* [PATCH 0/3] http: add support for HTTP 429 rate limit retries
@ 2025-11-26 12:30 Vaidas Pilkauskas via GitGitGadget
2025-11-26 12:30 ` [PATCH 1/3] " Vaidas Pilkauskas via GitGitGadget
` (3 more replies)
0 siblings, 4 replies; 49+ messages in thread
From: Vaidas Pilkauskas via GitGitGadget @ 2025-11-26 12:30 UTC (permalink / raw)
To: git; +Cc: Vaidas Pilkauskas
This patch series adds support for handling HTTP 429 (Too Many Requests)
responses in Git's HTTP client with automatic retry logic.
Git hosting services can implement rate limiting to protect their
infrastructure. When these limits are reached, servers respond with HTTP 429
status codes, potentially including a Retry-After header to indicate when
the client should retry. Currently, Git treats these responses as fatal
errors, forcing users to manually retry their operations.
This series implements automatic retry support with three new configuration
options:
* http.maxRetries: Controls the maximum number of retry attempts (default:
0, opt-in behavior)
* http.retryAfter: Provides a fallback delay when the server doesn't
include a Retry-After header (default: -1, fail if no header)
* http.maxRetryTime: Sets an upper limit on any single retry delay
(default: 300 seconds) to prevent indefinite blocking
The implementation includes:
Patch 1: Core HTTP 429 retry logic with support for RFC-compliant
Retry-After headers (both delay-seconds and HTTP-date formats),
comprehensive configuration options, and fail-fast behavior for excessive
delays. Includes extensive test coverage.
Patch 2: Fixes a pre-existing memory leak in show_http_message() that became
more visible with the new retry logic.
Patch 3: Adds trace2 instrumentation to enable monitoring and debugging of
retry operations in production environments.
The retry behavior is disabled by default (maxRetries = 0), requiring
explicit opt-in, ensuring backward compatibility while providing a robust
solution for environments that need rate limit handling.
There was a previous attempt to add retry support [1], which was not merged.
It had support for 50x status codes. Should they be supported here too?
[1] https://lore.kernel.org/git/20201012184806.166251-3-smcallis@google.com/
Vaidas Pilkauskas (3): http: add support for HTTP 429 rate limit retries
remote-curl: fix memory leak in show_http_message() http: add trace2 logging
for retry operations
Documentation/config/http.adoc | 24 ++ http-push.c | 8 + http-walker.c | 5 +
http.c | 171 ++++++++++++- http.h | 2 + remote-curl.c | 18 +- t/meson.build
| 1 + t/t5584-http-429-retry.sh | 429 +++++++++++++++++++++++++++++++++ 8
files changed, 650 insertions(+), 8 deletions(-) create mode 100755
t/t5584-http-429-retry.sh
-- 2.50.1
Vaidas Pilkauskas (3):
http: add support for HTTP 429 rate limit retries
remote-curl: fix memory leak in show_http_message()
http: add trace2 logging for retry operations
Documentation/config/http.adoc | 24 ++
http-push.c | 8 +
http-walker.c | 5 +
http.c | 171 ++++++++++++-
http.h | 2 +
remote-curl.c | 18 +-
t/meson.build | 1 +
t/t5584-http-429-retry.sh | 429 +++++++++++++++++++++++++++++++++
8 files changed, 650 insertions(+), 8 deletions(-)
create mode 100755 t/t5584-http-429-retry.sh
base-commit: 6ab38b7e9cc7adafc304f3204616a4debd49c6e9
Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-2008%2Fvaidas-shopify%2Fretry-after-v1
Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-2008/vaidas-shopify/retry-after-v1
Pull-Request: https://github.com/gitgitgadget/git/pull/2008
--
gitgitgadget
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH 1/3] http: add support for HTTP 429 rate limit retries
2025-11-26 12:30 [PATCH 0/3] http: add support for HTTP 429 rate limit retries Vaidas Pilkauskas via GitGitGadget
@ 2025-11-26 12:30 ` Vaidas Pilkauskas via GitGitGadget
2025-12-09 23:15 ` Taylor Blau
2025-11-26 12:30 ` [PATCH 2/3] remote-curl: fix memory leak in show_http_message() Vaidas Pilkauskas via GitGitGadget
` (2 subsequent siblings)
3 siblings, 1 reply; 49+ messages in thread
From: Vaidas Pilkauskas via GitGitGadget @ 2025-11-26 12:30 UTC (permalink / raw)
To: git; +Cc: Vaidas Pilkauskas, Vaidas Pilkauskas
From: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
Add retry logic for HTTP 429 (Too Many Requests) responses to handle
server-side rate limiting gracefully. When Git's HTTP client receives
a 429 response, it can now automatically retry the request after an
appropriate delay, respecting the server's rate limits.
The implementation supports the RFC-compliant Retry-After header in
both delay-seconds (integer) and HTTP-date (RFC 2822) formats. If a
past date is provided, Git retries immediately without waiting.
Retry behavior is controlled by three new configuration options:
* http.maxRetries: Maximum number of retry attempts (default: 0,
meaning retries are disabled by default). Users must explicitly
opt-in to retry behavior.
* http.retryAfter: Default delay in seconds when the server doesn't
provide a Retry-After header (default: -1, meaning fail if no
header is provided). This serves as a fallback mechanism.
* http.maxRetryTime: Maximum delay in seconds for a single retry
(default: 300). If the server requests a delay exceeding this
limit, Git fails immediately rather than waiting. This prevents
indefinite blocking on unreasonable server requests.
All three options can be overridden via environment variables:
GIT_HTTP_MAX_RETRIES, GIT_HTTP_RETRY_AFTER, and
GIT_HTTP_MAX_RETRY_TIME.
The retry logic implements a fail-fast approach: if any delay
(whether from server header or configuration) exceeds maxRetryTime,
Git fails immediately with a clear error message rather than capping
the delay. This provides better visibility into rate limiting issues.
The implementation includes extensive test coverage for basic retry
behavior, Retry-After header formats (integer and HTTP-date),
configuration combinations, maxRetryTime limits, invalid header
handling, environment variable overrides, and edge cases.
Signed-off-by: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
---
Documentation/config/http.adoc | 24 ++
http-push.c | 8 +
http-walker.c | 5 +
http.c | 149 +++++++++++-
http.h | 2 +
remote-curl.c | 4 +
t/meson.build | 1 +
t/t5584-http-429-retry.sh | 429 +++++++++++++++++++++++++++++++++
8 files changed, 618 insertions(+), 4 deletions(-)
create mode 100755 t/t5584-http-429-retry.sh
diff --git a/Documentation/config/http.adoc b/Documentation/config/http.adoc
index 9da5c298cc..9e3c888df4 100644
--- a/Documentation/config/http.adoc
+++ b/Documentation/config/http.adoc
@@ -315,6 +315,30 @@ http.keepAliveCount::
unset, curl's default value is used. Can be overridden by the
`GIT_HTTP_KEEPALIVE_COUNT` environment variable.
