Merge branch 'master' into release

Author: flaix

README.markdown

@@ -5,7 +5,7 @@ Gitblit is an open source, pure Java Git solution for managing, viewing, and ser
 
 More information about Gitblit can be found [here](http://gitblit.com).
 
-<a href='https://github.com/fzs/gitblit/releases/latest'><img src='https://img.shields.io/badge/dynamic/json?color=9cf&label=Download&query=%24.name&url=https%3A%2F%2Fapi.github.com%2Frepos%2Ffzs%2Fgitblit%2Freleases%2Flatest'></a>
+<a href='https://github.com/gitblit/gitblit/releases/latest'><img src='https://img.shields.io/badge/dynamic/json?color=9cf&label=Download&query=%24.name&url=https%3A%2F%2Fapi.github.com%2Frepos%2Fgitblit%2Fgitblit%2Freleases%2Flatest'></a>
 
 License
 -------

build.moxie

@@ -10,12 +10,12 @@ name: Gitblit
 description: pure Java Git solution
 groupId: com.gitblit
 artifactId: gitblit
-version: 1.9.0-SNAPSHOT
+version: 1.9.1-SNAPSHOT
 inceptionYear: 2011
 
 # Current stable release
-releaseVersion: 1.8.0
-releaseDate: 2016-06-22
+releaseVersion: 1.9.0
+releaseDate: 2020-02-01
 
 # Project urls
 url: 'http://gitblit.com'
@@ -96,8 +96,8 @@ dependencyDirectory: ext
 registeredRepositories:
 - { id: central, url: 'https://repo1.maven.org/maven2' }
 - { id: mavencentral, url: 'https://repo1.maven.org/maven2' }
-- { id: eclipse, url: 'http://repo.eclipse.org/content/groups/releases' }
-- { id: eclipse-snapshots, url: 'http://repo.eclipse.org/content/groups/snapshots' }
+- { id: eclipse, url: 'https://repo.eclipse.org/content/groups/releases' }
+- { id: eclipse-snapshots, url: 'https://repo.eclipse.org/content/groups/snapshots' }
 - { id: gitblit, url: 'http://gitblit.github.io/gitblit-maven' }
 
 # Source all dependencies from the following repositories in the specified order

releases.moxie

@@ -1,10 +1,50 @@
 #
 # ${project.version} release
 #
-r30: {
+r31: {
     title: ${project.name} ${project.version} released
     id: ${project.version}
     date: ${project.buildDate}
+    note: ''
+          When you have Gitblit installed as a service under Linux or Windows, you may need to edit your service script/definition. The command line to start Gitblit needs to be different, the classpath and class are speficied now.
+
+          See notes for release 1.9.0.
+          ''
+    html: ~
+    text: ''
+          !! IMPORTANT BUG FIX FOR PASSWORD HASH UPGRADE !!
+          
+          There is a severe bug in version 1.9.0, which can lock users out from their accounts.
+          When updating from a previous version to 1.9.0, existing stored passwords are rehashed
+          with a more secure password hash mechanism when a user first logs in after the update.
+          This happens when the password hashing mechanism was left at default and not specifically
+          set in the configuration. An error in the implementation will destroy the stored password
+          instead and the user can no longer log in.
+
+          Only certain circumstances will lead to this wrong behaviour. It will most likely
+          affect users of the Gitblit Docker container. If you did not encounter any problems,
+          update to 1.9.1 to be on the safe side. If you were hit by this bug, we are deeply sorry.
+          There is no way to fix the affected accounts other than to set a new password.
+
+          This is fixed in 1.9.1. Updates of existing installations should be made to 1.9.1, not 1.9.0.
+          ''
+    security: ~
+    fixes:
+      - Fixed broken password hash upgrade destroying existing stored passwords on update.
+      - Fixed Linux service scripts to use `-cp` parameter instead of `-jar`.
+    changes: ~
+    additions: ~
+    dependencyChanges: ~
+    contributors: ~
+}
+
+#
+# 1.9.0 release
+#
+r30: {
+    title: Gitblit 1.9.0 released
+    id: 1.9.0
+    date: 2020-02-01
     note: ''
           Gitblit uses Servlet 3.0 and thus drops support for Tomcat 6. Run on Tomcat 6 at your own risk. 
 
