
Successful login into Gitblit again under valid Redmine login and invalid password after the second login #683

Closed
gitblit opened this issue Aug 12, 2015 · 7 comments

Comments


@gitblit gitblit commented Aug 12, 2015

Originally reported on Google Code with ID 387

What steps will reproduce the problem?
1. First time successful login into Gitblit under valid Redmine account pair (login & password).
2. Close browser and open it again.
3. Successful login into Gitblit again under valid Redmine login and invalid password (!!!)

What is the expected output? What do you see instead?
I should be blocked in case of using an invalid Redmine password for a valid account.

What version of the product are you using? On what operating system?
CentOS 5 with latest updates, Gitblit 1.4.0 behind Apache reverse proxy (interconnection through AJP/13 port tcp/8009), Redmine 1.3.1

Please provide any additional information below.
I'm not sure, but it can be a global bug for all external authentication or just for Redmine.

Reported by shumal.av on 2014-03-18 04:15:29


@gitblit gitblit commented Aug 12, 2015

The second login is probably cookie authentication.  Try disabling cookies or repeating this test in two private browsing sessions.

Reported by James.Moger on 2014-03-18 12:11:14


@gitblit gitblit commented Aug 12, 2015

I'm seeing a similar issue with LDAP authentication.

Even if I delete the Gitblit and JSESSIONID cookies before trying to log in again, using an invalid password always lets me back in.

Centos 6.5
Gitblit 1.4.0

NOTE: Gitblit 1.3.2 does not exhibit this behaviour in my testing. We currently have 1.3.2 in production.

Reported by kaosagnt on 2014-03-18 23:13:54


@gitblit gitblit commented Aug 12, 2015

Hmmm.  Sounds like there is a systemic problem here.

Reported by James.Moger on 2014-03-19 00:02:12

  • Status changed: Accepted
  • Labels added: Milestone-1.4.1


@gitblit gitblit commented Aug 12, 2015

I've reproduced this in a unit test.  Fix to follow.

Reported by James.Moger on 2014-03-19 00:11:35
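The unit-test approach James mentions above, written out as an added example that is not part of the original thread or of Gitblit's code base: a Python model with a hypothetical `ExternalProvider` and `AuthService` (both assumed names, standing in for a Redmine or LDAP authenticator and the server's login front end) that runs the reporter's three steps plus kaosagnt's cookie-deletion variant and records which logins are accepted. The thread does not state the root cause of the 1.4.0 bug and this example does not model it; it pins down the behaviour a fixed service must exhibit, so it fails against any implementation that lets a stale local user record or a cookie stand in for password verification.

```python
import hashlib
import hmac
import secrets


class ExternalProvider:
    """Stand-in for an external authenticator such as Redmine or LDAP.

    Constructed credential store for the example; a real provider would
    answer over HTTP or LDAP instead of reading a dict.
    """

    def __init__(self, credentials):
        self._credentials = dict(credentials)

    def check(self, username, password):
        expected = self._credentials.get(username)
        if expected is None:
            return False
        return hmac.compare_digest(expected.encode(), password.encode())


class AuthService:
    """Hypothetical authentication front end (not Gitblit's code).

    Two distinct paths exist, as the comments in the issue discuss:
    password login, which must always be verified by the external provider,
    and cookie login, which only honours tokens this service issued.
    """

    def __init__(self, provider):
        self.provider = provider
        self.users = {}    # local copies of users seen via external auth
        self.cookies = {}  # sha256(token) -> username

    def authenticate_password(self, username, password):
        # The local record is a cache of profile data, never a credential:
        # every password login goes back to the external provider.
        if not self.provider.check(username, password):
            return None
        self.users.setdefault(username, {"username": username})
        return self.users[username]

    def issue_cookie(self, username):
        token = secrets.token_hex(16)
        self.cookies[hashlib.sha256(token.encode()).hexdigest()] = username
        return token

    def authenticate_cookie(self, token):
        if not token:
            return None
        username = self.cookies.get(hashlib.sha256(token.encode()).hexdigest())
        return self.users.get(username) if username else None


def reproduce_issue_steps():
    """Run the reporter's three steps plus kaosagnt's cookie-deletion variant
    and return which logins were accepted. A correct service accepts only
    the first password login and the genuine returning cookie."""
    # Constructed credentials for the example.
    auth = AuthService(ExternalProvider({"alice": "correct-horse"}))

    # Step 1: first login with the valid Redmine login/password pair.
    first = auth.authenticate_password("alice", "correct-horse") is not None
    cookie = auth.issue_cookie("alice")

    # A returning browser that kept the cookie is let in without a password.
    cookie_login = auth.authenticate_cookie(cookie) is not None

    # Step 2: close and reopen the browser; modelled as the client discarding
    # its cookie jar, which is what kaosagnt did by hand.
    cookie = None

    # Step 3: valid login with an invalid password must be rejected.
    second = auth.authenticate_password("alice", "wrong-password") is not None

    # With no cookie, or with a forged one, there is no session either.
    no_cookie = auth.authenticate_cookie(cookie) is not None
    forged = auth.authenticate_cookie("0" * 32) is not None

    return {
        "first_login_ok": first,
        "cookie_login_ok": cookie_login,
        "wrong_password_after_login": second,
        "no_cookie_session": no_cookie,
        "forged_cookie_session": forged,
    }


if __name__ == "__main__":
    results = reproduce_issue_steps()
    for name, accepted in results.items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
    assert not results["wrong_password_after_login"], "issue #683 regression"
```

Running the module prints which step was accepted or rejected; the returned dictionary is the surface a regression test asserts on, so the same function can be pointed at any implementation of the two `AuthService` methods. Keeping the cookie path and the password path as separate methods is what lets the test tell James's cookie hypothesis apart from a genuine password-check failure.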


@gitblit gitblit commented Aug 12, 2015

The fix has been pushed to master.  I'm firing up the release machinery.  Look for 1.4.1 shortly.

Reported by James.Moger on 2014-03-19 01:17:50

  • Status changed: Queued


@gitblit gitblit commented Aug 12, 2015

Sweet, thanks for looking into this so quickly.

Reported by kaosagnt on 2014-03-19 01:38:57


@gitblit gitblit commented Aug 12, 2015

v1.4.1 released with a critical security fix.  Please update.

Reported by James.Moger on 2014-03-19 02:15:48

  • Status changed: Done

@gitblit gitblit closed this as completed Aug 12, 2015
@flaix flaix added this to the 1.4.1 milestone Dec 13, 2016