+http.retryAfter::
+ Default wait time in seconds before retrying when a server returns
+ HTTP 429 (Too Many Requests) without a Retry-After header. If set
+ to -1 (the default), Git will fail immediately when encountering
+ a 429 response without a Retry-After header. When a Retry-After
+ header is present, its value takes precedence over this setting.
+ Can be overridden by the `GIT_HTTP_RETRY_AFTER` environment variable.
+ See also `http.maxRetries` and `http.maxRetryTime`.
+
+http.maxRetries::
+ Maximum number of times to retry after receiving HTTP 429 (Too Many
+ Requests) responses. Set to 0 (the default) to disable retries.
+ Can be overridden by the `GIT_HTTP_MAX_RETRIES` environment variable.
+ See also `http.retryAfter` and `http.maxRetryTime`.
+
+http.maxRetryTime::
+ Maximum time in seconds to wait for a single retry attempt when
+ handling HTTP 429 (Too Many Requests) responses. If the server
+ requests a delay (via Retry-After header) or if `http.retryAfter`
+ is configured with a value that exceeds this maximum, Git will fail
+ immediately rather than waiting. Default is 300 seconds (5 minutes).
+ Can be overridden by the `GIT_HTTP_MAX_RETRY_TIME` environment
+ variable. See also `http.retryAfter` and `http.maxRetries`.
+
http.noEPSV::
A boolean which disables using of EPSV ftp command by curl.
This can be helpful with some "poor" ftp servers which don't
diff --git a/http-push.c b/http-push.c
index d86ce77119..a602a302ec 100644
--- a/http-push.c
+++ b/http-push.c
@@ -716,6 +716,10 @@ static int fetch_indices(void)
case HTTP_MISSING_TARGET:
ret = 0;
break;
+ case HTTP_RATE_LIMITED:
+ error("rate limited by '%s', please try again later", repo->url);
+ ret = -1;
+ break;
default:
ret = -1;
}
@@ -1548,6 +1552,10 @@ static int remote_exists(const char *path)
case HTTP_MISSING_TARGET:
ret = 0;
break;
+ case HTTP_RATE_LIMITED:
+ error("rate limited by '%s', please try again later", url);
+ ret = -1;
+ break;
case HTTP_ERROR:
error("unable to access '%s': %s", url, curl_errorstr);
/* fallthrough */
diff --git a/http-walker.c b/http-walker.c
index e886e64866..9f06f47de1 100644
--- a/http-walker.c
+++ b/http-walker.c
@@ -414,6 +414,11 @@ static int fetch_indices(struct walker *walker, struct alt_base *repo)
repo->got_indices = 1;
ret = 0;
break;
+ case HTTP_RATE_LIMITED:
+ error("rate limited by '%s', please try again later", repo->base);
+ repo->got_indices = 0;
+ ret = -1;
+ break;
default:
repo->got_indices = 0;
ret = -1;
diff --git a/http.c b/http.c
index 41f850db16..212805cad5 100644
--- a/http.c
+++ b/http.c
@@ -22,6 +22,7 @@
#include "object-file.h"
#include "odb.h"
#include "tempfile.h"
+#include "date.h"
static struct trace_key trace_curl = TRACE_KEY_INIT(CURL);
static int trace_curl_data = 1;
@@ -149,6 +150,14 @@ static char *cached_accept_language;
static char *http_ssl_backend;
static int http_schannel_check_revoke = 1;
+
+/* Retry configuration */
+static long http_retry_after = -1; /* Default retry-after in seconds when header is missing (-1 means not set, exit with 128) */
+static long http_max_retries = 0; /* Maximum number of retry attempts (0 means retries are disabled) */
+static long http_max_retry_time = 300; /* Maximum time to wait for a single retry (default 5 minutes) */
+
+/* Store retry_after value from 429 responses for retry logic (-1 = not set, 0 = retry immediately, >0 = delay in seconds) */
+static long last_retry_after = -1;
/*
* With the backend being set to `schannel`, setting sslCAinfo would override
* the Certificate Store in cURL v7.60.0 and later, which is not what we want
@@ -209,13 +218,14 @@ static inline int is_hdr_continuation(const char *ptr, const size_t size)
return size && (*ptr == ' ' || *ptr == '\t');
}
-static size_t fwrite_wwwauth(char *ptr, size_t eltsize, size_t nmemb, void *p UNUSED)
+static size_t fwrite_wwwauth(char *ptr, size_t eltsize, size_t nmemb, void *p)
{
size_t size = eltsize * nmemb;
struct strvec *values = &http_auth.wwwauth_headers;
struct strbuf buf = STRBUF_INIT;
const char *val;
size_t val_len;
+ struct active_request_slot *slot = (struct active_request_slot *)p;
/*
* Header lines may not come NULL-terminated from libcurl so we must
@@ -257,6 +267,47 @@ static size_t fwrite_wwwauth(char *ptr, size_t eltsize, size_t nmemb, void *p UN
goto exit;
}
+ /* Parse Retry-After header for rate limiting */
+ if (skip_iprefix_mem(ptr, size, "retry-after:", &val, &val_len)) {
+ strbuf_add(&buf, val, val_len);
+ strbuf_trim(&buf);
+
+ if (slot && slot->results) {
+ /* Parse the retry-after value (delay-seconds or HTTP-date) */
+ char *endptr;
+ long retry_after;
+
+ errno = 0;
+ retry_after = strtol(buf.buf, &endptr, 10);
+
+ /* Check if it's a valid integer (delay-seconds format) */
+ if (endptr != buf.buf && *endptr == '\0' &&
+ errno != ERANGE && retry_after > 0) {
+ slot->results->retry_after = retry_after;
+ } else {
+ /* Try parsing as HTTP-date format */
+ timestamp_t timestamp;
+ int offset;
+ if (!parse_date_basic(buf.buf, ×tamp, &offset)) {
+ /* Successfully parsed as date, calculate delay from now */
+ timestamp_t now = time(NULL);
+ if (timestamp > now) {
+ slot->results->retry_after = (long)(timestamp - now);
+ } else {
+ /* Past date means retry immediately */
+ slot->results->retry_after = 0;
+ }
+ } else {
+ /* Failed to parse as either delay-seconds or HTTP-date */
+ warning(_("unable to parse Retry-After header value: '%s'"), buf.buf);
+ }
+ }
+ }
+
+ http_auth.header_is_last_match = 1;
+ goto exit;
+ }
+
/*
* This line could be a continuation of the previously matched header
