Merge branch 'stable-2.13'

* stable-2.13:
  Filter Git LFS HTTP requests through auth filter

Change-Id: Ie30440231c4a14b3be4be575cb0b05f91811d57d

gerrit-httpd/src/main/java/com/google/gerrit/httpd/GitOverHttpModule.java

@@ -15,6 +15,7 @@
 package com.google.gerrit.httpd;
 
 import static com.google.gerrit.extensions.client.AuthType.OAUTH;
+import static com.google.gerrit.httpd.plugins.LfsPluginServlet.LFS_REST;
 
 import com.google.gerrit.reviewdb.client.CoreDownloadSchemes;
 import com.google.gerrit.server.config.AuthConfig;
@@ -25,6 +26,9 @@ import javax.servlet.Filter;
 
 /** Configures Git access over HTTP with authentication. */
 public class GitOverHttpModule extends ServletModule {
+  private static final String LFS_URL_REGEX =
+      "^(?:(?!/a/))" + LFS_REST;
+
   private final AuthConfig authConfig;
   private final DownloadConfig downloadConfig;
 
@@ -55,6 +59,7 @@ public class GitOverHttpModule extends ServletModule {
       serveRegex(git).with(GitOverHttpServlet.class);
     }
 
+    filterRegex(LFS_URL_REGEX).through(authFilter);
     filter("/a/*").through(authFilter);
   }
 

gerrit-httpd/src/main/java/com/google/gerrit/httpd/plugins/LfsPluginServlet.java

@@ -53,7 +53,10 @@ public class LfsPluginServlet extends HttpServlet
   private static final long serialVersionUID = 1L;
   private static final Logger log = LoggerFactory.getLogger(LfsPluginServlet.class);
 
-  public static final String URL_REGEX = "^(?:/a)?(?:/p/|/)(.+)(?:/info/lfs/objects/batch)$";
+  public static final String LFS_REST =
+      "(?:/p/|/)(.+)(?:/info/lfs/objects/batch)$";
+  public static final String URL_REGEX =
+      "^(?:/a)?" + LFS_REST;
 
   private static final String CONTENTTYPE_VND_GIT_LFS_JSON =
       "application/vnd.git-lfs+json; charset=utf-8";