From: Derrick Stolee <derrickstolee@github.com>
To: Johannes Schindelin <Johannes.Schindelin@gmx.de>
Cc: Junio C Hamano <gitster@pobox.com>,
Derrick Stolee via GitGitGadget <gitgitgadget@gmail.com>,
git@vger.kernel.org, peff@peff.net, me@ttaylorr.com,
avarab@gmail.com, christian.couder@gmail.com, jrnieder@gmail.com,
"brian m. carlson" <sandals@crustytoothpaste.net>,
Robert Coup <robert.coup@koordinates.com>
Subject: Re: [PATCH] urlmatch: create fetch.credentialsInUrl config
Date: Tue, 24 May 2022 16:14:08 -0400 [thread overview]
Message-ID: <9318a400-479f-4029-c10b-3bfe498fcbb7@github.com> (raw)
In-Reply-To: <nycvar.QRO.7.76.6.2205241343390.352@tvgsbejvaqbjf.bet>
On 5/24/2022 7:46 AM, Johannes Schindelin wrote:
> Hi Stolee,
>
> On Mon, 23 May 2022, Derrick Stolee wrote:
>
>> On 5/23/2022 3:06 PM, Junio C Hamano wrote:
>>> "Derrick Stolee via GitGitGadget" <gitgitgadget@gmail.com> writes:
>>>
>>>> +static void detected_credentials_in_url(const char *url, size_t scheme_len)
>>>> +{
>>>> + char *value = NULL;
>>>> + const char *at_ptr;
>>>> + const char *colon_ptr;
>>>> + struct strbuf anonymized = STRBUF_INIT;
>>>> +
>>>> + /* "ignore" is the default behavior. */
>>>> + if (git_config_get_string("fetch.credentialsinurl", &value) ||
>>>> + !strcasecmp("ignore", value))
>>>> + goto cleanup;
>>>> +
>>>> + at_ptr = strchr(url, '@');
>>>> + colon_ptr = strchr(url + scheme_len + 3, ':');
>>>
>>> We expect that at_ptr would come after colon_ptr (i.e. in
>>> "scheme://<u>:<p>@host", no @ exists in <u> or <p> part) and the
>>> while() loop below assumes that for redacting.
>
> Careful here. https://me@there.com:9999/ _is_ a valid URL, too.
Thanks for checking. The method should not be called unless the
password region was already detected. I'll add a BUG() statement and
a comment to prevent future callers from providing incorrect URLs.
I can also add a test to show that this warning is not output when
the only colon is for the port number.
>>> Are we better off if we assert it here, or has the calling parser
>>> already rejected such cases?
>>
>> This computation of at_ptr matches the one in url_normalize_1(),
>> so it at least agrees about where the "username[:password]" section
>> could be. That does mean that the password cannot contain an "@"
>> symbol (unless it is special-cased somehow?).
>
> The password cannot contain a literal `@`, and neither can the user name.
> They have to be URL-encoded, via `%40`.
Thanks!
-Stolee
next prev parent reply other threads:[~2022-05-24 20:14 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-23 18:04 [PATCH] urlmatch: create fetch.credentialsInUrl config Derrick Stolee via GitGitGadget
2022-05-23 19:06 ` Junio C Hamano
2022-05-23 20:31 ` Derrick Stolee
2022-05-23 21:14 ` Junio C Hamano
2022-05-24 11:46 ` Johannes Schindelin
2022-05-24 20:14 ` Derrick Stolee [this message]
2022-05-23 20:37 ` Junio C Hamano
2022-05-24 11:51 ` Johannes Schindelin
2022-05-24 8:18 ` Ævar Arnfjörð Bjarmason
2022-05-24 13:50 ` Derrick Stolee
2022-05-24 21:01 ` Ævar Arnfjörð Bjarmason
2022-05-25 14:03 ` Derrick Stolee
2022-05-24 11:42 ` Johannes Schindelin
2022-05-24 20:16 ` Derrick Stolee
2022-05-27 13:27 ` [PATCH v2] " Derrick Stolee via GitGitGadget
2022-05-27 14:22 ` Ævar Arnfjörð Bjarmason
2022-05-27 14:43 ` Derrick Stolee
2022-05-27 18:09 ` Junio C Hamano
2022-05-27 18:40 ` Junio C Hamano
2022-05-30 0:16 ` Junio C Hamano
2022-05-31 13:32 ` Derrick Stolee
2022-06-01 1:16 ` [PATCH v3 0/2] fetch: " Derrick Stolee via GitGitGadget
2022-06-01 1:16 ` [PATCH v3 1/2] remote: " Derrick Stolee via GitGitGadget
2022-06-01 19:19 ` Ævar Arnfjörð Bjarmason
2022-06-02 13:38 ` Derrick Stolee
2022-06-01 1:16 ` [PATCH v3 2/2] usage: add warn_once() helper for repeated warnings Derrick Stolee via GitGitGadget
2022-06-01 12:29 ` Ævar Arnfjörð Bjarmason
2022-06-01 18:42 ` Derrick Stolee
2022-06-01 19:33 ` Ævar Arnfjörð Bjarmason
2022-06-02 13:43 ` Derrick Stolee
2022-06-01 20:21 ` Junio C Hamano
2022-06-02 14:24 ` Derrick Stolee
2022-06-02 17:53 ` Junio C Hamano
2022-06-01 20:40 ` Junio C Hamano
2022-06-02 17:20 ` [PATCH v4] remote: create fetch.credentialsInUrl config Derrick Stolee via GitGitGadget
2022-06-02 21:20 ` Junio C Hamano
2022-06-03 12:54 ` Derrick Stolee
2022-06-06 15:37 ` Junio C Hamano
2022-06-06 14:36 ` [PATCH v5] " Derrick Stolee via GitGitGadget
2022-06-06 16:34 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9318a400-479f-4029-c10b-3bfe498fcbb7@github.com \
--to=derrickstolee@github.com \
--cc=Johannes.Schindelin@gmx.de \
--cc=avarab@gmail.com \
--cc=christian.couder@gmail.com \
--cc=git@vger.kernel.org \
--cc=gitgitgadget@gmail.com \
--cc=gitster@pobox.com \
--cc=jrnieder@gmail.com \
--cc=me@ttaylorr.com \
--cc=peff@peff.net \
--cc=robert.coup@koordinates.com \
--cc=sandals@crustytoothpaste.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.