* field. If this is the case then we should append this value to the
@@ -575,6 +626,21 @@ static int http_options(const char *var, const char *value,
return 0;
}
+ if (!strcmp("http.retryafter", var)) {
+ http_retry_after = git_config_int(var, value, ctx->kvi);
+ return 0;
+ }
+
+ if (!strcmp("http.maxretries", var)) {
+ http_max_retries = git_config_int(var, value, ctx->kvi);
+ return 0;
+ }
+
+ if (!strcmp("http.maxretrytime", var)) {
+ http_max_retry_time = git_config_int(var, value, ctx->kvi);
+ return 0;
+ }
+
/* Fall back on the default ones */
return git_default_config(var, value, ctx, data);
}
@@ -1422,6 +1488,10 @@ void http_init(struct remote *remote, const char *url, int proactive_auth)
set_long_from_env(&curl_tcp_keepintvl, "GIT_TCP_KEEPINTVL");
set_long_from_env(&curl_tcp_keepcnt, "GIT_TCP_KEEPCNT");
+ set_long_from_env(&http_retry_after, "GIT_HTTP_RETRY_AFTER");
+ set_long_from_env(&http_max_retries, "GIT_HTTP_MAX_RETRIES");
+ set_long_from_env(&http_max_retry_time, "GIT_HTTP_MAX_RETRY_TIME");
+
curl_default = get_curl_handle();
}
@@ -1871,6 +1941,10 @@ static int handle_curl_result(struct slot_results *results)
}
return HTTP_REAUTH;
}
+ } else if (results->http_code == 429) {
+ /* Store the retry_after value for use in retry logic */
+ last_retry_after = results->retry_after;
+ return HTTP_RATE_LIMITED;
} else {
if (results->http_connectcode == 407)
credential_reject(the_repository, &proxy_auth);
@@ -1886,6 +1960,8 @@ int run_one_slot(struct active_request_slot *slot,
struct slot_results *results)
{
slot->results = results;
+ /* Initialize retry_after to -1 (not set) */
+ results->retry_after = -1;
if (!start_active_slot(slot)) {
xsnprintf(curl_errorstr, sizeof(curl_errorstr),
"failed to start HTTP request");
@@ -2149,6 +2225,7 @@ static int http_request(const char *url,
}
curl_easy_setopt(slot->curl, CURLOPT_HEADERFUNCTION, fwrite_wwwauth);
+ curl_easy_setopt(slot->curl, CURLOPT_HEADERDATA, slot);
accept_language = http_get_accept_language_header();
@@ -2253,19 +2330,36 @@ static int update_url_from_redirect(struct strbuf *base,
return 1;
}
+/*
+ * Sleep for the specified number of seconds before retrying.
+ */
+static void sleep_for_retry(long retry_after)
+{
+ if (retry_after > 0) {
+ unsigned int remaining;
+ warning(_("rate limited, waiting %ld seconds before retry"), retry_after);
+ remaining = sleep(retry_after);
+ while (remaining > 0) {
+ /* Sleep was interrupted, continue sleeping */
+ remaining = sleep(remaining);
+ }
+ }
+}
+
static int http_request_reauth(const char *url,
void *result, int target,
struct http_get_options *options)
{
int i = 3;
int ret;
+ int rate_limit_retries = http_max_retries;
if (always_auth_proactively())
credential_fill(the_repository, &http_auth, 1);
ret = http_request(url, result, target, options);
- if (ret != HTTP_OK && ret != HTTP_REAUTH)
+ if (ret != HTTP_OK && ret != HTTP_REAUTH && ret != HTTP_RATE_LIMITED)
return ret;
if (options && options->effective_url && options->base_url) {
@@ -2276,7 +2370,7 @@ static int http_request_reauth(const char *url,
}
}
- while (ret == HTTP_REAUTH && --i) {
+ while ((ret == HTTP_REAUTH || ret == HTTP_RATE_LIMITED) && --i) {
/*
* The previous request may have put cruft into our output stream; we
* should clear it out before making our next request.
@@ -2302,7 +2396,54 @@ static int http_request_reauth(const char *url,
BUG("Unknown http_request target");
}
- credential_fill(the_repository, &http_auth, 1);
+ if (ret == HTTP_RATE_LIMITED) {
+ /* Handle rate limiting with retry logic */
+ int retry_attempt = http_max_retries - rate_limit_retries + 1;
+
+ if (rate_limit_retries <= 0) {
+ /* Retries are disabled or exhausted */
+ if (http_max_retries > 0) {
+ error(_("too many rate limit retries, giving up"));
+ }
+ return HTTP_ERROR;
+ }
+
+ /* Decrement retries counter */
+ rate_limit_retries--;
+
+ /* Use the stored retry_after value or configured default */
+ if (last_retry_after >= 0) {
+ /* Check if retry delay exceeds maximum allowed */
+ if (last_retry_after > http_max_retry_time) {
+ error(_("rate limited (HTTP 429) requested %ld second delay, "
+ "exceeds http.maxRetryTime of %ld seconds"),
+ last_retry_after, http_max_retry_time);
+ last_retry_after = -1; /* Reset after use */
+ return HTTP_ERROR;
+ }
+ sleep_for_retry(last_retry_after);
+ last_retry_after = -1; /* Reset after use */
+ } else {
+ /* No Retry-After header provided */
+ if (http_retry_after < 0) {
+ /* Not configured - exit with error */
+ error(_("rate limited (HTTP 429) and no Retry-After header provided. "
+ "Configure http.retryAfter or set GIT_HTTP_RETRY_AFTER."));
+ return HTTP_ERROR;
+ }
+ /* Check if configured default exceeds maximum allowed */
+ if (http_retry_after > http_max_retry_time) {
+ error(_("configured http.retryAfter (%ld seconds) exceeds "
+ "http.maxRetryTime (%ld seconds)"),
+ http_retry_after, http_max_retry_time);
+ return HTTP_ERROR;
+ }
+ /* Use configured default retry-after value */
+ sleep_for_retry(http_retry_after);
+ }
+ } else if (ret == HTTP_REAUTH) {
+ credential_fill(the_repository, &http_auth, 1);
+ }
ret = http_request(url, result, target, options);
}
diff --git a/http.h b/http.h
index f9d4593404..eb40456450 100644
--- a/http.h
+++ b/http.h
@@ -20,6 +20,7 @@ struct slot_results {
long http_code;
long auth_avail;
long http_connectcode;
+ long retry_after;
};
struct active_request_slot {
@@ -167,6 +168,7 @@ struct http_get_options {
#define HTTP_REAUTH 4
#define HTTP_NOAUTH 5
#define HTTP_NOMATCHPUBLICKEY 6
+#define HTTP_RATE_LIMITED 7
/*
* Requests a URL and stores the result in a strbuf.