@@ -18,7 +58,8 @@ r30: {
 
           When the `realm.ldap.bindpattern` property is set, GitBlit will only bind as the user to LDAP, not to a manager account or anonymously.
 
-          Older password storage mechanisms are deprecated, PBKDF2 is the new default. When you switch from plaintext to a hashed scheme, or from the older hashed to the new PBKDF2 scheme, the stored password of a user will be rehashed with the more secure mechanism when the user logs in. 
+          Older password storage mechanisms are deprecated, PBKDF2 is the new default. When you switch from plaintext to a hashed scheme, or from the older hashed to the new PBKDF2 scheme, the stored password of a user will be rehashed with the more secure mechanism when the user logs in.
+          !! THIS IS BROKEN IN 1.9.0. DO NOT UPDATE TO 1.9.0. USE 1.9.1 INSTEAD !!
           ''
     html: ~
     text: ''
@@ -1949,6 +1990,6 @@ r1: {
 	- James Moger
 }
 
-snapshot: &r30
-release: &r29
-releases: &r[1..29]
+snapshot: &r31
+release: &r30
+releases: &r[1..30]

src/main/distrib/linux/authority.sh

@@ -1,2 +1,2 @@
 #!/bin/bash
-java -cp gitblit.jar:ext/* com.gitblit.authority.GitblitAuthority --baseFolder data
+java -cp "gitblit.jar:ext/*" com.gitblit.authority.GitblitAuthority --baseFolder data

src/main/distrib/linux/install-service-fedora.sh

@@ -18,16 +18,16 @@ After=network.target
 [Service]
 User=gitblit
 Group=gitblit
-Environment="ARGS=-server -Xmx1024M -Djava.awt.headless=true -jar"
+Environment="ARGS=-server -Xmx1024M -Djava.awt.headless=true -cp"
 EnvironmentFile=-/etc/sysconfig/gitblit
 WorkingDirectory=/opt/gitblit
-ExecStart=/usr/bin/java \$ARGS gitblit.jar --httpsPort \$GITBLIT_HTTPS_PORT --httpPort \$GITBLIT_HTTP_PORT --baseFolder \$GITBLIT_BASE_FOLDER --dailyLogFile
-ExecStop=/usr/bin/java \$ARGS gitblit.jar --baseFolder \$GITBLIT_BASE_FOLDER --stop
+ExecStart=/usr/bin/java \$ARGS gitblit.jar:ext/* com.gitblit.GitBlitServer --httpsPort \$GITBLIT_HTTPS_PORT --httpPort \$GITBLIT_HTTP_PORT --baseFolder \$GITBLIT_BASE_FOLDER --dailyLogFile
+ExecStop=/usr/bin/java \$ARGS gitblit.jar:ext/* com.gitblit.GitBlitServer --baseFolder \$GITBLIT_BASE_FOLDER --stop
 
 [Install]
 WantedBy=multi-user.target
 EOF
 
 # Finally copy the files to the destination and register the systemd unit.
-sudo su -c "cp /tmp/gitblit.defaults /etc/sysconfig/gitblit && cp /tmp/gitblit.service /etc/systemd/system/"
-sudo su -c "systemctl daemon-reload && systemctl enable gitblit.service && systemctl start gitblit.service"
+sudo sh -c "cp /tmp/gitblit.defaults /etc/sysconfig/gitblit && cp /tmp/gitblit.service /etc/systemd/system/"
+sudo sh -c "systemctl daemon-reload && systemctl enable gitblit.service && systemctl start gitblit.service"

src/main/distrib/linux/migrate-tickets.sh

@@ -8,7 +8,7 @@
 #
 # --------------------------------------------------------------------------
 
-if [[ -z $1 || -z $2 ]]; then
+if [ -z $1 ] || [ -z $2 ]; then
     echo "Please specify the output ticket service and your baseFolder!";
     echo "";
     echo "usage:";
@@ -17,5 +17,5 @@ if [[ -z $1 || -z $2 ]]; then
     exit 1;
 fi
 
-java -cp gitblit.jar:./ext/* com.gitblit.MigrateTickets $1 --baseFolder $2
+java -cp "gitblit.jar:ext/*" com.gitblit.MigrateTickets $1 --baseFolder $2
 

src/main/distrib/linux/reindex-tickets.sh

@@ -11,7 +11,7 @@
 #
 # --------------------------------------------------------------------------
 
