diff --git a/README.markdown b/README.markdown
index bba805891..c826be673 100644
--- a/README.markdown
+++ b/README.markdown
@@ -6,7 +6,7 @@ Gitblit is an open source, pure Java Git solution for managing, viewing, and ser
More information about Gitblit can be found [here](http://gitblit.com).
-
+

License
diff --git a/build.moxie b/build.moxie
index 5bf44599c..ce71c20f4 100644
--- a/build.moxie
+++ b/build.moxie
@@ -10,12 +10,12 @@ name: Gitblit
description: pure Java Git solution
groupId: com.gitblit
artifactId: gitblit
-version: 1.9.3-SNAPSHOT
+version: 1.9.4-SNAPSHOT
inceptionYear: 2011
# Current stable release
-releaseVersion: 1.9.2
-releaseDate: 2022-02-05
+releaseVersion: 1.9.3
+releaseDate: 2022-04-09
# Project urls
url: 'http://gitblit.com'
diff --git a/releases.moxie b/releases.moxie
index 4b8f07174..93d8d190c 100644
--- a/releases.moxie
+++ b/releases.moxie
@@ -1,7 +1,7 @@
#
# ${project.version} release
#
-r33: {
+r34: {
title: ${project.name} ${project.version} released
id: ${project.version}
date: ${project.buildDate}
@@ -16,6 +16,45 @@ r33: {
contributors: ~
}
+#
+# 1.9.3 release
+#
+r33: {
+ title: Gitblit 1.9.3 released
+ id: 1.9.3
+ date: 2022-04-09
+ note: ''
+ The 1.9 minor version is the last to support Java 7. From 1.10 on Gitblit will require Java 8.
+ ''
+ html: ~
+ text: ''
+ !! IMPORTANT SECURITY FIX FOR CONFIG USER SERVICE !!
+
+ There is a security vulnerability in version 1.9.2, which allows an attacker to gain
+ elevated access rights. This is present when the Config User Service is used as the
+ user service, which is the default.
+
+ Version 1.9.2 introduced a new implementation to store user data in the user config file
+ which holds user name, password, access rights etc. This was done to solve problems with
+ very large user bases (pr-1364). This new implementation does not properly escape all
+ control characters, like newline and tab. As a result, a normal user, when logged into
+ Gitblit, can edit his profile data and enter values in e.g. the email address that are
+ interpreted as control characters in the text file stored on disk. This allows the malicious
+ user to give themselves e.g. elevated access rights on their account.
+
+ This is fixed in 1.9.3. Updates of existing installations should be made to 1.9.3, not 1.9.2.
+
+ Many thanks to Github user @YYHYlh for finding and reporting this issue (issue-1410).
+ ''
+ security:
+ - Fix escaping control characters in config user service, resolving a security vulnerability. (issue-1410)
+ fixes: ~
+ changes: ~
+ additions: ~
+ dependencyChanges: ~
+ contributors: ~
+}
+
#
# 1.9.2 release
#
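Review bot: The new r33 `text:` block tells operators to upgrade to 1.9.3 but gives no guidance for installations that already ran 1.9.2. The same paragraph states that a logged-in user could write control characters into the stored user config file and give themselves elevated access rights. The note does not say whether upgrading cleans up entries that were already written, so please add a sentence asking administrators who deployed 1.9.2 to review the user config file for accounts holding rights they did not grant. Style: "edit his profile data" and "give themselves" use different pronouns for the same user in adjacent sentences; pick one.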
@@ -2056,6 +2095,6 @@ r1: {
- James Moger
}
-snapshot: &r33
-release: &r32
-releases: &r[1..32]
+snapshot: &r34
+release: &r33
+releases: &r[1..33]
diff --git a/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage.html b/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage.html
index 31226ff51..2a151682b 100644
--- a/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage.html
+++ b/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage.html
@@ -37,7 +37,7 @@
Open Source Git Clients
Git | the official, command-line Git |
TortoiseGit | Windows file explorer integration (requires official, command-line Git) |
Eclipse/EGit | Git for the Eclipse IDE (based on JGit, like Gitblit) |
- Git Extensions | C# frontend for Git that features Windows Explorer and Visual Studio integration |
+ Git Extensions | C# frontend for Git that features Windows Explorer and Visual Studio integration |
GitX-dev | a Mac OS X Git client |
diff --git a/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_cs.html b/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_cs.html
index b67a4b9ad..d8fc0c1d5 100644
--- a/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_cs.html
+++ b/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_cs.html
@@ -37,7 +37,7 @@ Open Source Git klienti
Git | oficiální, z příkazové řádky |
TortoiseGit | Integrace do Průzkumníka Windows (vyžaduje oficiální řádkový Git) |
Eclipse/EGit | Git pro Eclipse IDE (založený na JGit, jako Gitblit) |
- Git Extensions | C# frontend pro Git, který obsahuje integraci do Průzkumníka Windows a do Visual Studia |
+ Git Extensions | C# frontend pro Git, který obsahuje integraci do Průzkumníka Windows a do Visual Studia |
GitX-dev | Mac OS X Git klient |
diff --git a/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_de.html b/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_de.html
index 6888e1df7..cf5262b52 100644
--- a/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_de.html
+++ b/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_de.html
@@ -37,7 +37,7 @@ Open Source Git Clients
Git | der offizielle Kommandozeilen-Git-Client |
TortoiseGit | Windows Datei Explorer Integration (erfordert den offiziellen Kommandozeilen-Client) |
Eclipse/EGit | Git für die Eclipse IDE (basiert auf JGit, ebenso wie Gitblit) |
- Git Extensions | C# Frontend für Git mit Windows Explorer und Visual Studio Integration |
+ Git Extensions | C# Frontend für Git mit Windows Explorer und Visual Studio Integration |
GitX-dev | ein Mac OS X Git Client |
diff --git a/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_es.html b/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_es.html
index af75b4eea..8c0cab56b 100644
--- a/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_es.html
+++ b/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_es.html
@@ -39,7 +39,7 @@ Clientes Git de Código abierto.
Git | El Git oficial en línea de comandos |
TortoiseGit | Explorador de archivos integrado en Windows (necesita Git oficial en línea de comandos) |
Eclipse/EGit | Git para el IDE de Eclipse (basado en JGit, como Gitblit) |
- Git Extensions | Interfaz de usuario gráfico Git en C# con integración en IE y en Visual Studio |
+ Git Extensions | Interfaz de usuario gráfico Git en C# con integración en IE y en Visual Studio |
GitX-dev | Cliente Git para Mac OS X |
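Review bot: The Git Extensions row touched here reads "con integración en IE y en Visual Studio", while every other locale in this commit describes Windows Explorer integration for the same row. "IE" looks like a mistranslation of Windows Explorer; since the line is being edited anyway, consider correcting it to refer to the Windows file explorer, as the TortoiseGit row two lines above already does ("Explorador de archivos integrado en Windows").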
diff --git a/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_it.html b/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_it.html
index 365f41351..d2bf8903e 100644
--- a/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_it.html
+++ b/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_it.html
@@ -37,7 +37,7 @@ Applicazioni client Git open source
Git | la versione ufficiale di Git, da riga di comando |
TortoiseGit | Integrazione per Windows Explorer (richiede la versione ufficiale di Git da riga di comando) |
Eclipse/EGit | Git per ambienti di sviluppo basati su Eclipse (basato su JGit, come Gitblit) |
- Git Extensions | applicazione C# che integra Git in Windows Explorer e Visual Studio |
+ Git Extensions | applicazione C# che integra Git in Windows Explorer e Visual Studio |
GitX-dev | un client Git per Mac OS X |
diff --git a/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_ja.html b/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_ja.html
index f51de7c61..5a845be06 100644
--- a/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_ja.html
+++ b/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_ja.html
@@ -37,7 +37,7 @@ ソース公開版 Git クライアント
Git | 本家コマンドライン版 Git |
TortoiseGit | Windows エクスプローラ統合型 GUI (要 本家コマンドライン版 Git) |
Eclipse/EGit | エクリプス IDE 向け Git (Gitblit に似た JGit 使用 ) |
- Git Extensions | Windows エクスプローラとVisual Studio に統合された、Git の C# 製 UI |
+ Git Extensions | Windows エクスプローラとVisual Studio に統合された、Git の C# 製 UI |
GitX-dev | Mac OS X 向け Git クライアント |
diff --git a/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_ko.html b/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_ko.html
index cd777b4b6..c56235937 100644
--- a/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_ko.html
+++ b/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_ko.html
@@ -38,7 +38,7 @@ 오픈 소스 Git 클라이언트
Git | 명령어 기반 공식 Git |
TortoiseGit | 윈도의 파일 탐색기에 통합된 UI 클라이언트 (명령어 기반 공식 Git 필요) |
Eclipse/EGit | 이클립스 IDE 플러그인 (Gitblit 과 같은 JGit 기반) |
- Git Extensions | 윈도 탐색기와 비주얼스튜디어를 위한 C#으로 개발된 기능 |
+ Git Extensions | 윈도 탐색기와 비주얼스튜디어를 위한 C#으로 개발된 기능 |
GitX-dev | 맥 OS X 용 Git 클라이언트 |
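Review bot: The changed Git Extensions row carries a spelling error forward: "비주얼스튜디어" should be "비주얼 스튜디오" (Visual Studio). As the line is already modified in this hunk, fixing the typo here avoids a separate translation-only commit.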
diff --git a/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_nl.html b/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_nl.html
index ab207d1ea..0c4eb4072 100644
--- a/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_nl.html
+++ b/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_nl.html
@@ -37,7 +37,7 @@ Open Source Git Programma's
Git | de officiele, command-line Git |
TortoiseGit | Windows bestandsverkenner integratie (officiele command-line Git is wel nodig) |
Eclipse/EGit | Git voor de Eclipse IDE (gebaseerd op JGit, zoals Gitblit) |
- Git Extensions | C# frontend voor Git met Windows Explorer en Visual Studio integratie |
+ Git Extensions | C# frontend voor Git met Windows Explorer en Visual Studio integratie |
GitX-dev | een Mac OS X Git client |
diff --git a/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_no.html b/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_no.html
index 273e15f99..48c5421f3 100644
--- a/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_no.html
+++ b/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_no.html
@@ -37,7 +37,7 @@ Open Source Git Clients
a href="http://git-scm.com">Git - den offisielle, kommando-linje git |
a href="http://tortoisegit.googlecode.com">TortoiseGit - Windows filutforsker integrasjon (krever den offisielle kommando-linje git versjonen installert |
Eclipse/EGit - Git for Eclipse IDE (basert p\u00e5 JGit, akkurat som Gitblit er) |
- Git Extensions - En C# frontend for Git som integrerer med filutforskeren og Visual Studio. |
+ Git Extensions - En C# frontend for Git som integrerer med filutforskeren og Visual Studio. |
GitX-dev - En git klient for OS X |
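Review bot: The TortoiseGit row in the context of this hunk still links to `http://tortoisegit.googlecode.com`, a Google Code host of the kind this commit replaces in design.mkd and federation.mkd. If the goal of the change is to retire dead Google Code links, that row should be updated in the same pass. The same row is also missing the closing parenthesis after "installert", and the Eclipse/EGit row shows a raw `p\u00e5` escape where the other locale files use literal characters.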
diff --git a/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_pl.html b/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_pl.html
index b50bdac34..893683e1d 100644
--- a/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_pl.html
+++ b/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_pl.html
@@ -39,7 +39,7 @@ Darmowi klienci GITa
Git | Oficjalny klient, dostępny przez linię poleceń |
TortoiseGit | Rozszerzenie eksploratora Windows (wymaga oficjalnego, dostępnego przez linię poleceń klienta) |
Eclipse/EGit | GIT dla edytora Eclipse (oparty o JGit, podobnie jak Gitblit) |
- Git Extensions | napisana w C# fasada na GIT, udostępniająca integrację dla Windows Explorer oraz Visual Studio |
+ Git Extensions | napisana w C# fasada na GIT, udostępniająca integrację dla Windows Explorer oraz Visual Studio |
GitX-dev | klient GIT na Mac OS X |
diff --git a/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_pt_BR.html b/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_pt_BR.html
index fc2012103..20fcc25cc 100644
--- a/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_pt_BR.html
+++ b/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_pt_BR.html
@@ -37,7 +37,7 @@ Alguns clients do Git que são Open Source
Git | o Git oficial através de linhas de comando |
TortoiseGit | Faz integração do Explorer do Windows com o Git (por isso requer o Git Oficial) |
Eclipse/EGit | Git para a IDE Eclipse (baseada no JGit, como o Gitblit) |
- Git Extensions | Interface (em C#) para o Git cuja a característica é a integração com o Windows Explorer e o Visual Studio |
+ Git Extensions | Interface (em C#) para o Git cuja a característica é a integração com o Windows Explorer e o Visual Studio |
GitX-dev | um Cliente do Git para Mac OS X |
diff --git a/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_ru.html b/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_ru.html
index d2461173e..d7d06906e 100644
--- a/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_ru.html
+++ b/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_ru.html
@@ -37,7 +37,7 @@ Git-клиенты с открытым исходным кодом
Git | the official, command-line Git |
TortoiseGit | Windows file explorer integration (requires official, command-line Git) |
Eclipse/EGit | Git for the Eclipse IDE (based on JGit, like Gitblit) |
- Git Extensions | C# frontend for Git that features Windows Explorer and Visual Studio integration |
+ Git Extensions | C# frontend for Git that features Windows Explorer and Visual Studio integration |
GitX-dev | a Mac OS X Git client |
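Review bot: Every table row in this hunk of the `_ru` page, including the changed Git Extensions line, is still in English, while the hunk header shows the section title is translated ("Git-клиенты с открытым исходным кодом"). This change keeps the English text in step with the default page, which is fine for this commit, but the rows should be flagged for translation so the Russian page does not stay half-localised.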
diff --git a/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_zh_CN.html b/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_zh_CN.html
index 72ce051e7..462954c8e 100644
--- a/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_zh_CN.html
+++ b/src/main/java/com/gitblit/wicket/pages/EmptyRepositoryPage_zh_CN.html
@@ -38,7 +38,7 @@ 开源 Git 客户端
Git | 官方, 命令行版本 Git |
TortoiseGit | 与 Windows 资源管理器集成 (需要官方, 命令行 Git 的支持) |
Eclipse/EGit | Git for the Eclipse IDE (基于 JGit, 类似 Gitblit) |
- Git Extensions | C# 版本的 Git 前端,与 Windows 资源管理器和 Visual Studio 集成 |
+ Git Extensions | C# 版本的 Git 前端,与 Windows 资源管理器和 Visual Studio 集成 |
GitX-dev | Mac OS X Git 客户端 |
diff --git a/src/site/design.mkd b/src/site/design.mkd
index 9ef302c16..619880ea9 100644
--- a/src/site/design.mkd
+++ b/src/site/design.mkd
@@ -15,7 +15,7 @@ The following dependencies are bundled with Gitblit.
- [Iconic](http://somerandomdude.com/work/iconic) (Creative Commons Share Alike 3.0)
- [AngularJS](http://angularjs.org) (MIT)
- [Clippy](https://github.com/mojombo/clippy) (MIT)
-- [google-code-prettify](http://code.google.com/p/google-code-prettify) (Apache 2.0)
+- [google-code-prettify](https://github.com/googlearchive/code-prettify) (Apache 2.0)
- [Commons Daemon](http://commons.apache.org/daemon) (Apache 2.0)
- [jQuery](https://jquery.org) (MIT)
- [flotr2](http://humblesoftware.com/flotr2) (BSD)
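Review bot: The replacement URL on the google-code-prettify line points into the `googlearchive` organisation, which by its name hosts archived projects. Because this list is of dependencies bundled with Gitblit, a dependency without an active upstream deserves a short remark in the list, or a tracking issue, rather than only a link swap, so that whoever maintains the bundle knows fixes will not arrive from upstream.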
@@ -38,7 +38,7 @@ The following dependencies are automatically downloaded by Gitblit GO (or alread
- [JSch - Java Secure Channel](http://www.jcraft.com/jsch) (BSD)
- [Rome](http://rome.dev.java.net) (Apache 1.1)
- [jdom](http://www.jdom.org) (Apache-style JDOM license)
-- [google-gson](http://code.google.com/google-gson) (Apache 2.0)
+- [google-gson](https://github.com/google/gson) (Apache 2.0)
- [javamail](http://kenai.com/projects/javamail) (CDDL-1.0, BSD, GPL-2.0, GNU-Classpath)
- [Groovy](http://groovy.codehaus.org) (Apache 2.0)
- [Lucene](http://lucene.apache.org) (Apache 2.0)
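Review bot: Only the google-gson link is updated in this hunk, but the surrounding context lines still point at hosts that have been shut down: `http://rome.dev.java.net` (Rome), `http://kenai.com/projects/javamail` (javamail) and `http://groovy.codehaus.org` (Groovy). Since this commit is a dead-link cleanup of the dependency list, these three should be replaced with the projects' current homes in the same change, otherwise the list stays partly unusable for anyone auditing the downloaded dependencies and their licences.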
@@ -50,14 +50,14 @@ The following dependencies are automatically downloaded by Gitblit GO (or alread
- [FreeMarker](http://www.freemarker.org) (modified BSD)
- [Waffle](http://dblock.github.io/waffle) (EPL 1.0)
- [JNA](https://github.com/twall/jna) (LGPL 2.1)
-- [Guava](https://code.google.com/p/guava-libraries) (Apache 2.0)
+- [Guava](https://github.com/google/guava) (Apache 2.0)
- [libpam4j](https://github.com/kohsuke/libpam4j) (MIT)
- [commons-codec](http://commons.apache.org/proper/commons-codec) (Apache 2.0)
- [pegdown](https://github.com/sirthias/pegdown) (Apache 2.0)
- [jedis](https://github.com/xetorthio/jedis) (MIT)
- [Mina SSHD](https://mina.apache.org) (Apache 2.0)
- [pf4j](https://github.com/decebals/pf4j) (Apache 2.0)
-- [google-guice](https://code.google.com/p/google-guice) (Apache 2.0)
+- [google-guice](https://github.com/google/guice) (Apache 2.0)
### Other Build Dependencies
- [Fancybox image viewer](http://fancybox.net) (MIT and GPL dual-licensed)
diff --git a/src/site/federation.mkd b/src/site/federation.mkd
index b802a087a..9fdcf4c6a 100644
--- a/src/site/federation.mkd
+++ b/src/site/federation.mkd
@@ -17,7 +17,7 @@ The *Gitblit 0.8.0* federation protocol adds retrieval of teams and referenced p
The *Gitblit 0.7.0* federation protocol is incompatible with the 0.6.0 federation protocol because of a change in the way timestamps are formatted.
-Gitblit 0.6.0 uses the default [google-gson](http://google-gson.googlecode.com) timestamp serializer which generates locally formatted timestamps. Unfortunately, this creates problems for distributed repositories and distributed developers. Gitblit 0.7.0 corrects this error by serializing dates to the [iso8601](http://en.wikipedia.org/wiki/ISO_8601) standard. As a result 0.7.0 is not compatible with 0.6.0. A partial backwards-compatibility fallback was considered but it would only work one direction and since the federation mechanism is bidirectional it was not implemented.
+Gitblit 0.6.0 uses the default [google-gson](https://github.com/google/gson) timestamp serializer which generates locally formatted timestamps. Unfortunately, this creates problems for distributed repositories and distributed developers. Gitblit 0.7.0 corrects this error by serializing dates to the [iso8601](http://en.wikipedia.org/wiki/ISO_8601) standard. As a result 0.7.0 is not compatible with 0.6.0. A partial backwards-compatibility fallback was considered but it would only work one direction and since the federation mechanism is bidirectional it was not implemented.
### Origin Gitblit Instance Requirements
@@ -132,7 +132,7 @@ Origin Gitblit instances can not directly track the success or failure status of
### How does it work? (Origin Gitblit Instances)
-A pulling Gitblit instance will periodically contact your Gitblit instance and will provide the token as proof that you have granted it federation access. Your Gitblit instance will decide, based on the supplied token, if the requested data should be returned to the pulling Gitblit instance. Gitblit data (user accounts, repository metadata, and server settings) are serialized as [JSON](http://json.org) using [google-gson](http://google-gson.googlecode.com) and returned to the pulling Gitblit instance. Standard Git clone and pull operations are used to transfer commits.
+A pulling Gitblit instance will periodically contact your Gitblit instance and will provide the token as proof that you have granted it federation access. Your Gitblit instance will decide, based on the supplied token, if the requested data should be returned to the pulling Gitblit instance. Gitblit data (user accounts, repository metadata, and server settings) are serialized as [JSON](http://json.org) using [google-gson](https://github.com/google/gson) and returned to the pulling Gitblit instance. Standard Git clone and pull operations are used to transfer commits.
The federation process executes using an internal administrator account, *$gitblit*. All the normal authentication and authorization processes are used for federation requests. For example, Git commands are authenticated as *$gitblit / token*.
@@ -313,7 +313,7 @@ The repositories will be put in *git.repositoriesFolder*/example4.
## Federation Client
-Instead of setting up a full-blown pulling Gitblit instance, you can also use the [federation client](http://code.google.com/p/gitblit/downloads/detail?name=%FEDCLIENT%) command-line utility. This is a packaged subset of the federation feature in a smaller, simpler command-line only tool.
+Instead of setting up a full-blown pulling Gitblit instance, you can also use the [federation client](https://github.com/gitblit/gitblit/releases/latest) command-line utility. This is a packaged subset of the federation feature in a smaller, simpler command-line only tool.
The *federation client* relies on many of the same dependencies as Gitblit and will download them on first execution.
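Review bot: The old link on the changed line ended in `?name=%FEDCLIENT%`, which named the specific federation client download; the new target `https://github.com/gitblit/gitblit/releases/latest` is the generic release page and no longer identifies which asset is the federation client. Please name the artifact in the sentence so readers pick the right file from the release. It is also worth checking whether the `%FEDCLIENT%` substitution token is still defined in the site build once this last use is removed.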
diff --git a/src/site/rpc.mkd b/src/site/rpc.mkd
index ac963a878..0e0093e84 100644
--- a/src/site/rpc.mkd
+++ b/src/site/rpc.mkd
@@ -16,7 +16,7 @@ The Gitblit JSON RPC mechanism, like the Gitblit JGit servlet, syndication/feed
The Gitblit Manager is an example Java/Swing application that allows remote management (repository and user objects) and administration (server settings) of a Gitblit server.
-This application uses a combination of RSS feeds and the JSON RPC interface, both of which are part of the [Gitblit API](http://code.google.com/p/gitblit/downloads/detail?name=%API%) library, to present live information from a Gitblit server. Some JSON RPC methods from the utility class `com.gitblit.utils.RpcUtils` are not currently used by the Gitblit Manager.
+This application uses a combination of RSS feeds and the JSON RPC interface, both of which are part of the [Gitblit API](https://github.com/gitblit/gitblit/releases/latest) library, to present live information from a Gitblit server. Some JSON RPC methods from the utility class `com.gitblit.utils.RpcUtils` are not currently used by the Gitblit Manager.
**NOTE:**
Gitblit Manager stores your login credentials **INSECURELY** in homedir/.gitblit/config.