diff --git a/remote-curl.c b/remote-curl.c
index 69f919454a..5959461cd3 100644
--- a/remote-curl.c
+++ b/remote-curl.c
@@ -529,6 +529,10 @@ static struct discovery *discover_refs(const char *service, int for_push)
show_http_message(&type, &charset, &buffer);
die(_("unable to access '%s' with http.pinnedPubkey configuration: %s"),
transport_anonymize_url(url.buf), curl_errorstr);
+ case HTTP_RATE_LIMITED:
+ show_http_message(&type, &charset, &buffer);
+ die(_("rate limited by '%s', please try again later"),
+ transport_anonymize_url(url.buf));
default:
show_http_message(&type, &charset, &buffer);
die(_("unable to access '%s': %s"),
diff --git a/t/meson.build b/t/meson.build
index dc43d69636..98bd6949e6 100644
--- a/t/meson.build
+++ b/t/meson.build
@@ -698,6 +698,7 @@ integration_tests = [
't5581-http-curl-verbose.sh',
't5582-fetch-negative-refspec.sh',
't5583-push-branches.sh',
+ 't5584-http-429-retry.sh',
't5600-clone-fail-cleanup.sh',
't5601-clone.sh',
't5602-clone-remote-exec.sh',
diff --git a/t/t5584-http-429-retry.sh b/t/t5584-http-429-retry.sh
new file mode 100755
index 0000000000..8bcc382763
--- /dev/null
+++ b/t/t5584-http-429-retry.sh
@@ -0,0 +1,429 @@
+#!/bin/sh
+
+test_description='test HTTP 429 Too Many Requests retry logic'
+
+. ./test-lib.sh
+
+. "$TEST_DIRECTORY"/lib-httpd.sh
+
+start_httpd
+
+test_expect_success 'setup test repository' '
+ test_commit initial &&
+ git clone --bare . "$HTTPD_DOCUMENT_ROOT_PATH/repo.git" &&
+ git --git-dir="$HTTPD_DOCUMENT_ROOT_PATH/repo.git" config http.receivepack true
+'
+
+test_expect_success 'HTTP 429 with retries disabled (maxRetries=0) fails immediately' '
+ write_script "$HTTPD_ROOT_PATH/one-time-script" <<-\EOF &&
+ printf "Status: 429 Too Many Requests\r\n"
+ printf "Retry-After: 1\r\n"
+ printf "Content-Type: text/plain\r\n"
+ printf "\r\n"
+ printf "Rate limited\n"
+ cat "$1" >/dev/null
+ EOF
+
+ # Set maxRetries to 0 (disabled)
+ test_config http.maxRetries 0 &&
+ test_config http.retryAfter 1 &&
+
+ # Should fail immediately without any retry attempt
+ test_must_fail git ls-remote "$HTTPD_URL/one_time_script/repo.git" 2>err &&
+
+ # Verify no retry happened (no "waiting" message in stderr)
+ ! grep -i "waiting.*retry" err &&
+
+ # The one-time script will be consumed on first request (not a retry)
+ test_path_is_missing "$HTTPD_ROOT_PATH/one-time-script"
+'
+
+test_expect_success 'HTTP 429 permanent should fail after max retries' '
+ # Install a permanent error script to prove retries are limited
+ write_script "$HTTPD_ROOT_PATH/http-429-permanent.sh" <<-\EOF &&
+ printf "Status: 429 Too Many Requests\r\n"
+ printf "Retry-After: 1\r\n"
+ printf "Content-Type: text/plain\r\n"
+ printf "\r\n"
+ printf "Permanently rate limited\n"
+ EOF
+
+ # Enable retries with a limit
+ test_config http.maxRetries 2 &&
+
+ # Git should retry but eventually fail when 429 persists
+ test_must_fail git ls-remote "$HTTPD_URL/error/http-429-permanent.sh/repo.git" 2>err
+'
+
+test_expect_success 'HTTP 429 with Retry-After is retried and succeeds' '
+ # Create a one-time script that returns 429 with Retry-After header
+ # on the first request. Subsequent requests will succeed.
+ # This contrasts with the permanent 429 above - proving retry works
+ write_script "$HTTPD_ROOT_PATH/one-time-script" <<-\EOF &&
+ # Return HTTP 429 response instead of git response
+ printf "Status: 429 Too Many Requests\r\n"
+ printf "Retry-After: 1\r\n"
+ printf "Content-Type: text/plain\r\n"
+ printf "\r\n"
+ printf "Rate limited - please retry after 1 second\n"
+ # Output something different from input so the script gets removed
+ cat "$1" >/dev/null
+ EOF
+
+ # Enable retries
+ test_config http.maxRetries 3 &&
+
+ # Git should retry after receiving 429 and eventually succeed
+ git ls-remote "$HTTPD_URL/one_time_script/repo.git" >output 2>err &&
+ test_grep "refs/heads/" output &&
+
+ # The one-time script should have been consumed (proving retry happened)
+ test_path_is_missing "$HTTPD_ROOT_PATH/one-time-script"
+'
+
+test_expect_success 'HTTP 429 without Retry-After uses configured default' '
+ write_script "$HTTPD_ROOT_PATH/one-time-script" <<-\EOF &&
+ printf "Status: 429 Too Many Requests\r\n"
+ printf "Content-Type: text/plain\r\n"
+ printf "\r\n"
+ printf "Rate limited - no retry info\n"
+ cat "$1" >/dev/null
+ EOF
+
+ # Enable retries and configure default delay
+ test_config http.maxRetries 3 &&
+ test_config http.retryAfter 1 &&
+
+ # Git should retry using configured default and succeed
+ git ls-remote "$HTTPD_URL/one_time_script/repo.git" >output 2>err &&
+ test_grep "refs/heads/" output &&
+ test_path_is_missing "$HTTPD_ROOT_PATH/one-time-script"
+'
+
+test_expect_success 'HTTP 429 retry delays are respected' '
+ write_script "$HTTPD_ROOT_PATH/one-time-script" <<-\EOF &&
+ printf "Status: 429 Too Many Requests\r\n"
+ printf "Retry-After: 2\r\n"
+ printf "Content-Type: text/plain\r\n"
+ printf "\r\n"
+ printf "Rate limited\n"
+ cat "$1" >/dev/null
+ EOF
+
+ # Enable retries
+ test_config http.maxRetries 3 &&
+
+ # Time the operation - it should take at least 2 seconds due to retry delay
+ start=$(date +%s) &&
+ git ls-remote "$HTTPD_URL/one_time_script/repo.git" >output 2>err &&
+ end=$(date +%s) &&
+ duration=$((end - start)) &&
+
+ # Verify it took at least 2 seconds (allowing some tolerance)
+ test "$duration" -ge 1 &&
+ test_grep "refs/heads/" output &&
+ test_path_is_missing "$HTTPD_ROOT_PATH/one-time-script"
+'
+
+test_expect_success 'HTTP 429 fails immediately if Retry-After exceeds http.maxRetryTime' '
+ write_script "$HTTPD_ROOT_PATH/one-time-script" <<-\EOF &&
+ printf "Status: 429 Too Many Requests\r\n"
