From: Junio C Hamano <gitster@pobox.com>
To: Jeff King <peff@peff.net>
Cc: git@vger.kernel.org,
Konstantin Ryabitsev <konstantin@linuxfoundation.org>,
Philippe Blain <levraiphilippeblain@gmail.com>
Subject: Re: [PATCH] Docs: web server must setenv GIT_PROTOCOL for v2
Date: Thu, 09 Sep 2021 10:28:50 -0700
Message-ID: <xmqqee9x1wvh.fsf@gitster.g>
In-Reply-To: <YTiXEEEs36NCEr9S@coredump.intra.peff.net> (Jeff King's message of "Wed, 8 Sep 2021 06:57:20 -0400")
Jeff King <peff@peff.net> writes:
> On Wed, Sep 08, 2021 at 06:48:47AM -0400, Jeff King wrote:
>
>> Both of the included examples here have been tested to work. The one for
>> lighttpd is a little less direct than I'd like, but I couldn't find a
>> way to directly set an environment variable to the value of a request
>> header. From my reading of the documentation, lighttpd will set
>> HTTP_GIT_PROTOCOL automatically, but git-http-backend looks only at
>> GIT_PROTOCOL. Arguably http-backend should do this translation itself.

Nice.

These headers get HTTP_* prefixed as a security measure when servers
expose them to their configuration mechanisms because these names
are attacker controlled. I had a flawed mental model in which the
servers' configuration controls which one of these resulting HTTP_*
headers are passed to CGI and externals selectively, but if servers
pass all HTTP_* environment variables to CGI and externals without
any filtering, the patch you gave here is the most logical solution.

Will queue.

> -- >8 --
> Subject: [PATCH] http-backend: handle HTTP_GIT_PROTOCOL CGI variable
>
> When a client requests the v2 protocol over HTTP, they set the
> Git-Protocol header. Webservers will generally make that available to our
> CGI as HTTP_GIT_PROTOCOL in the environment. However, that's not
> sufficient for upload-pack, etc, to respect it; they look in
> GIT_PROTOCOL (without the HTTP_ prefix).
>
> Either the webserver or the CGI is responsible for relaying that HTTP
> header into the GIT_PROTOCOL variable. Traditionally, our tests have
> configured the webserver to do so, but that's a burden on the server
> admin. We can make this work out of the box by having the http-backend
> CGI copy the contents.
>
> Signed-off-by: Jeff King <peff@peff.net>
> ---
> http-backend.c | 4 ++++
> t/lib-httpd/apache.conf | 2 --
> 2 files changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/http-backend.c b/http-backend.c
> index b329bf63f0..2f4b4c11de 100644
> --- a/http-backend.c
> +++ b/http-backend.c
> @@ -739,6 +739,7 @@ static int bad_request(struct strbuf *hdr, const struct service_cmd *c)
> int cmd_main(int argc, const char **argv)
> {
> char *method = getenv("REQUEST_METHOD");
> + const char *proto_header;
> char *dir;
> struct service_cmd *cmd = NULL;
> char *cmd_arg = NULL;
> @@ -789,6 +790,9 @@ int cmd_main(int argc, const char **argv)
> http_config();
> max_request_buffer = git_env_ulong("GIT_HTTP_MAX_REQUEST_BUFFER",
> max_request_buffer);
> + proto_header = getenv("HTTP_GIT_PROTOCOL");
> + if (proto_header)
> + setenv(GIT_PROTOCOL_ENVIRONMENT, proto_header, 1);
>
> cmd->imp(&hdr, cmd_arg);
> return 0;
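Review bot: the value read by getenv("HTTP_GIT_PROTOCOL") comes from a request header and is handed to setenv() unchanged with the overwrite argument set to 1, so it also replaces a GIT_PROTOCOL that the web server configuration exported on purpose. Either pass 0 as the last argument so a server-set value wins, or state in the commit message that the header is meant to take precedence and why the value needs no validation at this point. The return value of setenv() is ignored as well; checking it, or using a wrapper that dies on failure, would keep a failed copy from going unnoticed.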
> diff --git a/t/lib-httpd/apache.conf b/t/lib-httpd/apache.conf
> index afa91e38b0..71761e3299 100644
> --- a/t/lib-httpd/apache.conf
> +++ b/t/lib-httpd/apache.conf
> @@ -81,8 +81,6 @@ PassEnv GIT_TRACE
> PassEnv GIT_CONFIG_NOSYSTEM
> PassEnv GIT_TEST_SIDEBAND_ALL
>
> -SetEnvIf Git-Protocol ".*" GIT_PROTOCOL=$0
> -
> Alias /dumb/ www/
> Alias /auth/dumb/ www/auth/dumb/
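Review bot: removing the SetEnvIf line means the test server no longer covers a web server that sets GIT_PROTOCOL itself, so nothing in the tests pins down which value wins when both that rule and the new copy in http-backend.c are active. A test that keeps such a rule for one location alongside the Git-Protocol header would cover servers that still carry it. The diffstat also shows no documentation change telling admins that the rule is now optional.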
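Added example, not part of the original message or of git's code: a C sketch of the mechanism discussed above, in which a CGI server renames a request header to an HTTP_-prefixed variable (RFC 3875) and the CGI then relays HTTP_GIT_PROTOCOL into GIT_PROTOCOL. The function names and the value check are assumptions made for illustration; the patch itself copies the value unchanged.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L /* for setenv() */
#endif
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFC 3875 naming: upper-case the header name, map '-' to '_', prepend
 * "HTTP_". Returns 0 on success, -1 if out is too small. */
int cgi_var_name(const char *header, char *out, size_t outlen)
{
	size_t i, n = strlen(header);
	if (n + sizeof("HTTP_") > outlen)
		return -1;
	memcpy(out, "HTTP_", 5);
	for (i = 0; i < n; i++) {
		unsigned char c = (unsigned char)header[i];
		out[5 + i] = c == '-' ? '_' : (char)toupper(c);
	}
	out[5 + n] = '\0';
	return 0;
}

/* Assumed policy (not git's): a short value drawn from a fixed character
 * set, enough for "version=2" and colon-separated key=value pairs. */
int protocol_value_ok(const char *v)
{
	static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
		"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789=:._-";
	size_t n = strlen(v);
	return n > 0 && n <= 256 && strspn(v, ok) == n;
}

/* Returns 1 if relayed, 0 if absent or refused, -1 if setenv() failed. */
int relay_git_protocol(void)
{
	const char *v = getenv("HTTP_GIT_PROTOCOL");
	if (!v || !protocol_value_ok(v))
		return 0;
	return setenv("GIT_PROTOCOL", v, 1) ? -1 : 1;
}

int main(void)
{
	char name[64];
	if (!cgi_var_name("Git-Protocol", name, sizeof(name)))
		printf("Git-Protocol -> %s\n", name); /* constructed sample header */
	return relay_git_protocol() < 0;
}
```

A request header literally named GIT_PROTOCOL maps to the same HTTP_GIT_PROTOCOL variable, so a client cannot create the unprefixed name through header naming alone; only the relay step does that.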