From: Jeff King <peff@peff.net>
To: Elia Pinto <gitter.spiros@gmail.com>
Cc: git@vger.kernel.org, tboegi@web.de, ramsay@ramsayjones.plus.com,
gitster@pobox.com, sunshine@sunshineco.com
Subject: Re: [PATCHv5 0/2] Implement the GIT_TRACE_CURL environment variable
Date: Mon, 2 May 2016 14:13:47 -0400 [thread overview]
Message-ID: <20160502181347.GB8439@sigill.intra.peff.net> (raw)
In-Reply-To: <20160502142813.50868-1-gitter.spiros@gmail.com>
On Mon, May 02, 2016 at 02:28:11PM +0000, Elia Pinto wrote:
> - redo the authorization header skip with a replace of possible sensitive data.
> We prefer to print only:
> 09:00:53.238330 http.c:534 => Send header: Authorization: <redacted>
> intested of
> 09:00:53.238330 http.c:534 => Send header: Authorization: Basic(o other scheme) <redacted>
> as it was done in the original proposed suggestion by Jeff King.
> This is because i think it's better not to print even the authorization scheme.
I'm not sure I agree. If you're debugging curl's auth selection, that's
omitting an important piece of data. And unlike the actual credential, I
don't think it's particularly secret (and in many cases can be deduced
from the "WWW-Authenticate" header the server sends, coupled with curl's
code).
> We add also the (previously missing) proxy-authorization case
Good catch.
> In this series i keep the original curl_dump parsing code, even though it is
> objectively difficult to read. This is because the same code is used internally by curl
> to do "ascii-trace" and is also reported in the libcurl code examples and test.
> I think this may make maintenance of code easier in the future (libcurl
> new dev, new features and so on)
I don't agree with this line of reasoning. The code in question is
purely about how we format the output buffer, not about parsing what
curl gives us. We _should_ be diverging if we prefer a different output
format. And I don't think it's a question just of readability (though I
do agree the existing one is hard to read); it also foils the redaction
of the authorization header.
-Peff
prev parent reply other threads:[~2016-05-02 18:13 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-05-02 14:28 [PATCHv5 0/2] Implement the GIT_TRACE_CURL environment variable Elia Pinto
2016-05-02 14:28 ` [PATCHv5 1/2] http.c: implement " Elia Pinto
2016-05-02 17:03 ` Ramsay Jones
2016-05-02 18:15 ` Jeff King
2016-05-02 18:59 ` Junio C Hamano
2016-05-02 19:25 ` Jeff King
2016-05-02 19:15 ` Junio C Hamano
2016-05-02 14:28 ` [PATCHv5 2/2] imap-send.c: introduce " Elia Pinto
2016-05-02 18:13 ` Jeff King [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160502181347.GB8439@sigill.intra.peff.net \
--to=peff@peff.net \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=gitter.spiros@gmail.com \
--cc=ramsay@ramsayjones.plus.com \
--cc=sunshine@sunshineco.com \
--cc=tboegi@web.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).