Skip to content

Fixing user cookie issue #1063 #1116

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Dec 13, 2016
Merged

Fixing user cookie issue #1063 #1116

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
b453703
removing duplicated code for cookie genaration and adding random byte…
Aug 15, 2016
4365c8f
removing unecessary user cookie code
Aug 15, 2016
a1fc7e7
changing Math.random to SecureRandom
Dec 11, 2016
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion src/main/java/com/gitblit/ConfigUserService.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -898,7 +898,7 @@ protected synchronized void read() {
user.countryCode = config.getString(USER, username, COUNTRYCODE);
user.cookie = config.getString(USER, username, COOKIE);
if (StringUtils.isEmpty(user.cookie) && !StringUtils.isEmpty(user.password)) {
user.cookie = StringUtils.getSHA1(user.username + user.password);
user.cookie = user.createCookie();
}

// preferences
Expand Down
6 changes: 3 additions & 3 deletions src/main/java/com/gitblit/auth/AuthenticationProvider.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -78,10 +78,10 @@ public String getServiceName() {

public abstract AuthenticationType getAuthenticationType();

protected void setCookie(UserModel user, char [] password) {
protected void setCookie(UserModel user) {
// create a user cookie
if (StringUtils.isEmpty(user.cookie) && !ArrayUtils.isEmpty(password)) {
user.cookie = StringUtils.getSHA1(user.username + new String(password));
if (StringUtils.isEmpty(user.cookie)) {
user.cookie = user.createCookie();
}
}

Expand Down
2 changes: 1 addition & 1 deletion src/main/java/com/gitblit/auth/HtpasswdAuthProvider.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -196,7 +196,7 @@ else if (supportPlaintextPwd() && storedPwd.equals(passwd)){
}

// create a user cookie
setCookie(user, password);
setCookie(user);

// Set user attributes, hide password from backing user service.
user.password = Constants.EXTERNAL_ACCOUNT;
Expand Down
2 changes: 1 addition & 1 deletion src/main/java/com/gitblit/auth/LdapAuthProvider.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -360,7 +360,7 @@ public UserModel authenticate(String username, char[] password) {
}

// create a user cookie
setCookie(user, password);
setCookie(user);

if (!supportsTeamMembershipChanges()) {
getTeamsFromLdap(ldapConnection, simpleUsername, loggingInUser, user);
Expand Down
2 changes: 1 addition & 1 deletion src/main/java/com/gitblit/auth/PAMAuthProvider.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -122,7 +122,7 @@ public UserModel authenticate(String username, char[] password) {
}

// create a user cookie
setCookie(user, password);
setCookie(user);

// update user attributes from UnixUser
user.accountType = getAccountType();
Expand Down
2 changes: 1 addition & 1 deletion src/main/java/com/gitblit/auth/RedmineAuthProvider.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -139,7 +139,7 @@ public UserModel authenticate(String username, char[] password) {
}

// create a user cookie
setCookie(user, password);
setCookie(user);

// update user attributes from Redmine
user.accountType = getAccountType();
Expand Down
2 changes: 1 addition & 1 deletion src/main/java/com/gitblit/auth/SalesforceAuthProvider.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,7 @@ public UserModel authenticate(String username, char[] password) {
user = new UserModel(simpleUsername);
}

setCookie(user, password);
setCookie(user);
setUserAttributes(user, info);

updateUser(user);
Expand Down
2 changes: 1 addition & 1 deletion src/main/java/com/gitblit/auth/WindowsAuthProvider.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -153,7 +153,7 @@ public UserModel authenticate(String username, char[] password) {
}

// create a user cookie
setCookie(user, password);
setCookie(user);

// update user attributes from Windows identity
user.accountType = getAccountType();
Expand Down
2 changes: 1 addition & 1 deletion src/main/java/com/gitblit/client/EditUserDialog.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -330,7 +330,7 @@ private boolean validateFields() {
}

// change the cookie
user.cookie = StringUtils.getSHA1(user.username + password);
user.cookie = user.createCookie();

String type = settings.get(Keys.realm.passwordStorage).getString("md5");
if (type.equalsIgnoreCase("md5")) {
Expand Down
8 changes: 8 additions & 0 deletions src/main/java/com/gitblit/models/UserModel.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@

import java.io.Serializable;
import java.security.Principal;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
Expand Down Expand Up @@ -660,4 +661,11 @@ public boolean isMyPersonalRepository(String repository) {
String projectPath = StringUtils.getFirstPathElement(repository);
return !StringUtils.isEmpty(projectPath) && projectPath.equalsIgnoreCase(getPersonalPath());
}

public String createCookie() {
SecureRandom random = new SecureRandom();
byte[] values = new byte[20];
random.nextBytes(values);
return StringUtils.getSHA1(String.valueOf(values));
}
}
2 changes: 1 addition & 1 deletion src/main/java/com/gitblit/wicket/pages/EditUserPage.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -156,7 +156,7 @@ protected void onSubmit() {
}

// change the cookie
userModel.cookie = StringUtils.getSHA1(userModel.username + password);
userModel.cookie = userModel.createCookie();

// Optionally store the password MD5 digest.
String type = app().settings().getString(Keys.realm.passwordStorage, "md5");
Expand Down