Bug 419705

Summary: Forbidden git-log access
Product: [ECD] Orion
Reporter: Maciej Bendkowski <maciej.bendkowski>
Component: Client
Assignee: Simon Kaegi <simon_kaegi>
Status: RESOLVED FIXED
QA Contact:
Severity: major
Priority: P3
CC: Silenio_Quarti, simon_kaegi
Version: 4.0
Flags: simon_kaegi: review+
Target Milestone: 4.0 RC3
Hardware: PC
OS: Windows 7
Whiteboard:
Attachments: Revert patch (flags: none)

Description Maciej Bendkowski CLA 2013-10-17 08:57:32 EDT
With Silenio's latest changes in git-log (commit http://git.eclipse.org/c/orion/org.eclipse.orion.client.git/commit/?id=e48f54f7feef209cc5c97d0f7bc0b6e5f0689f5c) I'm unable to view the git log using links like 'Git Log', 'Show full Log'. I'm getting a 403: Forbidden access error. Debugging revealed that the root cause is URI decoding/encoding bugs in PageUtil. The scenario I was hitting:

1. Click 'Git Log' on a branch.
2. The git-log resource contains /refs/heads, where '/' is encoded using %252.
3. Git-log uses PageUtil to extract the hash resource.
4. PageUtil is decoding the resource using decodeURIComponent, hence the encoded %252 are decoded into %2F.
5. Git-log sends a GET request using the decoded resource to the server.
6. The AbstractGitHandler checks permissions, using a decoded form of the already decoded path, therefore the path is 'refs/heads/...' instead of the expected 'refs%252heads...'. The first path segment is removed, and 'heads/...' is used to check user permissions. Obviously, the user has no permissions to these URLs. The previous version worked, because the whole 'refs%252heads...' was treated as one segment, thus the 'file/...' path part was used to check permissions.

Before this bug, we were using the 'resourceRaw' form. Reverting the mentioned commit fixes the bug - obviously, we should do better than that.
Silenio, could you please take a look?
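
The decode mismatch described in steps 2-6 above, reproduced as an added example (not part of the original report and not Orion's code). The URL layout, the ref and project names, and every function name are assumptions. The sample uses standard percent-encoding, where a double-encoded '/' is `%252F`.

```javascript
// Constructed sample: the ref name travels as ONE path segment, so its '/' is
// encoded twice ('/' -> %2F -> %252F).
const ref = "refs/heads/master";
const refSegment = encodeURIComponent(encodeURIComponent(ref));
// Hypothetical layout: /gitapi/commit/<ref segment>/file/<project path>
const pageHash = "#/gitapi/commit/" + refSegment + "/file/demo-project/";

// Client variant A: decode the hash before sending it (the reported behaviour).
function resourceDecoded(hash) {
  return decodeURIComponent(hash.slice(1));
}

// Client variant B: pass the hash through untouched (the 'resourceRaw' form).
function resourceRaw(hash) {
  return hash.slice(1);
}

// Simplified stand-in for the server-side check: decode the request path once,
// split it into segments, drop the ref segment, authorize on what remains.
function permissionPath(requestPath) {
  const segments = decodeURIComponent(requestPath).split("/").filter(Boolean);
  const afterPrefix = segments.slice(2);        // skip "gitapi", "commit"
  return "/" + afterPrefix.slice(1).join("/");  // skip what should be the ref
}

// Assumption: the user is only allowed to read paths under /file/.
function statusFor(requestPath) {
  return permissionPath(requestPath).startsWith("/file/") ? 200 : 403;
}

// Run both client variants against the same check and collect the outcome.
function trace(hash) {
  return [resourceRaw, resourceDecoded].map((extract) => {
    const request = extract(hash);
    return {
      client: extract.name,
      request,
      checkedPath: permissionPath(request),
      status: statusFor(request),
    };
  });
}

console.log(trace(pageHash));
```

The extra client-side decode turns one ref segment into three on the server, so the authorization check runs on a path that begins with `heads` instead of `file`.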
Comment 1 Maciej Bendkowski CLA 2013-10-17 08:59:02 EDT
Created attachment 236595 [details]
Revert patch
Comment 2 Simon Kaegi CLA 2013-10-17 10:02:17 EDT
There's a bunch of link creation that happens in gitRepositoryExplorer.js that we need to convert to using uri templates instead. On it.
Comment 3 Silenio Quarti CLA 2013-10-17 10:25:09 EDT
As a workaround while this gets fixed, one can use the Git Log link on the related links drop down.
Comment 5 Silenio Quarti CLA 2013-10-17 15:27:49 EDT
.