+ printf "Retry-After: 100\r\n"
+ printf "Content-Type: text/plain\r\n"
+ printf "\r\n"
+ printf "Rate limited with long delay\n"
+ cat "$1" >/dev/null
+ EOF
+
+ # Configure max retry time to 3 seconds (much less than requested 100)
+ test_config http.maxRetries 3 &&
+ test_config http.maxRetryTime 3 &&
+
+ # Should fail immediately without waiting
+ start=$(date +%s) &&
+ test_must_fail git ls-remote "$HTTPD_URL/one_time_script/repo.git" 2>err &&
+ end=$(date +%s) &&
+ duration=$((end - start)) &&
+
+ # Should fail quickly (less than 2 seconds, no 100 second wait)
+ test "$duration" -lt 2 &&
+ test_grep "exceeds http.maxRetryTime" err &&
+
+ # The one-time script will be consumed on first request
+ test_path_is_missing "$HTTPD_ROOT_PATH/one-time-script"
+'
+
+test_expect_success 'HTTP 429 fails if configured http.retryAfter exceeds http.maxRetryTime' '
+ # Test misconfiguration: retryAfter > maxRetryTime
+ write_script "$HTTPD_ROOT_PATH/one-time-script" <<-\EOF &&
+ printf "Status: 429 Too Many Requests\r\n"
+ printf "Content-Type: text/plain\r\n"
+ printf "\r\n"
+ printf "Rate limited without header\n"
+ cat "$1" >/dev/null
+ EOF
+
+ # Configure retryAfter larger than maxRetryTime
+ test_config http.maxRetries 3 &&
+ test_config http.retryAfter 100 &&
+ test_config http.maxRetryTime 5 &&
+
+ # Should fail immediately with configuration error
+ start=$(date +%s) &&
+ test_must_fail git ls-remote "$HTTPD_URL/one_time_script/repo.git" 2>err &&
+ end=$(date +%s) &&
+ duration=$((end - start)) &&
+
+ # Should fail quickly
+ test "$duration" -lt 2 &&
+ test_grep "configured http.retryAfter.*exceeds.*http.maxRetryTime" err
+'
+
+test_expect_success 'HTTP 429 with Retry-After HTTP-date format' '
+ # Test HTTP-date format (RFC 2822) in Retry-After header
+ # Generate a date 2 seconds in the future
+ future_date=$(TZ=GMT date -d "+2 seconds" "+%a, %d %b %Y %H:%M:%S GMT" 2>/dev/null || \
+ TZ=GMT date -v+2S "+%a, %d %b %Y %H:%M:%S GMT" 2>/dev/null || \
+ echo "skip") &&
+
+ if test "$future_date" = "skip"
+ then
+ skip_all="date command does not support required format" &&
+ test_done
+ fi &&
+
+ write_script "$HTTPD_ROOT_PATH/one-time-script" <<-EOF &&
+ printf "Status: 429 Too Many Requests\\r\\n"
+ printf "Retry-After: $future_date\\r\\n"
+ printf "Content-Type: text/plain\\r\\n"
+ printf "\\r\\n"
+ printf "Rate limited with HTTP-date\\n"
+ cat "\$1" >/dev/null
+ EOF
+
+ # Enable retries
+ test_config http.maxRetries 3 &&
+
+ # Git should parse the HTTP-date and retry after the delay
+ start=$(date +%s) &&
+ git ls-remote "$HTTPD_URL/one_time_script/repo.git" >output 2>err &&
+ end=$(date +%s) &&
+ duration=$((end - start)) &&
+
+ # Should take at least 1 second (allowing tolerance for processing time)
+ test "$duration" -ge 1 &&
+ test_grep "refs/heads/" output &&
+ test_path_is_missing "$HTTPD_ROOT_PATH/one-time-script"
+'
+
+test_expect_success 'HTTP 429 with HTTP-date exceeding maxRetryTime fails immediately' '
+ # Generate a date 200 seconds in the future
+ future_date=$(TZ=GMT date -d "+200 seconds" "+%a, %d %b %Y %H:%M:%S GMT" 2>/dev/null || \
+ TZ=GMT date -v+200S "+%a, %d %b %Y %H:%M:%S GMT" 2>/dev/null || \
+ echo "skip") &&
+
+ if test "$future_date" = "skip"
+ then
+ skip_all="date command does not support required format" &&
+ test_done
+ fi &&
+
+ write_script "$HTTPD_ROOT_PATH/one-time-script" <<-EOF &&
+ printf "Status: 429 Too Many Requests\\r\\n"
+ printf "Retry-After: $future_date\\r\\n"
+ printf "Content-Type: text/plain\\r\\n"
+ printf "\\r\\n"
+ printf "Rate limited with long HTTP-date\\n"
+ cat "\$1" >/dev/null
+ EOF
+
+ # Configure max retry time much less than the 200 second delay
+ test_config http.maxRetries 3 &&
+ test_config http.maxRetryTime 10 &&
+
+ # Should fail immediately without waiting 200 seconds
+ start=$(date +%s) &&
+ test_must_fail git ls-remote "$HTTPD_URL/one_time_script/repo.git" 2>err &&
+ end=$(date +%s) &&
+ duration=$((end - start)) &&
+
+ # Should fail quickly (not wait 200 seconds)
+ test "$duration" -lt 2 &&
+ test_grep "exceeds http.maxRetryTime" err &&
+
+ # The one-time script will be consumed on first request
+ test_path_is_missing "$HTTPD_ROOT_PATH/one-time-script"
+'
+
+test_expect_success 'HTTP 429 with past HTTP-date should not wait' '
+ past_date=$(TZ=GMT date -d "-10 seconds" "+%a, %d %b %Y %H:%M:%S GMT" 2>/dev/null || \
+ TZ=GMT date -v-10S "+%a, %d %b %Y %H:%M:%S GMT" 2>/dev/null || \
+ echo "skip") &&
+
+ if test "$past_date" = "skip"
+ then
+ skip_all="date command does not support required format" &&
+ test_done
+ fi &&
+
+ write_script "$HTTPD_ROOT_PATH/one-time-script" <<-EOF &&
+ printf "Status: 429 Too Many Requests\\r\\n"
+ printf "Retry-After: $past_date\\r\\n"
+ printf "Content-Type: text/plain\\r\\n"
+ printf "\\r\\n"
+ printf "Rate limited with past date\\n"
+ cat "\$1" >/dev/null
+ EOF
+
+ # Enable retries
+ test_config http.maxRetries 3 &&
+
+ # Git should retry immediately without waiting
+ start=$(date +%s) &&
+ git ls-remote "$HTTPD_URL/one_time_script/repo.git" >output 2>err &&
+ end=$(date +%s) &&
+ duration=$((end - start)) &&
+
+ # Should complete quickly (less than 2 seconds)
+ test "$duration" -lt 2 &&
+ test_grep "refs/heads/" output &&
+ test_path_is_missing "$HTTPD_ROOT_PATH/one-time-script"
+'
+
+test_expect_success 'HTTP 429 with invalid Retry-After format uses configured default' '
+ write_script "$HTTPD_ROOT_PATH/one-time-script" <<-\EOF &&
+ printf "Status: 429 Too Many Requests\r\n"
+ printf "Retry-After: invalid-format-123abc\r\n"
+ printf "Content-Type: text/plain\r\n"
+ printf "\r\n"
+ printf "Rate limited with malformed header\n"