-if [[ -z $1 ]]; then
+if [ -z $1 ] ; then
     echo "Please specify your baseFolder!";
     echo "";
     echo "usage:";
@@ -20,5 +20,5 @@ if [[ -z $1 ]]; then
     exit 1;
 fi
 
-java -cp gitblit.jar:./ext/* com.gitblit.ReindexTickets --baseFolder $1
+java -cp "gitblit.jar:ext/*" com.gitblit.ReindexTickets --baseFolder $1
 

src/main/distrib/linux/service-centos.sh

@@ -11,7 +11,7 @@ GITBLIT_HTTP_PORT=0
 GITBLIT_HTTPS_PORT=8443
 GITBLIT_LOG=/var/log/gitblit.log
 source ${GITBLIT_PATH}/java-proxy-config.sh
-JAVA="java -server -Xmx1024M ${JAVA_PROXY_CONFIG} -Djava.awt.headless=true -jar"
+JAVA="java -server -Xmx1024M ${JAVA_PROXY_CONFIG} -Djava.awt.headless=true -cp"
 
 RETVAL=0
 
@@ -21,7 +21,7 @@ case "$1" in
       then
       echo $"Starting gitblit server"
       cd $GITBLIT_PATH
-      $JAVA $GITBLIT_PATH/gitblit.jar --httpsPort $GITBLIT_HTTPS_PORT --httpPort $GITBLIT_HTTP_PORT --baseFolder $GITBLIT_BASE_FOLDER --dailyLogFile &
+      $JAVA "$GITBLIT_PATH/gitblit.jar:$GITBLIT_PATH/ext/*" com.gitblit.GitBlitServer --httpsPort $GITBLIT_HTTPS_PORT --httpPort $GITBLIT_HTTP_PORT --baseFolder $GITBLIT_BASE_FOLDER --dailyLogFile &
       echo "."
       exit $RETVAL
     fi
@@ -32,7 +32,7 @@ case "$1" in
       then
       echo $"Stopping gitblit server"
       cd $GITBLIT_PATH
-      $JAVA $GITBLIT_PATH/gitblit.jar --baseFolder $GITBLIT_BASE_FOLDER --stop > /dev/null &
+      $JAVA "$GITBLIT_PATH/gitblit.jar:$GITBLIT_PATH/ext/*" com.gitblit.GitBlitServer --baseFolder $GITBLIT_BASE_FOLDER --stop > /dev/null &
       echo "."
       exit $RETVAL
     fi

src/main/distrib/linux/service-ubuntu.sh

@@ -19,7 +19,7 @@ GITBLIT_PATH=/opt/gitblit
 GITBLIT_BASE_FOLDER=/opt/gitblit/data
 GITBLIT_USER="gitblit"
 source ${GITBLIT_PATH}/java-proxy-config.sh
-ARGS="-server -Xmx1024M ${JAVA_PROXY_CONFIG} -Djava.awt.headless=true -jar gitblit.jar --baseFolder $GITBLIT_BASE_FOLDER --dailyLogFile"
+ARGS="-server -Xmx1024M ${JAVA_PROXY_CONFIG} -Djava.awt.headless=true -cp gitblit.jar:ext/* com.gitblit.GitBlitServer --baseFolder $GITBLIT_BASE_FOLDER --dailyLogFile"
 
 RETVAL=0
 

src/main/java/com/gitblit/manager/AuthenticationManager.java

@@ -18,10 +18,7 @@
 import java.nio.charset.Charset;
 import java.security.Principal;
 import java.text.MessageFormat;
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
+import java.util.*;
 import java.util.concurrent.TimeUnit;
 
 import javax.servlet.http.Cookie;
@@ -455,7 +452,6 @@ protected void flagRequest(HttpServletRequest httpRequest, AuthenticationType au
 	/**
 	 * Authenticate a user based on a username and password.
 	 *
-	 * @see IUserService.authenticate(String, char[])
 	 * @param username
 	 * @param password
 	 * @return a user object or null
@@ -474,34 +470,39 @@ public UserModel authenticate(String username, char[] password, String remoteIP)
 		}
 
