From: Jakub Narebski <jnareb@gmail.com>
To: Sitaram Chamarty <sitaramc@gmail.com>
Cc: "Ævar Arnfjörð Bjarmason" <avarab@gmail.com>,
"Ilari Liusvaara" <ilari.liusvaara@elisanet.fi>,
"Jonathan Nieder" <jrnieder@gmail.com>,
git@vger.kernel.org, "Shawn O. Pearce" <spearce@spearce.org>,
"Tarmigan Casebolt" <tarmigan+git@gmail.com>
Subject: Re: [PATCH] Add ERR support to smart HTTP
Date: Mon, 6 Sep 2010 18:31:58 +0200
Message-ID: <201009061832.00512.jnareb@gmail.com>
In-Reply-To: <AANLkTi=jqpspQvz6--CGfVEpP8raD7RpNGgMs6KabXfS@mail.gmail.com>

Sitaram Chamarty wrote:
> On Mon, Sep 6, 2010 at 2:19 PM, Jakub Narebski <jnareb@gmail.com> wrote:
> > Nevertheless I think it would be a good idea to make *client* more
> > accepting, which means:
> > 1. Printing full HTTP status, and not only HTTP return / error code;
> > perhaps only if it is non-standard, and perhaps only in --verbose
> > mode.
> > 2. If message body contains ERR line, print error message even if the
> > HTTP status was other than "200 OK". To be "generous in what you
> > receive" (well, kind of).
> > 3. In verbose mode, if body of HTTP error message (not "HTTP OK")
> > exists and does not contain ERR line (e.g. an error from web server),
> > print it in full (perhaps indented).
> >
> > I think that neither of the above would lead to leaking sensitive
> > information.
>
> I didn't understand this bit about leaking info. If the bits are
> coming into my machine I know what they are anyway (or am able to find
> out easily enough, even if git itself isn't showing them to me).
> Where's the leak?

I meant here that programs (including git) do not provide full details
about error condition, especially if it has to do something with
authentication, to avoid leaking sensitive information (like e.g.
saying that username + password combination is invalid, instead of
telling which one is wrong, to avoid disclosing usernames).
--
Jakub Narebski
Poland
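
Points 2 and 3 of the quoted list, as an added example that is not part of the original message or of git's own code: a client-side check that looks for an ERR packet in a response body whatever the HTTP status was, and reports when the body is not pkt-line data at all (for instance a web server's error page). The names `find_err_line` and `hexval` are hypothetical, and masking control bytes before the text reaches a terminal is an assumption of this sketch.

```c
#include <stddef.h>
#include <string.h>

static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;                          /* not a hex digit */
}

/*
 * Walk a response body as pkt-lines: 4 hex digits giving the packet length
 * (the 4 digits included), then the payload; "0000" is a flush packet.
 * Returns 1 if an "ERR " packet was found (message copied to out), 0 if the
 * body is well-formed pkt-lines without ERR, -1 if it is not pkt-line data.
 */
int find_err_line(const char *body, size_t len, char *out, size_t outsz)
{
    size_t pos = 0;
    while (pos < len) {
        size_t plen = 0, n, i;
        if (len - pos < 4 || outsz == 0)
            return -1;
        for (i = 0; i < 4; i++) {
            int v = hexval((unsigned char)body[pos + i]);
            if (v < 0) return -1;       /* e.g. "<htm" from an HTML page */
            plen = plen * 16 + (size_t)v;
        }
        if (plen == 0) { pos += 4; continue; }   /* flush packet */
        if (plen < 4 || plen > len - pos)
            return -1;                  /* bogus or truncated length */
        if (plen >= 8 && memcmp(body + pos + 4, "ERR ", 4) == 0) {
            n = plen - 8;
            if (n > 0 && body[pos + plen - 1] == '\n')
                n--;                    /* drop the trailing newline */
            if (n >= outsz) n = outsz - 1;
            for (i = 0; i < n; i++) {   /* assumption: mask control bytes */
                unsigned char c = (unsigned char)body[pos + 8 + i];
                out[i] = (c < 0x20 || c == 0x7f) ? '?' : (char)c;
            }
            out[n] = '\0';
            return 1;
        }
        pos += plen;
    }
    return 0;
}
```

A return of -1 is the case where a client in verbose mode would show the raw body instead, as in point 3.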