From: Matthew DeVore <matvore@comcast.net>
To: "brian m. carlson" <sandals@crustytoothpaste.net>,
	Matthew DeVore <matvore@google.com>,
	git@vger.kernel.org, jeffhost@microsoft.com, l.s.r@web.de,
	gitster@pobox.com, spearce@spearce.org, jrn@google.com
Subject: Re: [PATCH 2/2] url: do not allow %00 to represent NULL in URLs
Date: Tue, 4 Jun 2019 10:38:18 -0700
Message-ID: <20190604173818.GL4641@comcast.net>
In-Reply-To: <20190604010243.GR8616@genre.crustytoothpaste.net>

On Tue, Jun 04, 2019 at 01:02:43AM +0000, brian m. carlson wrote:
> It looks like several of the places we do this are in the credential
> manager code, and I think I can agree that usernames and passwords
> should not contain NUL characters (for Basic auth, RFC 7617 prohibits
> it). It also seems that the credential code decodes the path parameter
> before passing it on, which is unfortunate, but can't be changed for
> backward compatibility reasons.
> 
> And then the other instances are a file: URL in remote-testsvn.c and
> query parameters that have no reason to contain NULs in http-backend.c.

OK. Good to know that there is no justification to support %00 in URLs.

> So I think overall this is fine, although we probably want to change the
> commit summary to say "NUL" instead of "NULL".

Applied for the next roll-up. Thank you for taking a look.
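As an added illustration of the two hardening points this thread discusses (rejecting %00 and never reading past the end of the buffer), here is a strict percent-decoder in C. It is example code written for this page, not Git's url.c and not the patch itself; `url_decode_strict` and `hex_val` are hypothetical names.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not from Git's url.c): value of a hex digit, or -1. */
static int hex_val(unsigned char c)
{
	if (c >= '0' && c <= '9') return c - '0';
	if (c >= 'a' && c <= 'f') return c - 'a' + 10;
	if (c >= 'A' && c <= 'F') return c - 'A' + 10;
	return -1;
}

/*
 * Percent-decode `in` (length `len`, need not be NUL-terminated) into a
 * freshly malloc'd NUL-terminated string.  Returns NULL (rejects) when:
 *  - an escape is truncated ("%4" at end of input): we stop instead of
 *    reading past in + len;
 *  - an escape has non-hex digits;
 *  - the escape is %00: a NUL inside a C string silently truncates it
 *    for every later consumer (credential helpers, path handling).
 */
char *url_decode_strict(const char *in, size_t len)
{
	char *out = malloc(len + 1);
	size_t i = 0, o = 0;

	if (!out)
		return NULL;
	while (i < len) {
		if (in[i] != '%') {
			out[o++] = in[i++];
			continue;
		}
		/* Two more bytes must exist; reject rather than overread. */
		if (len - i < 3)
			goto fail;
		int hi = hex_val((unsigned char)in[i + 1]);
		int lo = hex_val((unsigned char)in[i + 2]);
		if (hi < 0 || lo < 0 || (hi == 0 && lo == 0))
			goto fail; /* bad digit or %00 */
		out[o++] = (char)(hi * 16 + lo);
		i += 3;
	}
	out[o] = '\0';
	return out;
fail:
	free(out);
	return NULL;
}
```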