 		String usernameDecoded = StringUtils.decodeUsername(username);
-		String pw = new String(password);
-		if (StringUtils.isEmpty(pw)) {
+		if (StringUtils.isEmpty(password)) {
 			// can not authenticate empty password
 			return null;
 		}
 
 		UserModel user = userManager.getUserModel(usernameDecoded);
 
-		// try local authentication
-		if (user != null && user.isLocalAccount()) {
-			UserModel returnedUser = authenticateLocal(user, password);
-			if (returnedUser != null) {
-				// user authenticated
-				return returnedUser;
-			}
-		} else {
-			// try registered external authentication providers
-			for (AuthenticationProvider provider : authenticationProviders) {
-				if (provider instanceof UsernamePasswordAuthenticationProvider) {
-					UserModel returnedUser = provider.authenticate(usernameDecoded, password);
-					if (returnedUser != null) {
-						// user authenticated
-						returnedUser.accountType = provider.getAccountType();
-						return validateAuthentication(returnedUser, AuthenticationType.CREDENTIALS);
+		try {
+			// try local authentication
+			if (user != null && user.isLocalAccount()) {
+				UserModel returnedUser = authenticateLocal(user, password);
+				if (returnedUser != null) {
+					// user authenticated
+					return returnedUser;
+				}
+			} else {
+				// try registered external authentication providers
+				for (AuthenticationProvider provider : authenticationProviders) {
+					if (provider instanceof UsernamePasswordAuthenticationProvider) {
+						UserModel returnedUser = provider.authenticate(usernameDecoded, password);
+						if (returnedUser != null) {
+							// user authenticated
+							returnedUser.accountType = provider.getAccountType();
+							return validateAuthentication(returnedUser, AuthenticationType.CREDENTIALS);
+						}
 					}
 				}
 			}
 		}
+		finally {
+			// Zero out password array to delete password from memory
+			Arrays.fill(password, Character.MIN_VALUE);
+		}
 
 		// could not authenticate locally or with a provider
 		logger.warn(MessageFormat.format("Failed login attempt for {0}, invalid credentials from {1}", username, 
@@ -520,21 +521,33 @@ public UserModel authenticate(String username, char[] password, String remoteIP)
 	protected UserModel authenticateLocal(UserModel user, char [] password) {
 		UserModel returnedUser = null;
 
-		PasswordHash pwdHash = PasswordHash.instanceFor(user.password);
-		if (pwdHash != null) {
-			if (pwdHash.matches(user.password, password, user.username)) {
+		// Create a copy of the password that we can use to rehash to upgrade to a more secure hashing method.
+		// This is done to be independent from the implementation of the PasswordHash, which might already clear out
+		// the password it gets passed in. This looks a bit stupid, as we could simply clean up the mess, but this
+		// falls under "better safe than sorry".
+		char[] pwdToUpgrade = Arrays.copyOf(password, password.length);
+		try {
+			PasswordHash pwdHash = PasswordHash.instanceFor(user.password);
+			if (pwdHash != null) {
+				if (pwdHash.matches(user.password, password, user.username)) {
+					returnedUser = user;
+				}
+			} else if (user.password.equals(new String(password))) {
+				// plain-text password
 				returnedUser = user;
 			}
-		} else if (user.password.equals(new String(password))) {
-			// plain-text password
-			returnedUser = user;
-		} 
-		
-		// validate user
-		returnedUser = validateAuthentication(returnedUser, AuthenticationType.CREDENTIALS);
-		
-		// try to upgrade the stored password hash to a stronger hash, if necessary
-		upgradeStoredPassword(returnedUser, password, pwdHash);
+
+			// validate user
+			returnedUser = validateAuthentication(returnedUser, AuthenticationType.CREDENTIALS);
+
+			// try to upgrade the stored password hash to a stronger hash, if necessary
+			upgradeStoredPassword(returnedUser, pwdToUpgrade, pwdHash);
+		}
+		finally {
+			// Now we make sure that the password is zeroed out in any case.
+			Arrays.fill(password, Character.MIN_VALUE);
+			Arrays.fill(pwdToUpgrade, Character.MIN_VALUE);
+		}
 
 		return returnedUser;
 	}