davideuler / gitblit

Automatically exported from code.google.com/p/gitblit
Apache License 2.0

Security problem: it is possible to get the content of commits if the repository name is known. No authorized user needed, access is free! #545

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. You can try it with a fully secured repository in Gitblit that requires authentication for VIEW too.
    http://<gitblit_url:8080|8443>/patch/<repo_name>.git
    This will show the content of the last commit to Gitblit for repo_name.
    The problem is that Google scans and saves commits through Gitblit.

2. Example of free access; actually access to the repo is allowed ONLY for authorized users, but if you open the link, you can see all the content of the last commit:

     https://bgate.mellanox.com:8443/patch/ompi.git

What is the expected output? What do you see instead?
   From 429c4b3ad7e07caf5fa20d2ed0ec6ccffc3b2cd4 Mon Sep 17 00:00:00 2001
   From: Ralph Castain <rhc@open-mpi-git-mirror.example.com>
   Date: Wed, 01 Oct 2014 01:27:03 +0300
   Subject: [PATCH] Cover the remaining code paths for Java apps to define class path
   ............. and more

What version of the product are you using? On what operating system?
Gitblit v1.6.2

Please provide any additional information below.

Original issue reported on code.google.com by adm1...@gmail.com on 13 Jan 2015 at 7:13
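As an added example, not part of this issue or of Gitblit's code: a check over access-log lines that flags the condition the report describes, a protected repository's patch served (HTTP 200) to a client with no authenticated user. It assumes a reverse proxy in front of Gitblit writes Common Log Format with the authenticated user in the third field; the sample lines, IPs and repository name are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in Common Log Format (not from the report). The third
# field is the authenticated user, "-" when the request carried no login.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Jan/2015:07:13:02 +0200] "GET /patch/ompi.git HTTP/1.1" 200 48213
203.0.113.7 - - [13/Jan/2015:07:13:05 +0200] "GET /summary/ompi.git HTTP/1.1" 302 0
198.51.100.9 - alice [13/Jan/2015:07:14:10 +0200] "GET /patch/ompi.git?h=master HTTP/1.1" 200 48213
203.0.113.7 - - [13/Jan/2015:07:15:00 +0200] "GET /patch/ompi.git HTTP/1.1" 403 0
203.0.113.7 - - [13/Jan/2015:07:16:00 +0200] "GET /static/logo.png HTTP/1.1" 200 1200
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# Path form taken from the report: /patch/<repo_name>.git, optionally with a query string.
PATCH_RE = re.compile(r'^/patch/(?P<repo>[^/?]+\.git)(?:[?/]|$)')


def parse_clf(line: str) -> Optional[Dict[str, str]]:
    """Parse one Common Log Format line; return None for lines that do not match."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def find_unauthenticated_patch_hits(log_text: str, protected_repos: set) -> List[Dict[str, str]]:
    """Return requests that served (HTTP 200) the patch of a protected repository
    to a client with no authenticated user. Denied requests (403) and requests
    by a logged-in user are not reported."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue
        pm = PATCH_RE.match(rec["path"])
        if pm is None:
            continue
        repo = pm.group("repo")
        if repo in protected_repos and rec["user"] == "-" and rec["status"] == "200":
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "repo": repo})
    return hits


if __name__ == "__main__":
    for h in find_unauthenticated_patch_hits(SAMPLE_LOG, {"ompi.git"}):
        print(f'{h["ts"]} {h["ip"]} served patch of {h["repo"]} without authentication')
```

A non-empty result on an instance that should require VIEW authentication means the fix is not in place or the proxy is not enforcing it; on a patched Gitblit the same requests should appear with a 401 or 403 status.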

GoogleCodeExporter commented 9 years ago
Thanks for discovering this.  I'll get it patched soon.

Original comment by James.Mo...@gmail.com on 15 Jan 2015 at 4:15

GoogleCodeExporter commented 9 years ago
Fix pushed.

Original comment by James.Mo...@gmail.com on 26 Feb 2015 at 4:17