Re: git no longer prompting for password

git.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Iain Paton <ipaton0@gmail.com>
To: Jeff King <peff@peff.net>
Cc: git@vger.kernel.org
Subject: Re: git no longer prompting for password
Date: Sun, 26 Aug 2012 15:18:11 +0100	[thread overview]
Message-ID: <503A3023.6000103@gmail.com> (raw)
In-Reply-To: <20120826101341.GA12566@sigill.intra.peff.net>

On 26/08/12 11:13, Jeff King wrote:

> Yeah, I'm surprised it took this long to come up, too. Perhaps most
> people just do anonymous http, and then rely on ssh for pushing to
> achieve the same effect. Or maybe my analysis of the problem is wrong.
> :)

I'd be using ssh to push too, but the simple fact is that the http way 
works through a proxy and so essentially works from anywhere. The same 
isn't true for ssh or git protocols. Well that's my reason anyway :)

> Yeah, I think that will work. It feels a little weird and hacky. E.g.,

Yeah, it does. I couldn't find a simple way though, most stuff like 
LocationMatch specifically excludes the query string which makes it 
rather more difficult.

> I don't know enough about Apache to know off-hand if there is a cleaner
> way. I'll investigate a bit more before doing my documentation patch.

I'm not an apache expert either. What I could find was using mod_rewrite to 
set an env var based on something in the query string, but not actually do 
any rewrite. Then looking at how to check the env var and do something based 
on that got me the example of simply using If with an expression to match 
directly on the query string.

> I think that would be cleaner. It would be even nicer if you could
> really just match "service=" as a query parameter, but I don't know that
> apache parses that at all. I also don't know if Apache does any
> canonicalization of the QUERY_STRING. When matching, you'd want to make

>From what I can tell apache really doesn't care much about the query string 
at all, it seems to just pass it through unless you start messing with it 
using mod_rewrite, but even then you're still regex based. I couldn't find 
anything that parsed out individual parameters. Of course I could just be 
looking in all the wrong places :) 

> sure there is no way of a client sneaking in a parameter that git would
> understand to mean a push, but that your pattern would not notice (so,
> e.g., just matching "git-receive-pack$" would not be sufficient, as I

yep, and matching on THE_REQUEST gets you the whole string, including the 
HTTP/1.1 on the end. I tried putting the $ on the end of the regex and it 
didn't work. 
It should be possible to combine the original regex from the LocationMatch 
example and something like /[?&]service=git-receive-pack/ though, which 
should make it somewhat safer.

> No problem. I'll probably be a day or two on the patches, as the http
> tests are in need of some refactoring before adding more tests. But in
> the meantime, I think your config change is a sane work-around.

Works-For-Me is all I need right now :)  I'll be interested if you come 
up with something better though.

Iain

next prev parent reply	other threads:[~2012-08-26 14:19 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-08-24 20:19 git no longer prompting for password Iain Paton
2012-08-24 21:25 ` Jeff King
     [not found]   ` <5038E781.1090008@gmail.com>
2012-08-25 20:39     ` Jeff King
2012-08-26  9:57       ` Iain Paton
2012-08-26 10:13         ` Jeff King
2012-08-26 14:18           ` Iain Paton [this message]
2012-08-27 13:21           ` [PATCH 0/8] fix password prompting for "half-auth" servers Jeff King
2012-08-27 13:23             ` [PATCH 1/8] t5550: put auth-required repo in auth/dumb Jeff King
2012-08-27 13:24             ` [PATCH 2/8] t5550: factor out http auth setup Jeff King
2012-08-27 13:24             ` [PATCH 3/8] t/lib-httpd: only route auth/dumb to dumb repos Jeff King
2012-08-27 13:25             ` [PATCH 4/8] t/lib-httpd: recognize */smart/* repos as smart-http Jeff King
2012-08-27 13:25             ` [PATCH 5/8] t: test basic smart-http authentication Jeff King
2012-08-27 13:25             ` [PATCH 6/8] t: test http access to "half-auth" repositories Jeff King
2012-08-27 13:26             ` [PATCH 7/8] http: factor out http error code handling Jeff King
2012-08-28 18:06               ` Junio C Hamano
2012-08-27 13:27             ` [PATCH 8/8] http: prompt for credentials on failed POST Jeff King
2012-08-27 17:48               ` Junio C Hamano
2012-08-27 21:49                 ` Jeff King
2012-08-27 23:29                   ` Junio C Hamano
2012-08-27 17:14             ` [PATCH 0/8] fix password prompting for "half-auth" servers Junio C Hamano
2012-08-27  8:28         ` git no longer prompting for password Iain Paton
2012-08-27 13:33           ` BJ Hargrave

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=503A3023.6000103@gmail.com \
    --to=ipaton0@gmail.com \
    --cc=git@vger.kernel.org \
    --cc=peff@peff.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).