From 69876f1772be2d892ecf418949b7a0ba9e40363a Mon Sep 17 00:00:00 2001 From: fzs Date: Sat, 1 Feb 2020 09:46:15 +0000 Subject: Prepare 1.9.0 release --- build.moxie | 6 +++--- releases.moxie | 14 +++++++------- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/build.moxie b/build.moxie index d95db89a..d55ec25b 100644 --- a/build.moxie +++ b/build.moxie @@ -10,12 +10,12 @@ name: Gitblit description: pure Java Git solution groupId: com.gitblit artifactId: gitblit -version: 1.9.0-SNAPSHOT +version: 1.9.0 inceptionYear: 2011 # Current stable release -releaseVersion: 1.8.0 -releaseDate: 2016-06-22 +releaseVersion: 1.9.0 +releaseDate: 2020-02-01 # Project urls url: 'http://gitblit.com' diff --git a/releases.moxie b/releases.moxie index 9776f0a9..cddc1ec7 100644 --- a/releases.moxie +++ b/releases.moxie @@ -1,10 +1,10 @@ # -# ${project.version} release +# 1.9.0 release # r30: { - title: ${project.name} ${project.version} released - id: ${project.version} - date: ${project.buildDate} + title: Gitblit 1.9.0 released + id: 1.9.0 + date: 2020-02-01 note: '' Gitblit uses Servlet 3.0 and thus drops support for Tomcat 6. Run on Tomcat 6 at your own risk. @@ -1949,6 +1949,6 @@ r1: { - James Moger } -snapshot: &r30 -release: &r29 -releases: &r[1..29] +snapshot: ~ +release: &r30 +releases: &r[1..30] -- cgit v1.2.3 From db20a9b68513f8a1e7621ba0e5b0d601f585508d Mon Sep 17 00:00:00 2001 From: fzs Date: Sat, 1 Feb 2020 09:51:13 +0000 Subject: Reset build identifiers for next point release cycle --- build.moxie | 2 +- releases.moxie | 20 +++++++++++++++++++- 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/build.moxie b/build.moxie index d55ec25b..56b68226 100644 --- a/build.moxie +++ b/build.moxie @@ -10,7 +10,7 @@ name: Gitblit description: pure Java Git solution groupId: com.gitblit artifactId: gitblit -version: 1.9.0 +version: 1.9.1-SNAPSHOT inceptionYear: 2011 # Current stable release 
diff --git a/releases.moxie b/releases.moxie index cddc1ec7..0b5afadd 100644 --- a/releases.moxie +++ b/releases.moxie @@ -1,3 +1,21 @@ +# +# ${project.version} release +# +r31: { + title: ${project.name} ${project.version} released + id: ${project.version} + date: ${project.buildDate} + note: ~ + html: ~ + text: ~ + security: ~ + fixes: ~ + changes: ~ + additions: ~ + dependencyChanges: ~ + contributors: ~ +} + # # 1.9.0 release # @@ -1949,6 +1967,6 @@ r1: { - James Moger } -snapshot: ~ +snapshot: &r31 release: &r30 releases: &r[1..30] -- cgit v1.2.3 From d9eddcbea47010060d3cb0978c961630f0d7c50e Mon Sep 17 00:00:00 2001 From: Florian Zschocke Date: Sun, 2 Feb 2020 12:18:56 +0100 Subject: Fix download link in README file. --- README.markdown | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.markdown b/README.markdown index a40ccdf6..af76c2df 100644 --- a/README.markdown +++ b/README.markdown @@ -5,7 +5,7 @@ Gitblit is an open source, pure Java Git solution for managing, viewing, and ser More information about Gitblit can be found [here](http://gitblit.com). - + License ------- -- cgit v1.2.3 From fffdda5a20b5fc3e4c6a4c11443109c1232c7e39 Mon Sep 17 00:00:00 2001 From: Florian Zschocke Date: Wed, 1 Apr 2020 13:31:59 +0200 Subject: Switch Eclipse repositories to HTTPS. The Eclipse maven repositories changed to only allow HTTPS and not serve HTTP anymore. HTTP will redirect to HTTPS, which moxie does not handle well and fails. So the registered Eclipse repositories are changed to 'https://' transport. Fixes #1334 --- build.moxie | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/build.moxie b/build.moxie index 56b68226..fd7b1309 100644 --- a/build.moxie +++ b/build.moxie 
@@ -96,8 +96,8 @@ dependencyDirectory: ext
 registeredRepositories:
 - { id: central, url: 'https://repo1.maven.org/maven2' }
 - { id: mavencentral, url: 'https://repo1.maven.org/maven2' }
-- { id: eclipse, url: 'http://repo.eclipse.org/content/groups/releases' }
-- { id: eclipse-snapshots, url: 'http://repo.eclipse.org/content/groups/snapshots' }
+- { id: eclipse, url: 'https://repo.eclipse.org/content/groups/releases' }
+- { id: eclipse-snapshots, url: 'https://repo.eclipse.org/content/groups/snapshots' }
 - { id: gitblit, url: 'http://gitblit.github.io/gitblit-maven' }
 # Source all dependencies from the following repositories in the specified order
-- cgit v1.2.3
From 8b18ac309bc36c8a16a3d26f088cb168635930d3 Mon Sep 17 00:00:00 2001
From: Florian Zschocke
Date: Sat, 7 Mar 2020 12:01:08 +0100
Subject: docu: Fix typo
---
 src/site/rpc.mkd | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/site/rpc.mkd b/src/site/rpc.mkd
index e51fbaae..ac963a87 100644
--- a/src/site/rpc.mkd
+++ b/src/site/rpc.mkd
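Review bot: The hunk moves the two Eclipse repositories to HTTPS but leaves `- { id: gitblit, url: 'http://gitblit.github.io/gitblit-maven' }` on plain HTTP, so artifacts resolved from that repository are still fetched over a channel with no transport authentication and could be altered in transit. github.io hosts are served over HTTPS, so the same one-line change applies: `- { id: gitblit, url: 'https://gitblit.github.io/gitblit-maven' }`. Whether moxie verifies artifact checksums or signatures is not visible here, so the transport is presumably the only integrity check on these downloads.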
@@ -8,7 +8,7 @@ Gitblit optionally allows a remote client to administer the Gitblit server. Thi web.enableRpcManagement=false web.enableRpcAdministration=false -**https** is strongly recommended because passwords are insecurely transmitted form your browser/rpc client using Basic authentication! +**https** is strongly recommended because passwords are insecurely transmitted from your browser/rpc client using Basic authentication! The Gitblit JSON RPC mechanism, like the Gitblit JGit servlet, syndication/feed servlet, etc, supports request-based authentication. Making an *admin* request will trigger Gitblit's basic authentication mechanism. Listing of repositories, generally, will not trigger this authentication mechanism unless *web.authenticateViewPages=true*. That means its possible to allow anonymous enumeration of repositories that are not *view restricted* or *clone restricted*. Of course, if credentials are provided then all private repositories that are available to the user account will be enumerated in the JSON response. -- cgit v1.2.3 From e47647b00d566d64d311042981e6b1798f683e4a Mon Sep 17 00:00:00 2001 From: Florian Zschocke Date: Sat, 4 Apr 2020 19:25:27 +0200 Subject: 🦟 fix: Password hash upgrade kills existing passwords MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The upgrade of a MD5 stored password hash to a PBKDF password hash destroys the stored password. The has check zeroes out the password that is tested, so that the new hash is built over the zeroed out value. This fix prevents that an also adds a check to the test. Fixes #1335 --- .../com/gitblit/manager/AuthenticationManager.java | 43 +++++++++++++--------- .../gitblit/tests/AuthenticationManagerTest.java | 16 ++++++-- 2 files changed, 38 insertions(+), 21 deletions(-) diff --git a/src/main/java/com/gitblit/manager/AuthenticationManager.java b/src/main/java/com/gitblit/manager/AuthenticationManager.java index 83ca4b70..4f3f4f85 100644 
--- a/src/main/java/com/gitblit/manager/AuthenticationManager.java
+++ b/src/main/java/com/gitblit/manager/AuthenticationManager.java
@@ -18,10 +18,7 @@ package com.gitblit.manager;
 import java.nio.charset.Charset;
 import java.security.Principal;
 import java.text.MessageFormat;
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
+import java.util.*;
 import java.util.concurrent.TimeUnit;
 import javax.servlet.http.Cookie;
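Review bot: The hunk collapses four explicit `java.util` imports into `import java.util.*;`, which hides what the class actually depends on and invites name clashes if a later import brings in a same-named type. The only new name this commit needs is `Arrays` (used in the authenticateLocal hunk below), so keeping the explicit list and adding `import java.util.Arrays;` would be the smaller, more readable change. The same wildcard replacement appears in the AuthenticationManagerTest import hunk of the follow-up commit.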
@@ -520,21 +517,33 @@ public class AuthenticationManager implements IAuthenticationManager {
 protected UserModel authenticateLocal(UserModel user, char [] password) {
 UserModel returnedUser = null;
- PasswordHash pwdHash = PasswordHash.instanceFor(user.password);
- if (pwdHash != null) {
- if (pwdHash.matches(user.password, password, user.username)) {
+ // Create a copy of the password that we can use to rehash to upgrade to a more secure hashing method.
+ // This is done to be independent from the implementation of the PasswordHash, which might already clear out
+ // the password it gets passed in. This looks a bit stupid, as we could simply clean up the mess, but this
+ // falls under "better safe than sorry".
+ char[] pwdToUpgrade = Arrays.copyOf(password, password.length);
+ try {
+ PasswordHash pwdHash = PasswordHash.instanceFor(user.password);
+ if (pwdHash != null) {
+ if (pwdHash.matches(user.password, password, user.username)) {
+ returnedUser = user;
+ }
+ } else if (user.password.equals(new String(password))) {
+ // plain-text password
 returnedUser = user;
 }
- } else if (user.password.equals(new String(password))) {
- // plain-text password
- returnedUser = user;
- }
-
- // validate user
- returnedUser = validateAuthentication(returnedUser, AuthenticationType.CREDENTIALS);
-
- // try to upgrade the stored password hash to a stronger hash, if necessary
- upgradeStoredPassword(returnedUser, password, pwdHash);
+
+ // validate user
+ returnedUser = validateAuthentication(returnedUser, AuthenticationType.CREDENTIALS);
+
+ // try to upgrade the stored password hash to a stronger hash, if necessary
+ upgradeStoredPassword(returnedUser, pwdToUpgrade, pwdHash);
+ }
+ finally {
+ // Now we make sure that the password is zeroed out in any case.
+ Arrays.fill(password, Character.MIN_VALUE);
+ Arrays.fill(pwdToUpgrade, Character.MIN_VALUE);
+ }
 return returnedUser;
 }
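Review bot: The plain-text branch `} else if (user.password.equals(new String(password))) {` still materialises the password as an immutable String, which the new `finally` cannot zero, so for plain-text stored passwords clearing `password` and `pwdToUpgrade` only covers the arrays while a heap copy stays until garbage collection. Comparing through a view avoids that copy: `} else if (user.password.contentEquals(java.nio.CharBuffer.wrap(password))) {`. Note also that `Arrays.copyOf(password, password.length)` runs before the `try`, so a null `password` throws before anything is cleared; the visible `authenticate` caller rejects empty input first, but this method is `protected` and may be reached otherwise. Neither `equals` nor `contentEquals` is a constant-time comparison, which was already the case before this change.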
diff --git a/src/test/java/com/gitblit/tests/AuthenticationManagerTest.java b/src/test/java/com/gitblit/tests/AuthenticationManagerTest.java
index 45009856..1c6de3b2 100644
--- a/src/test/java/com/gitblit/tests/AuthenticationManagerTest.java
+++ b/src/test/java/com/gitblit/tests/AuthenticationManagerTest.java
@@ -671,14 +671,18 @@ public class AuthenticationManagerTest extends GitblitUnitTest {
 public void testAuthenticateUpgradePlaintext() throws Exception {
 IAuthenticationManager auth = newAuthenticationManager();
+ String password = "topsecret";
 UserModel user = new UserModel("sunnyjim");
- user.password = "password";
+ user.password = password;
 users.updateUserModel(user);
- assertNotNull(auth.authenticate(user.username, user.password.toCharArray(), null));
+ assertNotNull(auth.authenticate(user.username, password.toCharArray(), null));
 // validate that plaintext password was automatically updated to hashed one
 assertTrue(user.password.startsWith(PasswordHash.getDefaultType().name() + ":"));
+
+ // validate that the password is still valid and the user can log in
+ assertNotNull(auth.authenticate(user.username, password.toCharArray(), null));
 }
@@ -686,14 +690,18 @@ public class AuthenticationManagerTest extends GitblitUnitTest {
 public void testAuthenticateUpgradeMD5() throws Exception {
 IAuthenticationManager auth = newAuthenticationManager();
+ String password = "secretAndHashed";
 UserModel user = new UserModel("sunnyjim");
- user.password = "MD5:5F4DCC3B5AA765D61D8327DEB882CF99";
+ user.password = "MD5:BD95A1CFD00868B59B3564112D1E5847";
 users.updateUserModel(user);
- assertNotNull(auth.authenticate(user.username, "password".toCharArray(), null));
+ assertNotNull(auth.authenticate(user.username, password.toCharArray(), null));
 // validate that MD5 password was automatically updated to hashed one
 assertTrue(user.password.startsWith(PasswordHash.getDefaultType().name() + ":"));
+
+ // validate that the password is still valid and the user can log in
+ assertNotNull(auth.authenticate(user.username, password.toCharArray(), null));
 }
-- cgit v1.2.3
From 803d4171bf24e82612c526d65de77aa580c8a62f Mon Sep 17 00:00:00 2001
From: Florian Zschocke
Date: Sat, 4 Apr 2020 19:43:35 +0200
Subject: Delete password from memory in AuthenticationManager
Zero out the password to remove it from memory after use. This is only a first step, implementing it for one method: `AuthenticationManager.authenticate(String, char[], String)`.
---
 .../com/gitblit/manager/AuthenticationManager.java | 42 ++++++-----
 src/main/java/com/gitblit/utils/StringUtils.java | 15 ++++
 .../gitblit/tests/AuthenticationManagerTest.java | 84 +++++++++++++++++++---
 .../java/com/gitblit/tests/StringUtilsTest.java | 15 +++-
 4 files changed, 125 insertions(+), 31 deletions(-)
diff --git a/src/main/java/com/gitblit/manager/AuthenticationManager.java b/src/main/java/com/gitblit/manager/AuthenticationManager.java
index 4f3f4f85..68c83dae 100644
--- a/src/main/java/com/gitblit/manager/AuthenticationManager.java
+++ b/src/main/java/com/gitblit/manager/AuthenticationManager.java
@@ -452,7 +452,6 @@ public class AuthenticationManager implements IAuthenticationManager {
 /**
 * Authenticate a user based on a username and password.
 *
- * @see IUserService.authenticate(String, char[])
 * @param username
 * @param password
 * @return a user object or null
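Review bot: The Javadoc drops the `@see` line but does not state the new contract this commit gives `authenticate`: the `finally` added in the next hunk zeroes the caller's `password` array before the method returns, so a caller can no longer reuse that array. Documenting it on the parameter avoids surprising callers, e.g. `* @param password the password; the array is zeroed out before this method returns and must not be reused by the caller`. The method signature the Javadoc describes follows outside this hunk.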
@@ -471,34 +470,39 @@ public class AuthenticationManager implements IAuthenticationManager {
 }
 String usernameDecoded = StringUtils.decodeUsername(username);
- String pw = new String(password);
- if (StringUtils.isEmpty(pw)) {
+ if (StringUtils.isEmpty(password)) {
 // can not authenticate empty password
 return null;
 }
 UserModel user = userManager.getUserModel(usernameDecoded);
- // try local authentication
- if (user != null && user.isLocalAccount()) {
- UserModel returnedUser = authenticateLocal(user, password);
- if (returnedUser != null) {
- // user authenticated
- return returnedUser;
- }
- } else {
- // try registered external authentication providers
- for (AuthenticationProvider provider : authenticationProviders) {
- if (provider instanceof UsernamePasswordAuthenticationProvider) {
- UserModel returnedUser = provider.authenticate(usernameDecoded, password);
- if (returnedUser != null) {
- // user authenticated
- returnedUser.accountType = provider.getAccountType();
- return validateAuthentication(returnedUser, AuthenticationType.CREDENTIALS);
+ try {
+ // try local authentication
+ if (user != null && user.isLocalAccount()) {
+ UserModel returnedUser = authenticateLocal(user, password);
+ if (returnedUser != null) {
+ // user authenticated
+ return returnedUser;
+ }
+ } else {
+ // try registered external authentication providers
+ for (AuthenticationProvider provider : authenticationProviders) {
+ if (provider instanceof UsernamePasswordAuthenticationProvider) {
+ UserModel returnedUser = provider.authenticate(usernameDecoded, password);
+ if (returnedUser != null) {
+ // user authenticated
+ returnedUser.accountType = provider.getAccountType();
+ return validateAuthentication(returnedUser, AuthenticationType.CREDENTIALS);
+ }
 }
 }
 }
+ finally {
+ // Zero out password array to delete password from memory
+ Arrays.fill(password, Character.MIN_VALUE);
+ }
 // could not authenticate locally or with a provider
 logger.warn(MessageFormat.format("Failed login 
attempt for {0}, invalid credentials from {1}", username,
diff --git a/src/main/java/com/gitblit/utils/StringUtils.java b/src/main/java/com/gitblit/utils/StringUtils.java
index b192c80b..442acbbf 100644
--- a/src/main/java/com/gitblit/utils/StringUtils.java
+++ b/src/main/java/com/gitblit/utils/StringUtils.java
@@ -56,6 +56,21 @@ public class StringUtils {
 return value == null || value.trim().length() == 0;
 }
+ /**
+ * Returns true if the character array represents an empty String.
+ * An empty character sequence is defined as a sequence that
+ * either has no characters at all, or no characters above
+ * '\u0020' (space).
+ *
+ * @param value
+ * @return true if value is null or represents an empty String
+ */
+ public static boolean isEmpty(char[] value) {
+ if (value == null || value.length == 0) return true;
+ for ( char c : value) if (c > '\u0020') return false;
+ return true;
+ }
+
 /**
 * Replaces carriage returns and line feeds with html line breaks.
 *
diff --git a/src/test/java/com/gitblit/tests/AuthenticationManagerTest.java b/src/test/java/com/gitblit/tests/AuthenticationManagerTest.java
index 1c6de3b2..81d68895 100644
--- a/src/test/java/com/gitblit/tests/AuthenticationManagerTest.java
+++ b/src/test/java/com/gitblit/tests/AuthenticationManagerTest.java
@@ -19,13 +19,7 @@ import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
 import java.security.Principal;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.Enumeration;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Locale;
-import java.util.Map;
+import java.util.*;
 import javax.servlet.AsyncContext;
 import javax.servlet.DispatcherType;
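Review bot: `for ( char c : value) if (c > '\u0020') return false;` packs a loop and a braceless `if` onto one line with a stray space after the parenthesis, whereas the `String` overload just above keeps one statement per line; the conventional form is `for (char c : value) {` / `if (c > '\u0020') { return false; }` / `}`. The Javadoc's "no characters above '\u0020'" is accurate, but the intent is easier to check against the tests if it is stated in terms of the String overload, e.g. "true when every character is a space or a control character, so that the same input as a String would trim to empty". The behaviour matches the String version only because `trim()` removes exactly the characters at or below U+0020, which is worth saying in the comment since the two overloads are expected to agree.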
@@ -654,16 +648,84 @@ public class AuthenticationManagerTest extends GitblitUnitTest {
 public void testAuthenticate() throws Exception {
 IAuthenticationManager auth = newAuthenticationManager();
+
+ String password = "pass word";
 UserModel user = new UserModel("sunnyjim");
- user.password = "password";
+ user.password = password;
 users.updateUserModel(user);
- assertNotNull(auth.authenticate(user.username, user.password.toCharArray(), null));
+ char[] pwd = password.toCharArray();
+ assertNotNull(auth.authenticate(user.username, pwd, null));
+
+ // validate that the passed in password has been zeroed out in memory
+ char[] zeroes = new char[pwd.length];
+ Arrays.fill(zeroes, Character.MIN_VALUE);
+ assertArrayEquals(zeroes, pwd);
+ }
+
+
+ @Test
+ public void testAuthenticateDisabledUser() throws Exception {
+ IAuthenticationManager auth = newAuthenticationManager();
+
+
+ String password = "password";
+ UserModel user = new UserModel("sunnyjim");
+ user.password = password;
 user.disabled = true;
+ users.updateUserModel(user);
+
+ assertNull(auth.authenticate(user.username, password.toCharArray(), null));
+
+ user.disabled = false;
+ users.updateUserModel(user);
+ assertNotNull(auth.authenticate(user.username, password.toCharArray(), null));
+ }
+
+
+ @Test
+ public void testAuthenticateEmptyPassword() throws Exception {
+ IAuthenticationManager auth = newAuthenticationManager();
+
+
+ String password = "password";
+ UserModel user = new UserModel("sunnyjim");
+ user.password = password;
+ users.updateUserModel(user);
+
+ assertNull(auth.authenticate(user.username, "".toCharArray(), null));
+ assertNull(auth.authenticate(user.username, " ".toCharArray(), null));
+ assertNull(auth.authenticate(user.username, new char[]{' ', '\u0010', '\u0015'}, null));
+ }
+
+
+
+ @Test
+ public void testAuthenticateWrongPassword() throws Exception {
+ IAuthenticationManager auth = newAuthenticationManager();
+
+
+ String password = "password";
+ UserModel user = new 
UserModel("sunnyjim");
+ user.password = password;
 users.updateUserModel(user);
- assertNull(auth.authenticate(user.username, user.password.toCharArray(), null));
- users.deleteUserModel(user);
+
+ assertNull(auth.authenticate(user.username, "helloworld".toCharArray(), null));
+ }
+
+
+ @Test
+ public void testAuthenticateNoSuchUser() throws Exception {
+ IAuthenticationManager auth = newAuthenticationManager();
+
+
+ String password = "password";
+ UserModel user = new UserModel("sunnyjim");
+ user.password = password;
+ users.updateUserModel(user);
+
+ assertNull(auth.authenticate("rainyjoe", password.toCharArray(), null));
 }
diff --git a/src/test/java/com/gitblit/tests/StringUtilsTest.java b/src/test/java/com/gitblit/tests/StringUtilsTest.java
index 7176b88c..3dae66f4 100644
--- a/src/test/java/com/gitblit/tests/StringUtilsTest.java
+++ b/src/test/java/com/gitblit/tests/StringUtilsTest.java
@@ -26,12 +26,25 @@ public class StringUtilsTest extends GitblitUnitTest {
 @Test
 public void testIsEmpty() throws Exception {
- assertTrue(StringUtils.isEmpty(null));
+ assertTrue(StringUtils.isEmpty((String)null));
 assertTrue(StringUtils.isEmpty(""));
 assertTrue(StringUtils.isEmpty(" "));
 assertFalse(StringUtils.isEmpty("A"));
 }
+ @Test
+ public void testIsEmptyCharArray() throws Exception {
+ assertTrue(StringUtils.isEmpty((char[])null));
+ assertTrue(StringUtils.isEmpty(new char[0]));
+ assertTrue(StringUtils.isEmpty(new char[]{ ' ' }));
+ assertTrue(StringUtils.isEmpty(new char[]{ ' '}));
+ assertTrue(StringUtils.isEmpty(new char[]{ ' ', ' ' }));
+ assertTrue(StringUtils.isEmpty(new char[]{ ' ', ' ', ' ' }));
+ assertFalse(StringUtils.isEmpty(new char[]{ '\u0020', 'f' }));
+ assertFalse(StringUtils.isEmpty(new char[]{ '\u0148', '\u0020' }));
+ assertFalse(StringUtils.isEmpty(new char[]{ 'A' }));
+ }
+
 @Test
 public void testBreakLinesForHtml() throws Exception {
 String input = "this\nis\r\na\rtest\r\n\r\nof\n\nline\r\rbreaking";
-- cgit v1.2.3
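Review bot: Only `testAuthenticate` checks that the password array is zeroed, and only on the success path; the failure cases added here (`testAuthenticateWrongPassword`, `testAuthenticateDisabledUser`, `testAuthenticateNoSuchUser`) pass a fresh `password.toCharArray()` and never inspect it, although the `finally` in `authenticate` is what is supposed to guarantee clearing on those paths as well. Keeping a reference and asserting on it pins that, e.g. in the wrong-password test `char[] pwd = "helloworld".toCharArray();` / `assertNull(auth.authenticate(user.username, pwd, null));` / `assertArrayEquals(new char[pwd.length], pwd);`. Separately, the removed `users.deleteUserModel(user);` was the only cleanup of the shared `sunnyjim` user, and the new tests all re-create it without deleting; whether the fixture resets `users` between tests is not visible here, so this is worth confirming.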
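Review bot: `assertTrue(StringUtils.isEmpty(new char[]{ ' ' }));` and the next line `assertTrue(StringUtils.isEmpty(new char[]{ ' '}));` are the same case twice; one of them could instead cover a control character, which is what distinguishes the `c > '\u0020'` rule from a plain space check, e.g. `assertTrue(StringUtils.isEmpty(new char[]{ '\t', '\u0010' }));`. A non-empty input with an interior character surrounded by spaces, such as `new char[]{ ' ', 'a', ' ' }`, would also show that the array overload agrees with the String overload for that shape.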
From 6804cde82ccba5a0765432caa91fb95df01b2026 Mon Sep 17 00:00:00 2001
From: Florian Zschocke
Date: Sat, 4 Apr 2020 20:29:12 +0200
Subject: Change tests in shell scripts to be more compatible with Bourne shell
This is needed for the scripts to work in Alpine Linux, which comes with a Bourne shell.
---
 src/main/distrib/linux/migrate-tickets.sh | 2 +-
 src/main/distrib/linux/reindex-tickets.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/main/distrib/linux/migrate-tickets.sh b/src/main/distrib/linux/migrate-tickets.sh
index f521528e..ce746bf9 100644
--- a/src/main/distrib/linux/migrate-tickets.sh
+++ b/src/main/distrib/linux/migrate-tickets.sh
@@ -8,7 +8,7 @@
 #
 # --------------------------------------------------------------------------
-if [[ -z $1 || -z $2 ]]; then
+if [ -z $1 ] || [ -z $2 ]; then
 echo "Please specify the output ticket service and your baseFolder!";
 echo "";
 echo "usage:";
diff --git a/src/main/distrib/linux/reindex-tickets.sh b/src/main/distrib/linux/reindex-tickets.sh
index 8261b819..6985d606 100644
--- a/src/main/distrib/linux/reindex-tickets.sh
+++ b/src/main/distrib/linux/reindex-tickets.sh
@@ -11,7 +11,7 @@
 #
 # --------------------------------------------------------------------------
-if [[ -z $1 ]]; then
+if [ -z $1 ] ; then
 echo "Please specify your baseFolder!";
 echo "";
 echo "usage:";
-- cgit v1.2.3
From 275d353f59074f78cfec5786e5989637a5606834 Mon Sep 17 00:00:00 2001
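Review bot: `if [ -z $1 ] || [ -z $2 ]; then` leaves the positional parameters unquoted, so an argument containing whitespace makes `[` see several words and fail with "too many arguments", and when `$1` is unset the test only passes because a one-argument `[ -z ]` happens to evaluate true. Quoting is equally portable to a POSIX `sh` and fixes both: `if [ -z "$1" ] || [ -z "$2" ]; then`. The same applies to `if [ -z $1 ] ; then` in the reindex-tickets.sh hunk. If these scripts start with `#!/bin/bash` as authority.sh does in the next commit, that shebang is the remaining Alpine compatibility point; it is outside these hunks.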
From: Florian Zschocke
Date: Sat, 4 Apr 2020 21:34:30 +0200
Subject: 🏃run: Use quotes around class path in scripts
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
While most systems will not need the class path passed to the JVM with the `-cp` parameter to be in quotes, apparently some exist where that will not work without the quotes, e.g. FreeBSD. So always use quotes for the class path in all scripts. Issue #1333
---
 src/main/distrib/linux/authority.sh | 2 +-
 src/main/distrib/linux/migrate-tickets.sh | 2 +-
 src/main/distrib/linux/reindex-tickets.sh | 2 +-
 src/site/federation.mkd | 2 +-
 src/site/setup_go.mkd | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/main/distrib/linux/authority.sh b/src/main/distrib/linux/authority.sh
index 740f51a8..c5c6c687 100644
--- a/src/main/distrib/linux/authority.sh
+++ b/src/main/distrib/linux/authority.sh
@@ -1,2 +1,2 @@
 #!/bin/bash
-java -cp gitblit.jar:ext/* com.gitblit.authority.GitblitAuthority --baseFolder data
+java -cp "gitblit.jar:ext/*" com.gitblit.authority.GitblitAuthority --baseFolder data
diff --git a/src/main/distrib/linux/migrate-tickets.sh b/src/main/distrib/linux/migrate-tickets.sh
index ce746bf9..4f360918 100644
--- a/src/main/distrib/linux/migrate-tickets.sh
+++ b/src/main/distrib/linux/migrate-tickets.sh
@@ -17,5 +17,5 @@ if [ -z $1 ] || [ -z $2 ]; then
 exit 1;
 fi
-java -cp gitblit.jar:./ext/* com.gitblit.MigrateTickets $1 --baseFolder $2
+java -cp "gitblit.jar:ext/*" com.gitblit.MigrateTickets $1 --baseFolder $2
diff --git a/src/main/distrib/linux/reindex-tickets.sh b/src/main/distrib/linux/reindex-tickets.sh
index 6985d606..42239ea1 100644
--- a/src/main/distrib/linux/reindex-tickets.sh
+++ b/src/main/distrib/linux/reindex-tickets.sh
@@ -20,5 +20,5 @@ if [ -z $1 ] ; then
 exit 1;
 fi
-java -cp gitblit.jar:./ext/* com.gitblit.ReindexTickets --baseFolder $1
+java -cp "gitblit.jar:ext/*" com.gitblit.ReindexTickets --baseFolder $1
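Review bot: `java -cp "gitblit.jar:ext/*" com.gitblit.MigrateTickets $1 --baseFolder $2` quotes the class path but still expands `$1` and `$2` unquoted, so a base folder containing spaces is split into several arguments; `java -cp "gitblit.jar:ext/*" com.gitblit.MigrateTickets "$1" --baseFolder "$2"` follows the intent of the commit through. The reindex-tickets.sh hunk has the same unquoted `--baseFolder $1`. These two hunks also change `./ext/*` to `ext/*` without mentioning it; both are relative to the current directory, so the result is equivalent. In the setup_go.mkd section of this commit the new command line reads `java -cp "gitblit.jar:ext/*"" com.gitblit.GitBlitServer`, with a doubled closing quote that would break the documented command when pasted.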
diff --git a/src/site/federation.mkd b/src/site/federation.mkd index 231a9f35..b802a087 100644 --- a/src/site/federation.mkd +++ b/src/site/federation.mkd @@ -335,6 +335,6 @@ Instead of using `federation.properties` you may directly specify a Gitblit inst java -cp fedclient.jar;"%CD%/ext/*" com.gitblit.FederationClient --url https://go.gitblit.com --mirror --bare --token 123456789 --repositoriesFolder c:/mymirror - java -cp fedclient.jar:ext/* com.gitblit.FederationClient --url https://go.gitblit.com --mirror --bare --token 123456789 + java -cp "fedclient.jar:ext/*" com.gitblit.FederationClient --url https://go.gitblit.com --mirror --bare --token 123456789 --repositoriesFolder /srv/mymirror --daemon --frequency "24 hours" diff --git a/src/site/setup_go.mkd b/src/site/setup_go.mkd index 20b4ba48..e0470f31 100644 --- a/src/site/setup_go.mkd +++ b/src/site/setup_go.mkd @@ -17,7 +17,7 @@ Open `data/gitblit.properties` in your favorite text editor and make sure to rev **NOTE:** You can only have **one** SSL certificate specified for a port. 4. exit the authority app 4. Windows: Execute `gitblit.cmd` or `java -cp gitblit.jar;"%CD%\ext\*" com.gitblit.GitBlitServer --baseFolder data` from a command-line - Linux/OSX: Execute `gitblit.sh` or `java -cp gitblit.jar;ext/* com.gitblit.GitBlitServer --baseFolder data` from a command-line + Linux/OSX: Execute `gitblit.sh` or `java -cp "gitblit.jar:ext/*"" com.gitblit.GitBlitServer --baseFolder data` from a command-line 5. Open your browser to or depending on your chosen configuration. 6. Enter the default administrator credentials: **admin / admin** and click the *Login* button **NOTE:** Make sure to change the administrator username and/or password!! -- cgit v1.2.3 From 12dea0049f08d1051e27be3e09b6681f7c47ee87 Mon Sep 17 00:00:00 2001 
From: Florian Zschocke Date: Sun, 5 Apr 2020 12:05:14 +0200 Subject: 🏃 run: Fix Linux service scripts to use classpath and class MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Update the service scripts to use `-cp` and specify the GitBlitServer class, instead of the `-jar` parameter. Fixes #1333 --- src/main/distrib/linux/install-service-fedora.sh | 10 +++++----- src/main/distrib/linux/service-centos.sh | 6 +++--- src/main/distrib/linux/service-ubuntu.sh | 2 +- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/src/main/distrib/linux/install-service-fedora.sh b/src/main/distrib/linux/install-service-fedora.sh index 4fb43c61..df17590f 100755 --- a/src/main/distrib/linux/install-service-fedora.sh +++ b/src/main/distrib/linux/install-service-fedora.sh 
@@ -18,16 +18,16 @@ After=network.target [Service] User=gitblit Group=gitblit -Environment="ARGS=-server -Xmx1024M -Djava.awt.headless=true -jar" +Environment="ARGS=-server -Xmx1024M -Djava.awt.headless=true -cp" EnvironmentFile=-/etc/sysconfig/gitblit WorkingDirectory=/opt/gitblit -ExecStart=/usr/bin/java \$ARGS gitblit.jar --httpsPort \$GITBLIT_HTTPS_PORT --httpPort \$GITBLIT_HTTP_PORT --baseFolder \$GITBLIT_BASE_FOLDER --dailyLogFile -ExecStop=/usr/bin/java \$ARGS gitblit.jar --baseFolder \$GITBLIT_BASE_FOLDER --stop +ExecStart=/usr/bin/java \$ARGS gitblit.jar:ext/* com.gitblit.GitBlitServer --httpsPort \$GITBLIT_HTTPS_PORT --httpPort \$GITBLIT_HTTP_PORT --baseFolder \$GITBLIT_BASE_FOLDER --dailyLogFile +ExecStop=/usr/bin/java \$ARGS gitblit.jar:ext/* com.gitblit.GitBlitServer --baseFolder \$GITBLIT_BASE_FOLDER --stop [Install] WantedBy=multi-user.target EOF # Finally copy the files to the destination and register the systemd unit. -sudo su -c "cp /tmp/gitblit.defaults /etc/sysconfig/gitblit && cp /tmp/gitblit.service /etc/systemd/system/" -sudo su -c "systemctl daemon-reload && systemctl enable gitblit.service && systemctl start gitblit.service" +sudo sh -c "cp /tmp/gitblit.defaults /etc/sysconfig/gitblit && cp /tmp/gitblit.service /etc/systemd/system/" +sudo sh -c "systemctl daemon-reload && systemctl enable gitblit.service && systemctl start gitblit.service" diff --git a/src/main/distrib/linux/service-centos.sh b/src/main/distrib/linux/service-centos.sh index 843f015a..a2645e7e 100644 --- a/src/main/distrib/linux/service-centos.sh +++ b/src/main/distrib/linux/service-centos.sh @@ -11,7 +11,7 @@ GITBLIT_HTTP_PORT=0 GITBLIT_HTTPS_PORT=8443 GITBLIT_LOG=/var/log/gitblit.log source ${GITBLIT_PATH}/java-proxy-config.sh -JAVA="java -server -Xmx1024M ${JAVA_PROXY_CONFIG} -Djava.awt.headless=true -jar" +JAVA="java -server -Xmx1024M ${JAVA_PROXY_CONFIG} -Djava.awt.headless=true -cp" RETVAL=0 
@@ -21,7 +21,7 @@ case "$1" in then echo $"Starting gitblit server" cd $GITBLIT_PATH - $JAVA $GITBLIT_PATH/gitblit.jar --httpsPort $GITBLIT_HTTPS_PORT --httpPort $GITBLIT_HTTP_PORT --baseFolder $GITBLIT_BASE_FOLDER --dailyLogFile & + $JAVA "$GITBLIT_PATH/gitblit.jar:$GITBLIT_PATH/ext/*" com.gitblit.GitBlitServer --httpsPort $GITBLIT_HTTPS_PORT --httpPort $GITBLIT_HTTP_PORT --baseFolder $GITBLIT_BASE_FOLDER --dailyLogFile & echo "." exit $RETVAL fi @@ -32,7 +32,7 @@ case "$1" in then echo $"Stopping gitblit server" cd $GITBLIT_PATH - $JAVA $GITBLIT_PATH/gitblit.jar --baseFolder $GITBLIT_BASE_FOLDER --stop > /dev/null & + $JAVA "$GITBLIT_PATH/gitblit.jar:$GITBLIT_PATH/ext/*" com.gitblit.GitBlitServer --baseFolder $GITBLIT_BASE_FOLDER --stop > /dev/null & echo "." exit $RETVAL fi diff --git a/src/main/distrib/linux/service-ubuntu.sh b/src/main/distrib/linux/service-ubuntu.sh index 769e3072..461a678c 100644 --- a/src/main/distrib/linux/service-ubuntu.sh +++ b/src/main/distrib/linux/service-ubuntu.sh @@ -19,7 +19,7 @@ GITBLIT_PATH=/opt/gitblit GITBLIT_BASE_FOLDER=/opt/gitblit/data GITBLIT_USER="gitblit" source ${GITBLIT_PATH}/java-proxy-config.sh -ARGS="-server -Xmx1024M ${JAVA_PROXY_CONFIG} -Djava.awt.headless=true -jar gitblit.jar --baseFolder $GITBLIT_BASE_FOLDER --dailyLogFile" +ARGS="-server -Xmx1024M ${JAVA_PROXY_CONFIG} -Djava.awt.headless=true -cp gitblit.jar:ext/* com.gitblit.GitBlitServer --baseFolder $GITBLIT_BASE_FOLDER --dailyLogFile" RETVAL=0 -- cgit v1.2.3 From 34e77ddf09e58ea0a817d31ed74a6bce574bff97 Mon Sep 17 00:00:00 2001 From: Florian Zschocke Date: Sun, 5 Apr 2020 12:28:58 +0200 Subject: 📖docs: Add update of service scripts in upgrade GO documentation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Also: release notes. --- releases.moxie | 31 +++++++++++++++++++++++++++---- src/site/upgrade_go.mkd | 22 ++++++++++++++++++++++ 2 files changed, 49 insertions(+), 4 deletions(-) 
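Review bot: `ARGS="-server -Xmx1024M ${JAVA_PROXY_CONFIG} -Djava.awt.headless=true -cp gitblit.jar:ext/* com.gitblit.GitBlitServer --baseFolder $GITBLIT_BASE_FOLDER --dailyLogFile"` in the service-ubuntu.sh hunk embeds the class path without inner quotes, unlike the `"$GITBLIT_PATH/gitblit.jar:$GITBLIT_PATH/ext/*"` form in the service-centos.sh hunks. Wherever `$ARGS` is later expanded unquoted (the use site is outside this hunk), the shell attempts pathname expansion on `gitblit.jar:ext/*`, and it presumably only stays literal because no directory named `gitblit.jar:ext` exists; the relative `gitblit.jar` also depends on the working directory being the Gitblit folder, as the previous `-jar gitblit.jar` form already did. Putting the class path in its own variable and quoting it at the use site would make both points explicit and match the other scripts.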
diff --git a/releases.moxie b/releases.moxie index 0b5afadd..b73038de 100644 --- a/releases.moxie +++ b/releases.moxie @@ -5,11 +5,33 @@ r31: { title: ${project.name} ${project.version} released id: ${project.version} date: ${project.buildDate} - note: ~ + note: '' + When you have Gitblit installed as a service under Linux or Windows, you may need to edit your service script/definition. The command line to start Gitblit needs to be different, the classpath and class are speficied now. + + See notes for release 1.9.0. + '' html: ~ - text: ~ + text: '' + !! IMPORTANT BUG FIX FOR PASSWORD HASH UPGRADE !! + + There is a severe bug in version 1.9.0, which can lock users out from their accounts. + When updating from a previous version to 1.9.0, existing stored passwords are rehashed + with a more secure password hash mechanism when a user first logs in after the update. + This happens when the password hashing mechanism was left at default and not specifically + set in the configuration. An error in the implementation will destroy the stored password + instead and the user can no longer log in. + + Only certain circumstances will lead to this wrong behaviour. It will most likely + affect users of the Gitblit Docker container. If you did not encounter any problems, + update to 1.9.1 to be on the safe side. If you were hit by this bug, we are deeply sorry. + There is no way to fix the affected accounts other than to set a new password. + + This is fixed in 1.9.1. Updates of existing installations should be made to 1.9.1, not 1.9.0. + '' security: ~ - fixes: ~ + fixes: + - Fixed broken password hash upgrade destroying existing stored passwords on update. + - Fixed Linux service scripts to use `-cp` parameter instead of `-jar`. changes: ~ additions: ~ dependencyChanges: ~ 
@@ -36,7 +58,8 @@ r30: { When the `realm.ldap.bindpattern` property is set, GitBlit will only bind as the user to LDAP, not to a manager account or anonymously. - Older password storage mechanisms are deprecated, PBKDF2 is the new default. When you switch from plaintext to a hashed scheme, or from the older hashed to the new PBKDF2 scheme, the stored password of a user will be rehashed with the more secure mechanism when the user logs in. + Older password storage mechanisms are deprecated, PBKDF2 is the new default. When you switch from plaintext to a hashed scheme, or from the older hashed to the new PBKDF2 scheme, the stored password of a user will be rehashed with the more secure mechanism when the user logs in. + !! THIS IS BROKEN IN 1.9.0. DO NOT UPDATE TO 1.9.0. USE 1.9.1 INSTEAD !! '' html: ~ text: '' diff --git a/src/site/upgrade_go.mkd b/src/site/upgrade_go.mkd index a0092588..4bc2272f 100644 --- a/src/site/upgrade_go.mkd +++ b/src/site/upgrade_go.mkd @@ -1,3 +1,25 @@ +## Upgrading Gitblit GO (1.9.1+) + +The command line to start Gitblit has changed from + +``` +java -jar gitblit.jar --baseFolder data +``` + +to + +``` +java -cp "gitblit.jar:ext/*" com.gitblit.GitBlitServer --baseFolder data +``` + +or on Windows to + +``` +java -cp gitblit.jar;"%CD%\ext\*" com.gitblit.GitBlitServer --baseFolder data +``` + +The class path and main class need to be specified now. If you have installed Gitblit as a service you will need to adjust the service scripts or definitions accordingly. + ## Upgrading Gitblit GO (1.7.0+) The default `gitblit.properties` file has been split into two files: `gitblit.properties`, which is the recommended file for setting your configuration, and `defaults.properties` which are Gitblit's default settings. -- cgit v1.2.3