From: Junio C Hamano <gitster@pobox.com>
To: Quentin Bouget <ypsah@devyard.org>
Cc: git@vger.kernel.org
Subject: Re: [PATCH 2/2] http: prevent redirect from dropping credentials during reauth
Date: Sun, 04 Feb 2024 14:51:54 -0800 [thread overview]
Message-ID: <xmqq8r3zonat.fsf@gitster.g> (raw)
In-Reply-To: <20240204185427.39664-3-ypsah@devyard.org> (Quentin Bouget's message of "Sun, 4 Feb 2024 19:54:27 +0100")
Quentin Bouget <ypsah@devyard.org> writes:
> During a re-authentication (second attempt at authenticating with a
> remote, e.g. after a failed GSSAPI attempt), git allows the remote to
> provide credential overrides in the redirect URL and unconditionnaly
> drops the current HTTP credentials in favors of those, even when there
> aren't any.
>
> This commit makes it so HTTP credentials are only overridden when the
> redirect URL actually contains credentials itself.
"This commit makes it so" -> "Make it so"
> + char *username = NULL, *password = NULL;
> +
> + if (http_auth.username)
> + username = xstrdup(http_auth.username);
> + if (http_auth.password)
> + password = xstrdup(http_auth.password);
Not a huge deal, but we have xstrdup_or_null() helper function
exactly for a use case like this.
> credential_from_url(&http_auth, options->base_url->buf);
> +
> + if (http_auth.username)
> + free(username);
> + else if (username)
> + http_auth.username = username;
> +
> + if (http_auth.password)
> + free(password);
> + else if (password)
> + http_auth.password = password;
This is an interesting change. I wonder what breaks if we
completely ignored such credential materials forced by the remote
via a redirect?
> url = options->effective_url->buf;
> }
> }
Thanks.
next prev parent reply other threads:[~2024-02-04 22:51 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-04 18:54 [PATCH 0/2] Fix gitlab's token-based authentication w/ kerberos Quentin Bouget
2024-02-04 18:54 ` [PATCH 1/2] http: only reject basic auth credentials once they have been tried Quentin Bouget
2024-02-04 22:47 ` Junio C Hamano
2024-02-05 3:03 ` Quentin Bouget
2024-02-05 5:47 ` Patrick Steinhardt
2024-02-04 18:54 ` [PATCH 2/2] http: prevent redirect from dropping credentials during reauth Quentin Bouget
2024-02-04 22:36 ` brian m. carlson
2024-02-05 3:01 ` Quentin Bouget
2024-02-05 22:18 ` brian m. carlson
2024-02-05 22:52 ` rsbecker
2024-02-04 22:51 ` Junio C Hamano [this message]
2024-02-05 3:06 ` Quentin Bouget
2024-02-04 23:01 ` rsbecker
2024-02-05 3:12 ` Quentin Bouget
2024-02-05 9:22 ` Robert Coup
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xmqq8r3zonat.fsf@gitster.g \
--to=gitster@pobox.com \
--cc=git@vger.kernel.org \
--cc=ypsah@devyard.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.