+ cat "$1" >/dev/null
+ EOF
+
+ # Configure default retry-after
+ test_config http.maxRetries 3 &&
+ test_config http.retryAfter 1 &&
+
+ # Should use configured default (1 second) since header is invalid
+ start=$(date +%s) &&
+ git ls-remote "$HTTPD_URL/one_time_script/repo.git" >output 2>err &&
+ end=$(date +%s) &&
+ duration=$((end - start)) &&
+
+ # Should take at least 1 second (the configured default)
+ test "$duration" -ge 1 &&
+ test_grep "refs/heads/" output &&
+ test_grep "waiting.*retry" err &&
+ test_path_is_missing "$HTTPD_ROOT_PATH/one-time-script"
+'
+
+test_expect_success 'HTTP 429 will not be retried without config' '
+ # Default config means http.maxRetries=0 (retries disabled)
+ # When 429 is received, it should fail immediately without retry
+ write_script "$HTTPD_ROOT_PATH/one-time-script" <<-\EOF &&
+ printf "Status: 429 Too Many Requests\r\n"
+ printf "Retry-After: 1\r\n"
+ printf "Content-Type: text/plain\r\n"
+ printf "\r\n"
+ printf "Rate limited\n"
+ cat "$1" >/dev/null
+ EOF
+
+ # Do NOT configure anything - use defaults (http.maxRetries defaults to 0)
+
+ # Should fail immediately without retry
+ test_must_fail git ls-remote "$HTTPD_URL/one_time_script/repo.git" 2>err &&
+
+ # Verify no retry happened (no "waiting" message)
+ ! grep -i "waiting.*retry" err &&
+
+ # Should get 429 error
+ test_grep "429" err &&
+
+ # The one-time script should be consumed on first request
+ test_path_is_missing "$HTTPD_ROOT_PATH/one-time-script"
+'
+
+test_expect_success 'GIT_HTTP_RETRY_AFTER overrides http.retryAfter config' '
+ write_script "$HTTPD_ROOT_PATH/one-time-script" <<-\EOF &&
+ printf "Status: 429 Too Many Requests\r\n"
+ printf "Content-Type: text/plain\r\n"
+ printf "\r\n"
+ printf "Rate limited - no Retry-After header\n"
+ cat "$1" >/dev/null
+ EOF
+
+ # Configure retryAfter to 10 seconds
+ test_config http.maxRetries 3 &&
+ test_config http.retryAfter 10 &&
+
+ # Override with environment variable to 1 second
+ start=$(date +%s) &&
+ GIT_HTTP_RETRY_AFTER=1 git ls-remote "$HTTPD_URL/one_time_script/repo.git" >output 2>err &&
+ end=$(date +%s) &&
+ duration=$((end - start)) &&
+
+ # Should use env var (1 second), not config (10 seconds)
+ test "$duration" -ge 1 &&
+ test "$duration" -lt 5 &&
+ test_grep "refs/heads/" output &&
+ test_grep "waiting.*retry" err &&
+ test_path_is_missing "$HTTPD_ROOT_PATH/one-time-script"
+'
+
+test_expect_success 'GIT_HTTP_MAX_RETRIES overrides http.maxRetries config' '
+ write_script "$HTTPD_ROOT_PATH/one-time-script" <<-\EOF &&
+ printf "Status: 429 Too Many Requests\r\n"
+ printf "Retry-After: 1\r\n"
+ printf "Content-Type: text/plain\r\n"
+ printf "\r\n"
+ printf "Rate limited\n"
+ cat "$1" >/dev/null
+ EOF
+
+ # Configure maxRetries to 0 (disabled)
+ test_config http.maxRetries 0 &&
+ test_config http.retryAfter 1 &&
+
+ # Override with environment variable to enable retries
+ GIT_HTTP_MAX_RETRIES=3 git ls-remote "$HTTPD_URL/one_time_script/repo.git" >output 2>err &&
+
+ # Should retry (env var enables it despite config saying disabled)
+ test_grep "refs/heads/" output &&
+ test_grep "waiting.*retry" err &&
+ test_path_is_missing "$HTTPD_ROOT_PATH/one-time-script"
+'
+
+test_expect_success 'GIT_HTTP_MAX_RETRY_TIME overrides http.maxRetryTime config' '
+ write_script "$HTTPD_ROOT_PATH/one-time-script" <<-\EOF &&
+ printf "Status: 429 Too Many Requests\r\n"
+ printf "Retry-After: 50\r\n"
+ printf "Content-Type: text/plain\r\n"
+ printf "\r\n"
+ printf "Rate limited with long delay\n"
+ cat "$1" >/dev/null
+ EOF
+
+ # Configure maxRetryTime to 100 seconds (would accept 50 second delay)
+ test_config http.maxRetries 3 &&
+ test_config http.maxRetryTime 100 &&
+
+ # Override with environment variable to 10 seconds (should reject 50 second delay)
+ start=$(date +%s) &&
+ test_must_fail env GIT_HTTP_MAX_RETRY_TIME=10 \
+ git ls-remote "$HTTPD_URL/one_time_script/repo.git" 2>err &&
+ end=$(date +%s) &&
+ duration=$((end - start)) &&
+
+ # Should fail quickly (not wait 50 seconds) because env var limits to 10
+ test "$duration" -lt 5 &&
+ test_grep "exceeds http.maxRetryTime" err &&
+ test_path_is_missing "$HTTPD_ROOT_PATH/one-time-script"
+'
+
+test_expect_success 'verify normal repository access still works' '
+ git ls-remote "$HTTPD_URL/smart/repo.git" >output &&
+ test_grep "refs/heads/" output
+'
+
+test_done
--
gitgitgadget
^ permalink raw reply related [flat|nested] 49+ messages in thread
* [PATCH 2/3] remote-curl: fix memory leak in show_http_message()
2025-11-26 12:30 [PATCH 0/3] http: add support for HTTP 429 rate limit retries Vaidas Pilkauskas via GitGitGadget
2025-11-26 12:30 ` [PATCH 1/3] " Vaidas Pilkauskas via GitGitGadget
@ 2025-11-26 12:30 ` Vaidas Pilkauskas via GitGitGadget
2025-12-09 23:52 ` Taylor Blau
2025-11-26 12:30 ` [PATCH 3/3] http: add trace2 logging for retry operations Vaidas Pilkauskas via GitGitGadget
2025-12-18 14:44 ` [PATCH v2 0/2] http: add support for HTTP 429 rate limit retries Vaidas Pilkauskas via GitGitGadget
3 siblings, 1 reply; 49+ messages in thread
From: Vaidas Pilkauskas via GitGitGadget @ 2025-11-26 12:30 UTC (permalink / raw)
To: git; +Cc: Vaidas Pilkauskas, Vaidas Pilkauskas
From: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
Fix a memory leak in show_http_message() that was triggered when
displaying HTTP error messages before die(). The function would call
strbuf_reencode() which modifies the caller's strbuf in place,
allocating new memory for the re-encoded string. Since this function
is only called immediately before die(), the allocated memory was
never explicitly freed, causing leak detectors to report it.
