Originally reported on Google Code with ID 222
>> What steps will reproduce the problem?
1. In gitblit.properties, set web.authenticateViewPages to true
2. Point your browser at https://gitblit.<mydomain>
3. Now there is an HTML page asking me to log in first... but I can see that it has
GitBlit version 1.2.1 running; this gives an attacker their first piece of information
>> What is the expected output? What do you see instead?
I want only a popup asking me for my username/password before anything is shown.
That is, it should respond with a 401 status code and request (basic) authentication:
HTTP/1.1 401 Access Denied
WWW-Authenticate: Basic realm="My Server"
Content-Length: 0
>> What version of the product are you using? On what operating system?
GitBlit 1.2.1
The absence of this feature is a deal-breaker for integrating it into our IT environment,
as it does not meet our safety standards.
Reported by laurensvrijnsen on 2013-03-18 09:52:36
This question comes from the open-source project: gitblit/gitblit
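
The behaviour requested in the report can be checked mechanically. The following is an added example, not part of the original report and not Gitblit code: it audits a raw HTTP response sent to an anonymous client for the 401/Basic challenge and for version strings. The sample responses, the function name and the version pattern are assumptions constructed for illustration.

```python
import re
from email.parser import Parser

# Constructed sample responses (not captured from a real server).
LOGIN_PAGE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><form>...</form><div>Gitblit v1.2.1</div></body></html>"
)
CHALLENGE = (
    "HTTP/1.1 401 Access Denied\r\n"
    'WWW-Authenticate: Basic realm="My Server"\r\n'
    "Content-Length: 0\r\n"
    "\r\n"
)

# Assumed banner pattern: a product name followed by a dotted version number.
VERSION_RE = re.compile(r"\b[A-Za-z][\w-]*\s*v?\d+\.\d+(?:\.\d+)*\b")


def audit_unauthenticated_response(raw):
    """Return a list of findings for a raw response sent to an anonymous client."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    parts = status_line.split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    headers = Parser().parsestr(header_block, headersonly=True)

    findings = []
    if status != 401:
        findings.append(f"status is {status}, expected 401")
    challenge = headers.get("WWW-Authenticate", "")
    if not challenge.lower().startswith("basic "):
        findings.append("no Basic WWW-Authenticate challenge")
    if body.strip():
        findings.append("response body is not empty")
    # Check the body and the headers that commonly carry product banners.
    for where, text in (("body", body),
                        ("Server", headers.get("Server", "")),
                        ("X-Powered-By", headers.get("X-Powered-By", ""))):
        match = VERSION_RE.search(text)
        if match:
            findings.append(f"version disclosed in {where}: {match.group(0)}")
    return findings
```

An empty list means the response matches what the report asks for; each finding names one way the response gives information to a client that has not authenticated.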