From: 王小建 <littlejian8@gmail.com>
To: Daniel Stenberg <daniel@haxx.se>
Cc: Jeff King <peff@peff.net>, git@vger.kernel.org, lj167647@alibaba-inc.com
Subject: Re: git clone with basic auth in url directly returns authentication failure after 401 received under some git versions
Date: Mon, 22 Aug 2022 11:35:10 +0800 [thread overview]
Message-ID: <CADmGLV0F==7ep-xZKd2crZLi8JnFBFVkdX9Bi2T63NECcSAbVw@mail.gmail.com> (raw)
In-Reply-To: <o4sp3o6-75sp-o12o-2p29-r94s2s769r47@unkk.fr>
Thank you very much for your answer!
And now I tried to add CURLOPT_UNRESTRICTED_AUTH but it failed.
Here are a few examples of what I've tried.
1. docker run -it -e CURLOPT_UNRESTRICTED_AUTH=1 5de1a96efc49 clone
http://xxx:xxx@xxx/xxx/xxx
2. echo CURLOPT_UNRESTRICTED_AUTH=1 > $HOME/.curlrc
I wonder if it's the way I'm trying to do it wrong
Daniel Stenberg <daniel@haxx.se> 于2022年8月21日周日 06:32写道:
>
> On Sat, 20 Aug 2022, Jeff King wrote:
>
> > The curl change seems to be from 620ea2141 (transfer: redirects to other
> > protocols or ports clear auth, 2022-04-25). The goal is to avoid leaking
> > credentials between ports: https://curl.se/docs/CVE-2022-27774.html
> >
> > So that makes sense, though I wonder if curl ought to make an exception
> > for moving from 80 to 443 and http to https?
>
> Nice research there Jeff, and yes this seems entirely correct.
>
> We stopped curl from following such redirects because of the reasons stated in
> the security advisory for that CVE. We quite simply realized that when curl
> previously did that, it was actually doing more than what was documented and
> what can be considered reasonably safe.
>
> Following a redirect to another protocol and another port, even if it is still
> on the same host name, might very well connect and use another server run by
> someone else than the one reached first. We therefore now consider that second
> host+port+protocol combo a different host.
>
> Setting CURLOPT_UNRESTRICTED_AUTH is then the only way to make libcurl send
> the credentials again after such a redirect.
>
> I would not mind having a discussion in the curl project to see if we should
> possibly consider adding a middle-ground where we allow sending credentials to
> another port for the same host name, but I am personally NOT sold on the idea.
> I think such redirects should rather be fixed and avoided - since I believe
> users will not understand the security implications of doing them.
>
> --
>
> / daniel.haxx.se
next prev parent reply other threads:[~2022-08-22 3:35 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-20 2:51 git clone with basic auth in url directly returns authentication failure after 401 received under some git versions 王小建
2022-08-20 8:44 ` Jeff King
2022-08-20 11:59 ` 王小建
2022-08-20 22:32 ` Daniel Stenberg
2022-08-22 3:35 ` 王小建 [this message]
2022-08-22 9:07 ` Jeff King
2022-08-22 9:04 ` Jeff King
2022-08-22 22:11 ` brian m. carlson
2022-08-23 20:16 ` Jeff King
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CADmGLV0F==7ep-xZKd2crZLi8JnFBFVkdX9Bi2T63NECcSAbVw@mail.gmail.com' \
--to=littlejian8@gmail.com \
--cc=daniel@haxx.se \
--cc=git@vger.kernel.org \
--cc=lj167647@alibaba-inc.com \
--cc=peff@peff.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).