The leak became visible when HTTP 429 rate limit retry support was
added, which introduced the HTTP_RATE_LIMITED error case. However,
the issue existed in pre-existing error paths as well
(HTTP_MISSING_TARGET, HTTP_NOAUTH, HTTP_NOMATCHPUBLICKEY) - the new
retry logic just made it more visible in tests because retries
exercise the error paths more frequently.
The leak was detected by LeakSanitizer in t5584 tests that enable
retries (maxRetries > 0). Tests with retries disabled passed because
they took a different code path or timing.
Fix this by making show_http_message() work on a local copy of the
message buffer instead of modifying the caller's buffer in place:
1. Create a local strbuf and copy the message into it
2. Perform re-encoding on the local copy if needed
3. Display the message from the local copy
4. Properly release the local copy before returning
This ensures all memory allocated by strbuf_reencode() is freed
before the function returns, even though die() is called immediately
after, eliminating the leak.
Signed-off-by: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
---
remote-curl.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/remote-curl.c b/remote-curl.c
index 5959461cd3..dd0680e5ae 100644
--- a/remote-curl.c
+++ b/remote-curl.c
@@ -371,6 +371,7 @@ static int show_http_message(struct strbuf *type, struct strbuf *charset,
struct strbuf *msg)
{
const char *p, *eol;
+ struct strbuf msgbuf = STRBUF_INIT;
/*
* We only show text/plain parts, as other types are likely
@@ -378,19 +379,24 @@ static int show_http_message(struct strbuf *type, struct strbuf *charset,
*/
if (strcmp(type->buf, "text/plain"))
return -1;
+
+ strbuf_addbuf(&msgbuf, msg);
if (charset->len)
- strbuf_reencode(msg, charset->buf, get_log_output_encoding());
+ strbuf_reencode(&msgbuf, charset->buf, get_log_output_encoding());
- strbuf_trim(msg);
- if (!msg->len)
+ strbuf_trim(&msgbuf);
+ if (!msgbuf.len) {
+ strbuf_release(&msgbuf);
return -1;
+ }
- p = msg->buf;
+ p = msgbuf.buf;
do {
eol = strchrnul(p, '\n');
fprintf(stderr, "remote: %.*s\n", (int)(eol - p), p);
p = eol + 1;
} while(*eol);
+ strbuf_release(&msgbuf);
return 0;
}
--
gitgitgadget
^ permalink raw reply related [flat|nested] 49+ messages in thread
* [PATCH 3/3] http: add trace2 logging for retry operations
2025-11-26 12:30 [PATCH 0/3] http: add support for HTTP 429 rate limit retries Vaidas Pilkauskas via GitGitGadget
2025-11-26 12:30 ` [PATCH 1/3] " Vaidas Pilkauskas via GitGitGadget
2025-11-26 12:30 ` [PATCH 2/3] remote-curl: fix memory leak in show_http_message() Vaidas Pilkauskas via GitGitGadget
@ 2025-11-26 12:30 ` Vaidas Pilkauskas via GitGitGadget
2025-12-18 14:44 ` [PATCH v2 0/2] http: add support for HTTP 429 rate limit retries Vaidas Pilkauskas via GitGitGadget
3 siblings, 0 replies; 49+ messages in thread
From: Vaidas Pilkauskas via GitGitGadget @ 2025-11-26 12:30 UTC (permalink / raw)
To: git; +Cc: Vaidas Pilkauskas, Vaidas Pilkauskas
From: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
Add trace2 instrumentation to HTTP 429 retry operations to enable
monitoring and debugging of rate limit scenarios in production
environments.
The trace2 logging captures:
* Retry attempt numbers (http/429-retry-attempt) to track retry
progression and identify how many attempts were needed
* Retry-After header values (http/429-retry-after) from server
responses to understand server-requested delays
* Actual sleep durations (http/retry-sleep-seconds) within trace2
regions (http/retry-sleep) to measure time spent waiting
* Error conditions (http/429-error) such as "retries-exhausted",
"exceeds-max-retry-time", "no-retry-after-config", and
"config-exceeds-max-retry-time" for diagnosing failures
* Retry source (http/429-retry-source) indicating whether delay
came from server header or config default
This instrumentation provides complete visibility into retry behavior,
enabling operators to monitor rate limiting patterns, diagnose retry
failures, and optimize retry configuration based on real-world data.
