git.vger.kernel.org archive mirror
* git clone over http with basic auth bug?
@ 2012-09-21 23:37 Paul J R
  2012-09-22  5:09 ` Jeff King
  0 siblings, 1 reply; 4+ messages in thread
From: Paul J R @ 2012-09-21 23:37 UTC
  To: git

Hi All,

I'm not sure if this is a bug, or just "as implemented". But when cloning 
from a repo sitting on a web site that uses basic auth, the git client 
appears to forget its authentication info and ignores the 401's the 
server is sending back. It appears to initially login and get refs and 
HEAD ok, but after that it never authenticates again. Using a .netrc 
file this will work (or a url of the form http://user:pass@host though 
http://user@host won't), but I'm curious if there's a way of doing this 
without having to expose the password in some way?

I'm using git 1.7.9.5 and when I clone I get the following:

$ git clone http://host/gitrepo/repo.git/
Cloning into 'repo'...
Username for 'http://host': user
Password for 'http://user@host':
error: The requested URL returned error: 401 (curl_result = 22, http_code = 401, sha1 = f7748ec924c30b4472132dabcf318d3c420a1a15)
error: Unable to find f7748ec924c30b4472132dabcf318d3c420a1a15 under http://host/gitrepo/repo.git
Cannot obtain needed commit f7748ec924c30b4472132dabcf318d3c420a1a15
while processing commit 1283f0d8043b7aafc4edd1c4627d465a92355a49.
error: Fetch failed.

And on the server side, the logs show:
x.x.x.x - - [22/Sep/2012:09:03:21 +1000] "GET /gitrepo/repo.git/info/refs?service=git-upload-pack HTTP/1.1" 401 708 "-" "git/1.7.9.5"
x.x.x.x - user [22/Sep/2012:09:03:21 +1000] "GET /gitrepo/repo.git/info/refs?service=git-upload-pack HTTP/1.1" 200 406 "-" "git/1.7.9.5"
x.x.x.x - user [22/Sep/2012:09:03:21 +1000] "GET /gitrepo/repo.git/HEAD HTTP/1.1" 200 233 "-" "git/1.7.9.5"
x.x.x.x - user [22/Sep/2012:09:03:21 +1000] "GET /gitrepo/repo.git/objects/12/83f0d8043b7aafc4edd1c4627d465a92355a49 HTTP/1.1" 200 415 "-" "git/1.7.9.5"
x.x.x.x - - [22/Sep/2012:09:03:21 +1000] "GET /gitrepo/repo.git/objects/f7/748ec924c30b4472132dabcf318d3c420a1a15 HTTP/1.1" 401 708 "-" "git/1.7.9.5"
x.x.x.x - user [22/Sep/2012:09:03:21 +1000] "GET /gitrepo/repo.git/objects/c1/2f6404116fba31590dccad46b9dbb35de615a9 HTTP/1.1" 200 505 "-" "git/1.7.9.5"
x.x.x.x - - [22/Sep/2012:09:03:21 +1000] "GET /gitrepo/repo.git/objects/f7/fc6c45d465000483425bfe5f8d52e561b5e376 HTTP/1.1" 401 708 "-" "git/1.7.9.5"
x.x.x.x - - [22/Sep/2012:09:03:21 +1000] "GET /gitrepo/repo.git/objects/16/2cac064671b4058eab103d697c15f98da14d54 HTTP/1.1" 401 708 "-" "git/1.7.9.5"
x.x.x.x - - [22/Sep/2012:09:03:21 +1000] "GET /gitrepo/repo.git/objects/af/63ba2c594c08f17d1114c1c1cdc6f48d561e59 HTTP/1.1" 401 708 "-" "git/1.7.9.5"
x.x.x.x - - [22/Sep/2012:09:03:21 +1000] "GET /gitrepo/repo.git/objects/7e/2300a52c3dc9ecad58226c4f78f9d091e85a00 HTTP/1.1" 401 708 "-" "git/1.7.9.5"
x.x.x.x - - [22/Sep/2012:09:03:21 +1000] "GET /gitrepo/repo.git/objects/c0/312c337c661aecf299a4a4f5378b1809bd2c44 HTTP/1.1" 401 708 "-" "git/1.7.9.5"
x.x.x.x - - [22/Sep/2012:09:03:21 +1000] "GET /gitrepo/repo.git/objects/97/3e5550bd73275eea820a40067f9da5853c6e5d HTTP/1.1" 401 708 "-" "git/1.7.9.5"
x.x.x.x - - [22/Sep/2012:09:03:21 +1000] "GET /gitrepo/repo.git/objects/info/packs HTTP/1.1" 401 708 "-" "git/1.7.9.5"
x.x.x.x - - [22/Sep/2012:09:03:21 +1000] "GET /gitrepo/repo.git/objects/00/6b5267c3b2f11136aedd8b4698e4c22e6c341c HTTP/1.1" 401 708 "-" "git/1.7.9.5"
x.x.x.x - - [22/Sep/2012:09:03:21 +1000] "GET /gitrepo/repo.git/objects/55/a5ba763c58c6fa196b97fa5f637198f8e56c07 HTTP/1.1" 401 708 "-" "git/1.7.9.5"
x.x.x.x - - [22/Sep/2012:09:03:21 +1000] "GET /gitrepo/repo.git/objects/66/86a522a4f1d2fb93da34c676de85867fb3ab96 HTTP/1.1" 401 708 "-" "git/1.7.9.5"
x.x.x.x - - [22/Sep/2012:09:03:21 +1000] "GET /gitrepo/repo.git/objects/info/http-alternates HTTP/1.1" 401 708 "-" "git/1.7.9.5"
x.x.x.x - - [22/Sep/2012:09:03:21 +1000] "GET /gitrepo/repo.git/objects/info/alternates HTTP/1.1" 401 708 "-" "git/1.7.9.5"


* Re: git clone over http with basic auth bug?
  2012-09-21 23:37 git clone over http with basic auth bug? Paul J R
@ 2012-09-22  5:09 ` Jeff King
  2012-09-22 20:43   ` Paul J R
  0 siblings, 1 reply; 4+ messages in thread
From: Jeff King @ 2012-09-22  5:09 UTC
  To: Paul J R; +Cc: git

On Sat, Sep 22, 2012 at 09:37:38AM +1000, Paul J R wrote:

> I'm not sure if this is a bug, or just "as implemented". But when
> cloning from a repo sitting on a web site that uses basic auth, the
> git client appears to forget its authentication info and ignores the
> 401's the server is sending back. It appears to initially login and
> get refs and HEAD ok, but after that it never authenticates again.
> Using a .netrc file this will work (or a url of the form
> http://user:pass@host though http://user@host won't), but I'm curious
> if there's a way of doing this without having to expose the password
> in some way?
> 
> I'm using git 1.7.9.5 and when I clone I get the following:
> [...]

From your logs, it looks like you are using the "dumb" http protocol
(wherein the server does not have to understand git at all). In this
protocol, we end up making multiple simultaneous requests for objects
with different curl handles. We had a bug where not all handles are told
about the credential (but it doesn't always happen; it depends on the
exact pattern of requests).

This was fixed by dfa1725 (fix http auth with multiple curl handles,
2012-04-10), which is in git v1.7.10.2 and higher.

Can you try upgrading to see if that fixes your problem?

-Peff
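
A server-side check for the failure described in the reply above, as an added example that is not part of the original thread or of git: it scans an access log for dumb-HTTP object requests that drew a 401 with no user and were never served with credentials, from a client that had already authenticated. The function names, the 192.0.2.10 address and the sample log entries are constructed for illustration; the version threshold is the v1.7.10.2 named in the reply.

```python
import re

# Apache "combined" log line from a git client, the format quoted in this thread.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "git/(?P<ver>\d+(?:\.\d+)*)')
# Files only a dumb-HTTP fetch requests: loose objects, objects/info/*, packs.
DUMB_PATH = re.compile(
    r'/objects/(?:[0-9a-f]{2}/[0-9a-f]{38}|info/[\w-]+'
    r'|pack/pack-[0-9a-f]{40}\.(?:pack|idx))$')
FIXED_IN = (1, 7, 10, 2)  # v1.7.10.2, the release named in the reply above

def unanswered_challenges(log_text):
    """Map (ip, git version) -> dumb-HTTP paths that drew a credential-less 401
    and were never served with credentials, for clients that did log in."""
    challenged, served, authed = {}, set(), set()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        client = (m['ip'], m['ver'])
        if m['status'] == '401' and m['user'] == '-':
            if DUMB_PATH.search(m['path']):
                challenged[(client, m['path'])] = True  # dict keeps log order
        elif m['status'].startswith('2') and m['user'] != '-':
            served.add((client, m['path']))
            authed.add(client)
    report = {}
    for client, path in challenged:
        if client in authed and (client, path) not in served:
            report.setdefault(client, []).append(path)
    return report

def predates_fix(version):
    """True if a dotted git version string is older than FIXED_IN."""
    return tuple(int(p) for p in version.split('.')) < FIXED_IN

def sample_entry(user, path, status):  # builds one constructed log line
    return (f'192.0.2.10 - {user} [22/Sep/2012:09:03:21 +1000] '
            f'"GET /gitrepo/repo.git/{path} HTTP/1.1" {status} 708 "-" "git/1.7.9.5"')

# Constructed sample with the same shape as the log in the thread (not real data).
SAMPLE_LOG = "\n".join([
    sample_entry("-", "info/refs?service=git-upload-pack", 401),
    sample_entry("user", "info/refs?service=git-upload-pack", 200),
    sample_entry("user", "objects/12/" + "a" * 38, 200),
    sample_entry("-", "objects/f7/" + "b" * 38, 401),
    sample_entry("-", "objects/info/packs", 401),
])
```

A 401 that is followed by an authenticated 2xx for the same path is treated as an ordinary challenge and not reported, and a client that never authenticates at all is left to failed-login monitoring rather than flagged here.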


* Re: git clone over http with basic auth bug?
  2012-09-22  5:09 ` Jeff King
@ 2012-09-22 20:43   ` Paul J R
  2012-09-23 17:21     ` Shawn Pearce
  0 siblings, 1 reply; 4+ messages in thread
From: Paul J R @ 2012-09-22 20:43 UTC
  To: Jeff King; +Cc: git

Indeed, that's correct, I should have tried a newer version really before 
I posted cause I do pull the main git repo and it would have been 
relatively easy.

Newer version did indeed fix the problem.

It hadn't occurred to me that git-http-backend behaves differently to the 
"dumb" http protocol on read (though that was from reading the git 
source so I obviously missed what was going on there). Ultimately I'm 
writing a little webapp that wraps around git-http-backend for some git 
repository management and on reads I've been just "acting like 
webserver" but on writes I throw off to git-http-backend. But seeing it 
do authenticated reads properly via git-http-backend I'm going to change 
how it functions, cause that does work with older clients.

Thanks!


* Re: git clone over http with basic auth bug?
  2012-09-22 20:43   ` Paul J R
@ 2012-09-23 17:21     ` Shawn Pearce
  0 siblings, 0 replies; 4+ messages in thread
From: Shawn Pearce @ 2012-09-23 17:21 UTC
  To: Paul J R; +Cc: Jeff King, git

On Sat, Sep 22, 2012 at 1:43 PM, Paul J R <me@pjr.cc> wrote:
> It hadn't occurred to me that git-http-backend behaves differently to the
> "dumb" http protocol on read (though that was from reading the git source so
> I obviously missed what was going on there). Ultimately I'm writing a little
> webapp that wraps around git-http-backend for some git repository management
> and on reads I've been just "acting like webserver" but on writes I throw
> off to git-http-backend. But seeing it do authenticated reads properly via
> git-http-backend I'm going to change how it functions, cause that does work
> with older clients.

It works back as far as 1.6.6 as a client. Clients before 1.6.6 can't
use git-http-backend. Fortunately 1.6.6 is pretty old, it's nearly 3
years ago (Dec 23, 2009).
