From: Jeff King <peff@peff.net>
To: Johannes Schindelin <Johannes.Schindelin@gmx.de>
Cc: David Turner <David.Turner@twosigma.com>,
Junio C Hamano <gitster@pobox.com>,
"git@vger.kernel.org" <git@vger.kernel.org>,
"sandals@crustytoothpaste.net" <sandals@crustytoothpaste.net>,
Eric Sunshine <sunshine@sunshineco.com>
Subject: Re: [PATCH 2/2] http: add an "auto" mode for http.emptyauth
Date: Sat, 25 Feb 2017 14:15:06 -0500
Message-ID: <20170225191506.4it7pdsi6ijanfft@sigill.intra.peff.net>
In-Reply-To: <alpine.DEB.2.20.1702251243390.3767@virtualbox>

On Sat, Feb 25, 2017 at 12:48:54PM +0100, Johannes Schindelin wrote:
> Hi,
>
> On Wed, 22 Feb 2017, Jeff King wrote:
>
> > [two beautiful patches]
>
> I applied them and verified that the reported issue is fixed. Thank you!
>
> Hopefully you do not mind that I cherry-picked them in preparation for
> Git for Windows v2.12.0?

No, I don't mind. I'm happy that more people with a non-Basic setup are
verifying that they work. :)

Of the changes:

> diff --git a/http.c b/http.c
> index f8eb0f23d6c..fb94c444c80 100644
> --- a/http.c
> +++ b/http.c
> @@ -334,7 +334,10 @@ static int http_options(const char *var, const char *value, void *cb)
> return git_config_string(&user_agent, var, value);
>
> if (!strcmp("http.emptyauth", var)) {
> - curl_empty_auth = git_config_bool(var, value);
> + if (value && !strcmp("auto", value))
> + curl_empty_auth = -1;
> + else
> + curl_empty_auth = git_config_bool(var, value);
> return 0;
> }
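
Review bot: The "auto" test in http_options() uses a case-sensitive
strcmp(), while the git_config_bool() fallback accepts boolean spellings
in any case, so "http.emptyauth = Auto" falls through to the boolean
parser and is rejected as an invalid value. Either compare with
strcasecmp() or state in the config documentation that only lowercase
"auto" is recognized. The bare -1 would also read better as a named
constant, since curl_empty_auth now carries three states.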

Obviously good, I should have included this in the original.

> +#ifndef LIBCURL_CAN_HANDLE_AUTH_ANY
> + /*
> + * Our libcurl is too old to do AUTH_ANY in the first place;
> + * just default to turning the feature off.
> + */
> #else
> - /*
> - * Our libcurl is too old to do AUTH_ANY in the first place;
> - * just default to turning the feature off.
> - */
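
Review bot: The "#ifndef LIBCURL_CAN_HANDLE_AUTH_ANY" branch now holds
only a comment, so "turning the feature off" depends entirely on the
function's final "return 0;" after the "#endif". Say so in the comment
(for example "fall through to the return 0 below"), so that a later edit
to the tail of the function does not silently change the old-libcurl
behaviour.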

The ifdef reordering here is good.

> + /*
> + * In the automatic case, kick in the empty-auth
> + * hack as long as we would potentially try some
> + * method more exotic than "Basic".
> + *
> + * But only do this when this is our second or
> + * subsequent * request, as by then we know what
> + * methods are available.
> + */
> + if (http_auth_methods_restricted)
> + switch (http_auth_methods) {
> + case CURLAUTH_BASIC:
> + case CURLAUTH_DIGEST:
> +#ifdef CURLAUTH_DIGEST_IE
> + case CURLAUTH_DIGEST_IE:
> #endif
> [...]
> + return 0;
> + default:
> + return 1;
> + }
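
Review bot: The comment in the new block reads "subsequent * request";
the "*" is a leftover from rewrapping and should be dropped. The
"if (http_auth_methods_restricted)" also governs the whole multi-line
switch without braces; add braces so the fall-through to the code after
the block is explicit.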

This is an improvement over my basic-only, but I think you actually want
to bitmask here. A server which advertises only BASIC|DIGEST should not
do empty-auth, but wouldn't match your switch statement.

Patch below.

> Now, how to get this into upstream Git, too? Jeff, do you want to submit a
> v2? In that case, would you please consider the fixup! I mentioned above?
> Otherwise I'd be happy to take it from here.

I don't mind doing a v2. I'm unsure of whether we want to default to
"auto" or not upstream. It seems from your releases that you think it is
safe enough to do in Windows. And I guess nobody outside of that is
really doing NTLM. So it's OK, I guess?

<shrug> I don't have enough information to make an intelligent opinion,
so I'm happy to defer.

I'll send my v2 in a minute. Here's the interdiff/fixup if you need to
apply it separately:

diff --git a/http.c b/http.c
index 523c43cf9..dd637d031 100644
--- a/http.c
+++ b/http.c
@@ -126,6 +126,13 @@ static int ssl_cert_password_required;
#ifdef LIBCURL_CAN_HANDLE_AUTH_ANY
static unsigned long http_auth_methods = CURLAUTH_ANY;
static int http_auth_methods_restricted;
+/* Modes for which empty_auth cannot actually help us. */
+static unsigned long empty_auth_useless =
+ CURLAUTH_BASIC
+#ifdef CURLAUTH_DIGEST_IE
+ | CURLAUTH_DIGEST_IE
+#endif
+ | CURLAUTH_DIGEST;
#endif
static struct curl_slist *pragma_header;
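
Review bot: empty_auth_useless is initialized once and never written to
in this patch, so declare it "static const unsigned long" to let the
compiler reject accidental modification of the mask. The comment says
"Modes"; "auth methods" would match the naming of http_auth_methods
next to it.
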
@@ -400,23 +407,15 @@ static int curl_empty_auth_enabled(void)
/*
* In the automatic case, kick in the empty-auth
* hack as long as we would potentially try some
- * method more exotic than "Basic".
+ * method more exotic than "Basic" or "Digest".
*
* But only do this when this is our second or
* subsequent * request, as by then we know what
* methods are available.
*/
- if (http_auth_methods_restricted)
- switch (http_auth_methods) {
- case CURLAUTH_BASIC:
- case CURLAUTH_DIGEST:
-#ifdef CURLAUTH_DIGEST_IE
- case CURLAUTH_DIGEST_IE:
-#endif
- return 0;
- default:
- return 1;
- }
+ if (http_auth_methods_restricted &&
+ (http_auth_methods & ~empty_auth_useless))
+ return 1;
#endif
return 0;
}
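
Review bot: The test "http_auth_methods & ~empty_auth_useless" is a
deny-list: any bit outside Basic/Digest, including a method this code
does not know about, switches empty auth on. If the intent is to enable
it only for the methods where it helps, mask against an explicit
allow-list instead, or extend the comment to say that treating every
other bit as "exotic" is deliberate. The stray "*" in
"subsequent * request" is still present in the context lines and can be
fixed in the same change.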