Comments (10)
Uh oh. I will take a look at this very soon - maybe today.
Reported by James.Moger
on 2011-10-23 13:46:55
- Status changed:
Accepted
- Labels added: Priority-Critical, Milestone-0.7.0
- Labels removed: Priority-Medium
from gitblit.
Reported by James.Moger
on 2011-10-23 13:47:11
from gitblit.
My test setup is a little different from your setup...
* I always test on Jetty 7 (GO build) and occasionally Tomcat 6 (and Tomcat 7 in master).
* Gitblit 0.6.0 is servlet-api 2.5, not servlet-api 3.0 (Jetty 8). The next release is servlet-api 3.0 ready (Tomcat 6/Tomcat 7/Jetty 8).
* I don't have TortoiseGit, but I don't *think* that should be an issue since the reported error is server-side.
My preliminary result is that I cannot reproduce your finding with 0.6.0 or the current master branch. I have tried cloning a repository at each restriction level with a unit test. It did surprise me, though, to see that an empty repository is created locally even though the clone failed.
Things you could do to help me diagnose the issue further:
1. Don't test on Jetty 8 since that is servlet 3.0 and may change/break authentication
(like trying to run Gitblit 0.6.0 on Tomcat 7).
2. Set "web.debugMode=true" in web.xml - this will add some logging to the AccessRestrictionFilter
class. Confirm the received credentials in the log. The log will say something like
when you try to clone:
INFO ARF: ticgit.git/info/refs?service=git-upload-pack (401)
INFO AUTH: Challenge Basic realm="Gitblit"
INFO AUTH: invalid credentials (bogus:bogus)
INFO ARF: ticgit.git/info/refs?service=git-upload-pack (401)
INFO AUTH: Challenge Basic realm="Gitblit"
3. If TortoiseGit still succeeds and the credentials are the bogus ones, confirm that
the cloned repository actually has commits in it and is not just empty.
If all those are true, then perhaps TortoiseGit is falling back to the "dumb" http
protocol in which case I will have to review that some more because I did not think
that I was serving the "dumb" style.
Reported by James.Moger
on 2011-10-23 14:58:22
from gitblit.
I did not yet change back to an old Jetty version (but as I said, I used Jetty 6 at
first and had the same behaviour).
The repositories I cloned are not empty, the debug logs look like this:
INFO | jvm 1 | 2011/10/23 18:06:59 | INFO ARF: kake.git/info/refs?service=git-upload-pack (401)
INFO | jvm 1 | 2011/10/23 18:06:59 | INFO AUTH: Challenge Basic realm="Gitblit"
INFO | jvm 1 | 2011/10/23 18:07:05 | INFO ARF: kake.git/info/refs?service=git-upload-pack (401)
INFO | jvm 1 | 2011/10/23 18:07:05 | INFO AUTH: Challenge Basic realm="Gitblit"
INFO | jvm 1 | 2011/10/23 18:07:05 | INFO AUTH: invalid credentials (bla:blub)
INFO | jvm 1 | 2011/10/23 18:07:05 | INFO ARF: kake.git/info/refs?service=git-upload-pack (401)
INFO | jvm 1 | 2011/10/23 18:07:05 | INFO AUTH: Challenge Basic realm="Gitblit"
INFO | jvm 1 | 2011/10/23 18:07:05 | INFO ARF: kake.git/info/refs (100) unauthenticated
INFO | jvm 1 | 2011/10/23 18:07:06 | INFO ARF: kake.git/HEAD (100) unauthenticated
INFO | jvm 1 | 2011/10/23 18:07:06 | INFO ARF: kake.git/objects/e5/8cb482d051fe0d269468d76e556f23cfb84fab (100) unauthenticated
INFO | jvm 1 | 2011/10/23 18:07:06 | INFO ARF: kake.git/objects/da/12904f9adf481ffcf1fd695e76df748542770f (100) unauthenticated
INFO | jvm 1 | 2011/10/23 18:07:06 | INFO ARF: kake.git/objects/67/f869a6b5fff28b25eb5368adff0a67ad67393c (100) unauthenticated
INFO | jvm 1 | 2011/10/23 18:07:06 | INFO ARF: kake.git/objects/18/d70f02cb8eeded3bb20b75f0cd29bb66157990 (100) unauthenticated
INFO | jvm 1 | 2011/10/23 18:07:06 | INFO ARF: kake.git/objects/ff/58cd936270ea2d151448f5f1cfb5a887213682 (100) unauthenticated
But it's still cloned successfully.
Reported by rob2d2
on 2011-10-23 16:11:27
from gitblit.
Ok. Please repeat with the GO version and post your findings to help me determine where
the problem lies.
Reported by James.Moger
on 2011-10-23 16:26:59
from gitblit.
Same thing happens. I copied in one of my repositories, enabled http and started gitblit go locally. Then I cloned successfully from localhost using bogus login data. On Win7 with a 64bit Java7u1.
I can send you the whole thing including the repository if it helps.
Reported by rob2d2
on 2011-10-23 16:57:31
from gitblit.
That might be very diagnostic. Try zipping and attaching to this issue - if it's not too large. I'll install TortoiseGit to see if I can replicate here.
Reported by James.Moger
on 2011-10-23 17:49:57
from gitblit.
Oh shit. I just replicated this with TortoiseGit. This is obviously a nasty security
hole in my restriction filter implementation. EGit/JGit doesn't trigger this. Last
I checked, CGit doesn't trigger this either... but maybe it does now. I'll check that
too. It looks like TortoiseGit just keeps chugging along trying to make every URL
request instead of (really) stopping after authentication failure. Actually, what
happens is that it prompts for credentials on the first challenge, but then disregards
all subsequent challenges and makes url requests which Gitblit happily processes, even
though it should not.
Thanks for reporting this. I'll have this fixed today or tomorrow on Master. I was
planning on a new release (big changes) by end of the week... this will be an *important*
addition.
Reported by James.Moger
on 2011-10-23 18:28:00
from gitblit.
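The failure mode diagnosed above, as an added illustration that is not Gitblit's code: a simplified access filter that only challenges the smart-HTTP handshake serves the "dumb" protocol paths (info/refs, HEAD, objects/...) to a client that ignores the 401, while the hardened variant gates every path under a restricted repository. The repository name, user and request sequence are constructed from the log excerpt in this thread; repository names without nested groups are assumed.

```python
"""Model of the access-restriction bug discussed above (illustrative,
not Gitblit's code): a filter that only challenges the smart-HTTP
endpoint lets dumb-HTTP paths through unauthenticated."""
import re
from typing import Callable, List, Optional, Tuple

# Constructed sample: "kake.git" is clone-restricted and only the
# user "alice" with password "secret" may read it.
RESTRICTED = {"kake.git"}
USERS = {"alice": "secret"}

# Assumption: repository names are a single path segment ending in .git
SMART_ENDPOINT = re.compile(r"^([^/]+\.git)/info/refs\?service=git-upload-pack$")
ANY_REPO_PATH = re.compile(r"^([^/]+\.git)(?:/.*)?$")


def credentials_ok(creds: Optional[Tuple[str, str]]) -> bool:
    return creds is not None and USERS.get(creds[0]) == creds[1]


def naive_filter(path: str, creds: Optional[Tuple[str, str]]) -> int:
    """Buggy: the restriction is enforced only on the smart-protocol
    handshake, so a client that ignores the 401 and keeps requesting
    dumb-HTTP paths is served every object."""
    m = SMART_ENDPOINT.match(path)
    if m and m.group(1) in RESTRICTED and not credentials_ok(creds):
        return 401
    return 200


def hardened_filter(path: str, creds: Optional[Tuple[str, str]]) -> int:
    """Fixed: every path under a restricted repository requires valid
    credentials, whichever protocol the client speaks."""
    m = ANY_REPO_PATH.match(path)
    if m and m.group(1) in RESTRICTED and not credentials_ok(creds):
        return 401
    return 200


def simulate_clone(filt: Callable, creds: Optional[Tuple[str, str]]) -> List[int]:
    """Replay the request sequence seen in the log above (smart handshake,
    then dumb-protocol fallback) and return the status each request gets."""
    requests = [
        "kake.git/info/refs?service=git-upload-pack",
        "kake.git/info/refs",
        "kake.git/HEAD",
        "kake.git/objects/e5/8cb482d051fe0d269468d76e556f23cfb84fab",
    ]
    return [filt(p, creds) for p in requests]
```

With bogus credentials the naive filter answers 401 only to the handshake and 200 to everything after it, which is exactly the "(100) unauthenticated" pattern in the posted log; the hardened filter refuses all four.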
Ah, okidoki, glad I could help, really like the software.
Reported by rob2d2
on 2011-10-23 21:20:38
from gitblit.
Fix deployed in v0.7.0.
Reported by James.Moger
on 2011-11-11 23:16:24
- Status changed:
Fixed
from gitblit.