From: Junio C Hamano <gitster@pobox.com>
To: Knut Franke <k.franke@science-computing.de>
Cc: git@vger.kernel.org, Eric Sunshine <sunshine@sunshineco.com>
Subject: Re: [PATCH 2/2] http: use credential API to handle proxy authentication
Date: Mon, 02 Nov 2015 14:54:51 -0800
Message-ID: <xmqqbnbcdnb8.fsf@gitster.mtv.corp.google.com>
In-Reply-To: <1446483264-15123-3-git-send-email-k.franke@science-computing.de> (Knut Franke's message of "Mon, 2 Nov 2015 17:54:24 +0100")

Knut Franke <k.franke@science-computing.de> writes:

> Currently, the only way to pass proxy credentials to curl is by including them
> in the proxy URL. Usually, this means they will end up on disk unencrypted, one
> way or another (by inclusion in ~/.gitconfig, shell profile or history). Since
> proxy authentication often uses a domain user, credentials can be security
> sensitive; therefore, a safer way of passing credentials is desirable.
>
> If the configured proxy contains a username but not a password, query the
> credential API for one. Also, make sure we approve/reject proxy credentials
> properly.
>
> For consistency reasons, add parsing of http_proxy/https_proxy/all_proxy
> environment variables, which would otherwise be evaluated as a fallback by curl.
> Without this, we would have different semantics for git configuration and
> environment variables.
>
> Signed-off-by: Knut Franke <k.franke@science-computing.de>
> Reviewed-by: Junio C Hamano <gitster@pobox.com>
> Reviewed-by: Eric Sunshine <sunshine@sunshineco.com>

As 1/2, I never reviewed this version yet.

> ---
> http.c | 76 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
> http.h | 1 +
> 2 files changed, 75 insertions(+), 2 deletions(-)
>
> diff --git a/http.c b/http.c
> index 1172819..5708c7a 100644
> --- a/http.c
> +++ b/http.c
> @@ -62,7 +62,7 @@ static const char *ssl_cainfo;
> static long curl_low_speed_limit = -1;
> static long curl_low_speed_time = -1;
> static int curl_ftp_no_epsv;
> -static const char *curl_http_proxy;
> +static const char *curl_http_proxy = NULL;
> static const char *http_proxy_authmethod = NULL;

We do not do unnecessary initialization of file-scope globals to 0
or NULL. The existing definition of curl_http_proxy is correct;
the one for http_proxy_authmethod needs to be changed to match.

> static void init_curl_proxy_auth(CURL *result)
> {
> + if (proxy_auth.username) {
> + if (!proxy_auth.password)
> + credential_fill(&proxy_auth);
> +#if LIBCURL_VERSION_NUM >= 0x071301
> + curl_easy_setopt(result, CURLOPT_PROXYUSERNAME,
> + proxy_auth.username);
> + curl_easy_setopt(result, CURLOPT_PROXYPASSWORD,
> + proxy_auth.password);
> +#else
> + struct strbuf s = STRBUF_INIT;
> + strbuf_addstr_urlencode(&s, proxy_auth.username, 1);
> + strbuf_addch(&s, ':');
> + strbuf_addstr_urlencode(&s, proxy_auth.password, 1);
> + curl_proxyuserpwd = strbuf_detach(&s, NULL);
> + curl_easy_setopt(result, CURLOPT_PROXYUSERPWD, curl_proxyuserpwd);
> +#endif
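
Review bot: In the #else branch, `curl_proxyuserpwd = strbuf_detach(&s, NULL);` overwrites the pointer without freeing whatever it held before, so if init_curl_proxy_auth() runs for more than one handle, each call leaves behind a heap buffer containing the proxy password in recoverable form (it is only URL-encoded). Free the previous value before assigning, or build the string once and reuse it, and release it wherever proxy_auth is torn down; no such cleanup is visible in the quoted lines. The same branch also passes the result of credential_fill() straight into strbuf_addstr_urlencode() with no visible check that proxy_auth.password is non-NULL afterwards, which deserves either a check or a comment stating why it cannot happen.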

I think the #else clause of this thing would introduce a decl-after-stmt
compilation error.