, 2021-10-20, 14 files, -6/+50)
| To prevent that we have a resource file in a resource bundle broken and not loading undiscovered for years, add a unit test that will load the resource properties file for each of the languages. In order to check if the file was loaded and the bundle mechanism didn't fall back on the default, a new property key is added to each language file, solely for the purpose to be checked in the unit test.
* Fix a wrong unicode escape in the Norsk language properties file (Florian Zschocke, 2021-10-20, 1 file, -1/+1)
| This fixes #834
* Fix output of migrate-/reindex-tickets bash scripts (Florian Zschocke, 2021-07-21, 2 files, -10/+10)
| Fix the output of the help texts in the reindex-tickets and reindex-tickets bash scripts. For one the double quotes are unnecessary and get printed out, too. Secondly, an empty line needs a `echo.`. A simple `echo` will print the state of the echo setting, i.e. `Echo is enabled (1)` or something similar.
* Set local variable visibility in batch scripts (Florian Zschocke, 2021-07-21, 3 files, -1/+9)
| Use SETLOCAL in batch scripts to restrict the visibility of variables that are set in the script to the script execution. Otherwise the variables will also be set in the calling shell. That is not a problem when a script is executed by double clicking it in Windows Explorer. But now that the scripts are changed so that they can be called on the command line from other folders, they should also not clutter the calling environment.
* Adjust remaining CMD scripts to use Gitblit home path. (Florian Zschocke, 2021-07-21, 3 files, -2/+11)
| Use the path of the script for the Gitblit home path in the remaining batch scripts, too, to make it possible to call them from any other folder.
* Add this into the install/uninstall and reindex of the service too (Zwixx, 2021-07-21, 3 files, -9/+13)
|
* Use full path to Gitblit directory in batch scripts (Zwixx, 2021-07-21, 2 files, -2/+9)
| In order to call the Windows batch scripts on the command line from a different folder, the path to the files in the Gitblit directory needs to be explicitly stated in the Java command. Otherwise the JAR files or data directory are not found as they would be searched in the current directory.
* Fix: Make CPU hog fix Java 7 compatible (Florian Zschocke, 2021-07-14, 1 file, -7/+22)
| The last fix for the stored config merged from Curly060 used Java8-isms. In order to be able to include this fix in the next release, which will be for 1.9, I have converted this to be compatible with Java 7. Also, a file header was added to place it under APL.
* bugfix: fix CPU hog bug in config save (Ingo Lafrenz, 2021-07-05, 2 files, -1/+173)
|
* Update zh_CN translation (YMNNs, 2021-05-03, 1 file, -269/+310)
| Updated simplified Chinese translation and added missing entries. This translation is now 100% completed.
* fix: Also parse exp links in MD pages (Florian Zschocke, 2020-11-16, 1 file, -0/+8)
| Add a link parser also for `ExpLinks` because we need to escape paths to files in subfolders. This closes #1358
* raw: Fix raw links to branches with a slash in their name (Florian Zschocke, 2020-11-10, 1 file, -6/+11)
| When a branch has a slash in the name, the raw servlet was not able to find the path under that branch. This is due to the replacement of the forward slash character for URLs. It was not taken into account when comparing the branch name later. This fixes #1290 and its duplicates #1234 and #813.
* raw: Fix getPath with trailing slash that was escaped (Florian Zschocke, 2020-11-10, 1 file, -3/+7)
| While this may be an unlikely scenario, let's still prevent this. When a link was created for a path that ends in a trailing slash, that trailing slash would be replaced with the `forwardSlashCharacter`. But in getPath that final slash would be transformed back *after* the check to chop off trailing slashes. This is now switched so that such a trailing slash is also chopped off.
* raw: Fix getPath with lead-ins or missing trailing slashes after the branch. (Florian Zschocke, 2020-11-09, 1 file, -1/+14)
|
* raw: Refactor RawServlet:getBranch and :getPath parameters (Florian Zschocke, 2020-11-09, 2 files, -15/+42)
| Refactor the `getBranch` and `getPath` methods to take a String as second parameter, which is the already sanitised path info. Don't get the path info from a passed in request anymore. The methods are only ever called from within `processRequest`, which already does some checks on the path info, like removing a leading slash character. So no need to do that every time again in the methods and passing a request for that.
* raw: Fix exceptions when no path info is given to raw servlet (Florian Zschocke, 2020-11-09, 1 file, -1/+4)
|
* raw: Strip leading and trailing slash from repo and path names for link (Florian Zschocke, 2020-11-09, 1 file, -0/+9)
| When creating a link for raw display, a trailing slash is stripped from the end of the base URL. Also do this for the repository, as well as stripping leading slashes from the repository and the path values.
* Add service scripts for FreeBSD (David Hofmann, 2020-08-04, 2 files, -0/+51)
|
* 🏃 run: Fix Linux service scripts to use classpath and class (Florian Zschocke, 2020-04-05, 3 files, -9/+9)
| Update the service scripts to use `-cp` and specify the GitBlitServer class, instead of the `-jar` parameter. Fixes #1333
* 🏃 run: Use quotes around class path in scripts (Florian Zschocke, 2020-04-05, 3 files, -3/+3)
| While most systems will not need the class path passed to the JVM with the `-cp` parameter to be in quotes, apparently some exist where that will not work without the quotes, e.g. FreeBSD. So always use quotes for the class path in all scripts. Issue #1333
* Change tests in shell scripts to be more compatible with Bourne shell (Florian Zschocke, 2020-04-05, 2 files, -2/+2)
| This is needed for the scripts to work in Alpine Linux, which comes with a Bourne shell.
* Delete password from memory in AuthenticationManager (Florian Zschocke, 2020-04-05, 2 files, -19/+38)
| Zero out the password to remove it from memory after use. This is only a first step, implementing it for one method: `AuthenticationManager.authenticate(String, char[], String)`.
* 🦟 fix: Password hash upgrade kills existing passwords (Florian Zschocke, 2020-04-05, 1 file, -17/+26)
| The upgrade of a MD5 stored password hash to a PBKDF password hash destroys the stored password. The hash check zeroes out the password that is tested, so that the new hash is built over the zeroed out value. This fix prevents that and also adds a check to the test. Fixes #1335
* Fix user preferences selecting the wrong preferred locale. (Florian Zschocke, 2019-11-11, 2 files, -46/+28)
| Due to a wrong comparison, when loading the preferred locale in the user preferences page, in cases like `zh_CN` or `de_DE` the wrong locale would be chosen. As with too many things, the code is duplicated on the `UserPage` and the `EditUserPage`. And they differ. So extract the choosing of the preferred language for display into a method in the (more up-to-date) `UserPage` and call that from the `EditUserPage`.
* Guard docs pages against bad URLs (Florian Zschocke, 2019-11-11, 2 files, -0/+9)
| If, for example, an external site links to a docs page or a specific doc page, and the branch that link points to is no longer existing, an internal error happens due to a NPE. The NPE is guarded against and a No Docs page is returned.