From b453703aa83f9e3b1605190aed3356fec9d46155 Mon Sep 17 00:00:00 2001
From: Rodrigo Andrade 
Date: Mon, 15 Aug 2016 18:20:28 -0300
Subject: removing duplicated code for cookie genaration and adding random bytes to generate user cookies

---
 src/main/java/com/gitblit/ConfigUserService.java | 2 +-
 src/main/java/com/gitblit/auth/AuthenticationProvider.java | 2 +-
 src/main/java/com/gitblit/client/EditUserDialog.java | 2 +-
 src/main/java/com/gitblit/models/UserModel.java | 4 ++++
 src/main/java/com/gitblit/wicket/pages/EditUserPage.java | 2 +-
 5 files changed, 8 insertions(+), 4 deletions(-)
(limited to 'src')

diff --git a/src/main/java/com/gitblit/ConfigUserService.java b/src/main/java/com/gitblit/ConfigUserService.java
index 6d7230f7..025b1d8c 100644
--- a/src/main/java/com/gitblit/ConfigUserService.java
+++ b/src/main/java/com/gitblit/ConfigUserService.java
@@ -898,7 +898,7 @@ public class ConfigUserService implements IUserService {
 user.countryCode = config.getString(USER, username, COUNTRYCODE);
 user.cookie = config.getString(USER, username, COOKIE);
 if (StringUtils.isEmpty(user.cookie) && !StringUtils.isEmpty(user.password)) {
- user.cookie = StringUtils.getSHA1(user.username + user.password);
+ user.cookie = user.createCookie();
 }
 // preferences
diff --git a/src/main/java/com/gitblit/auth/AuthenticationProvider.java b/src/main/java/com/gitblit/auth/AuthenticationProvider.java
index 0bfe2351..6c098859 100644
--- a/src/main/java/com/gitblit/auth/AuthenticationProvider.java
+++ b/src/main/java/com/gitblit/auth/AuthenticationProvider.java
@@ -81,7 +81,7 @@ public abstract class AuthenticationProvider {
 protected void setCookie(UserModel user, char [] password) {
 // create a user cookie
 if (StringUtils.isEmpty(user.cookie) && !ArrayUtils.isEmpty(password)) {
- user.cookie = StringUtils.getSHA1(user.username + new String(password));
+ user.cookie = user.createCookie();
 }
 }
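Review bot: The replaced line sits in the user-loading path (the stored cookie is read with `config.getString(USER, username, COOKIE)` just above), and `user.createCookie()` presumably yields a different value on every call, whereas the old `getSHA1(user.username + user.password)` was reproducible across reloads. If the loader does not persist the freshly generated cookie back to the users file, a user whose stored cookie is empty will receive a new cookie on every load and any cookie-based session will stop matching. Either save the generated cookie at the point it is created here, or state the expectation on this line, e.g. `// cookie is regenerated on every load until it is persisted; callers must save the user`. The enclosing method starts and ends outside the hunk.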
diff --git a/src/main/java/com/gitblit/client/EditUserDialog.java b/src/main/java/com/gitblit/client/EditUserDialog.java
index 676916b2..4b01ff04 100644
--- a/src/main/java/com/gitblit/client/EditUserDialog.java
+++ b/src/main/java/com/gitblit/client/EditUserDialog.java
@@ -330,7 +330,7 @@ public class EditUserDialog extends JDialog {
 }
 // change the cookie
- user.cookie = StringUtils.getSHA1(user.username + password);
+ user.cookie = user.createCookie();
 String type = settings.get(Keys.realm.passwordStorage).getString("md5");
 if (type.equalsIgnoreCase("md5")) {
diff --git a/src/main/java/com/gitblit/models/UserModel.java b/src/main/java/com/gitblit/models/UserModel.java
index e1522748..d411e504 100644
--- a/src/main/java/com/gitblit/models/UserModel.java
+++ b/src/main/java/com/gitblit/models/UserModel.java
@@ -660,4 +660,8 @@ public class UserModel implements Principal, Serializable, Comparable
 String projectPath = StringUtils.getFirstPathElement(repository);
 return !StringUtils.isEmpty(projectPath) && projectPath.equalsIgnoreCase(getPersonalPath());
 }
+
+ public String createCookie() {
+ return StringUtils.getSHA1(String.valueOf(Math.random()));
+ }
 }
diff --git a/src/main/java/com/gitblit/wicket/pages/EditUserPage.java b/src/main/java/com/gitblit/wicket/pages/EditUserPage.java
index 220bee3f..72dee6b6 100644
--- a/src/main/java/com/gitblit/wicket/pages/EditUserPage.java
+++ b/src/main/java/com/gitblit/wicket/pages/EditUserPage.java
@@ -156,7 +156,7 @@ public class EditUserPage extends RootSubPage {
 }
 // change the cookie
- userModel.cookie = StringUtils.getSHA1(userModel.username + password);
+ userModel.cookie = userModel.createCookie();
 // Optionally store the password MD5 digest.
 String type = app().settings().getString(Keys.realm.passwordStorage, "md5");
-- cgit v1.2.3
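Review bot: The new `createCookie()` derives the session cookie from a single `Math.random()` double, which comes from `java.util.Random` — a generator that is not cryptographically secure and whose 48-bit state bounds the effective entropy, so the SHA-1 of it is not a safe bearer credential even though the commit subject promises "random bytes". Every caller in this commit (ConfigUserService, AuthenticationProvider, EditUserDialog, EditUserPage) now depends on this one method, so the fix belongs here: draw 32 bytes from `java.security.SecureRandom` and hash those, as sketched below (UserModel would need imports for `java.security.SecureRandom` and `java.math.BigInteger`). A Javadoc such as `/** Generates a fresh, unpredictable cookie value; each call returns a new value that is not derived from the username or password. */` would also record that the cookie is no longer stable across calls, which the ConfigUserService hunk relies on implicitly.
```java
	public String createCookie() {
		// The cookie is a bearer credential, so it must come from a CSPRNG;
		// Math.random() is java.util.Random output and is predictable.
		byte[] random = new byte[32];
		new SecureRandom().nextBytes(random);
		return StringUtils.getSHA1(new BigInteger(1, random).toString(16));
	}
```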