Signed-off-by: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
---
http.c | 40 +++++++++++++++++++++++++++++++---------
1 file changed, 31 insertions(+), 9 deletions(-)
diff --git a/http.c b/http.c
index 212805cad5..f318e2fbe8 100644
--- a/http.c
+++ b/http.c
@@ -23,6 +23,7 @@
#include "odb.h"
#include "tempfile.h"
#include "date.h"
+#include "trace2.h"
static struct trace_key trace_curl = TRACE_KEY_INIT(CURL);
static int trace_curl_data = 1;
@@ -1944,6 +1945,8 @@ static int handle_curl_result(struct slot_results *results)
} else if (results->http_code == 429) {
/* Store the retry_after value for use in retry logic */
last_retry_after = results->retry_after;
+ trace2_data_intmax("http", the_repository, "http/429-retry-after",
+ last_retry_after);
return HTTP_RATE_LIMITED;
} else {
if (results->http_connectcode == 407)
@@ -2338,11 +2341,15 @@ static void sleep_for_retry(long retry_after)
if (retry_after > 0) {
unsigned int remaining;
warning(_("rate limited, waiting %ld seconds before retry"), retry_after);
+ trace2_region_enter("http", "retry-sleep", the_repository);
+ trace2_data_intmax("http", the_repository, "http/retry-sleep-seconds",
+ retry_after);
remaining = sleep(retry_after);
while (remaining > 0) {
/* Sleep was interrupted, continue sleeping */
remaining = sleep(remaining);
}
+ trace2_region_leave("http", "retry-sleep", the_repository);
}
}
@@ -2400,10 +2407,15 @@ static int http_request_reauth(const char *url,
/* Handle rate limiting with retry logic */
int retry_attempt = http_max_retries - rate_limit_retries + 1;
+ trace2_data_intmax("http", the_repository, "http/429-retry-attempt",
+ retry_attempt);
+
if (rate_limit_retries <= 0) {
/* Retries are disabled or exhausted */
if (http_max_retries > 0) {
error(_("too many rate limit retries, giving up"));
+ trace2_data_string("http", the_repository,
+ "http/429-error", "retries-exhausted");
}
return HTTP_ERROR;
}
@@ -2418,6 +2430,10 @@ static int http_request_reauth(const char *url,
error(_("rate limited (HTTP 429) requested %ld second delay, "
"exceeds http.maxRetryTime of %ld seconds"),
last_retry_after, http_max_retry_time);
+ trace2_data_string("http", the_repository,
+ "http/429-error", "exceeds-max-retry-time");
+ trace2_data_intmax("http", the_repository,
+ "http/429-requested-delay", last_retry_after);
last_retry_after = -1; /* Reset after use */
return HTTP_ERROR;
}
@@ -2429,17 +2445,23 @@ static int http_request_reauth(const char *url,
/* Not configured - exit with error */
error(_("rate limited (HTTP 429) and no Retry-After header provided. "
"Configure http.retryAfter or set GIT_HTTP_RETRY_AFTER."));
+ trace2_data_string("http", the_repository,
+ "http/429-error", "no-retry-after-config");
return HTTP_ERROR;
}
- /* Check if configured default exceeds maximum allowed */
- if (http_retry_after > http_max_retry_time) {
- error(_("configured http.retryAfter (%ld seconds) exceeds "
- "http.maxRetryTime (%ld seconds)"),
- http_retry_after, http_max_retry_time);
- return HTTP_ERROR;
- }
- /* Use configured default retry-after value */
- sleep_for_retry(http_retry_after);
+ /* Check if configured default exceeds maximum allowed */
+ if (http_retry_after > http_max_retry_time) {
+ error(_("configured http.retryAfter (%ld seconds) exceeds "
+ "http.maxRetryTime (%ld seconds)"),
+ http_retry_after, http_max_retry_time);
+ trace2_data_string("http", the_repository,
+ "http/429-error", "config-exceeds-max-retry-time");
+ return HTTP_ERROR;
+ }
+ /* Use configured default retry-after value */
+ trace2_data_string("http", the_repository,
+ "http/429-retry-source", "config-default");
+ sleep_for_retry(http_retry_after);
}
} else if (ret == HTTP_REAUTH) {
credential_fill(the_repository, &http_auth, 1);
--
gitgitgadget
^ permalink raw reply related [flat|nested] 49+ messages in thread
* Re: [PATCH 1/3] http: add support for HTTP 429 rate limit retries
2025-11-26 12:30 ` [PATCH 1/3] " Vaidas Pilkauskas via GitGitGadget
@ 2025-12-09 23:15 ` Taylor Blau
2025-12-12 12:36 ` Vaidas Pilkauskas
0 siblings, 1 reply; 49+ messages in thread
From: Taylor Blau @ 2025-12-09 23:15 UTC (permalink / raw)
To: Vaidas Pilkauskas via GitGitGadget; +Cc: git, Vaidas Pilkauskas
On Wed, Nov 26, 2025 at 12:30:25PM +0000, Vaidas Pilkauskas via GitGitGadget wrote:
> Retry behavior is controlled by three new configuration options:
>
> * http.maxRetries: Maximum number of retry attempts (default: 0,
> meaning retries are disabled by default). Users must explicitly
> opt-in to retry behavior.
>
> * http.retryAfter: Default delay in seconds when the server doesn't
> provide a Retry-After header (default: -1, meaning fail if no
> header is provided). This serves as a fallback mechanism.
>
> * http.maxRetryTime: Maximum delay in seconds for a single retry
> (default: 300). If the server requests a delay exceeding this
> limit, Git fails immediately rather than waiting. This prevents
> indefinite blocking on unreasonable server requests.
>
> All three options can be overridden via environment variables:
> GIT_HTTP_MAX_RETRIES, GIT_HTTP_RETRY_AFTER, and
> GIT_HTTP_MAX_RETRY_TIME.
This is great information, and I am glad that it is written down in
http.adoc so that it shows up in git-config(1). I think that it's fine
to omit this level of detail from the commit message, since it
duplicates information from the authoritative source on configuration
knobs.
It might be reasonable to say something like:
Retry behavior is controlled by three new configuration options
(http.maxRetries, http.retryAfter, and http.maxRetryTime) which are
documented in git-config(1).
or something.
> diff --git a/http-push.c b/http-push.c
> index d86ce77119..a602a302ec 100644
> --- a/http-push.c
> +++ b/http-push.c
> @@ -716,6 +716,10 @@ static int fetch_indices(void)
> case HTTP_MISSING_TARGET:
> ret = 0;
> break;
> + case HTTP_RATE_LIMITED:
> + error("rate limited by '%s', please try again later", repo->url);
> + ret = -1;
Other strings in this file aren't marked for translation, but I think
we can/should mark this one like so:
error(_("rate limited by %s ..."), repo->url);
> diff --git a/http.c b/http.c
> index 41f850db16..212805cad5 100644
> --- a/http.c
> +++ b/http.c
> @@ -22,6 +22,7 @@
> #include "object-file.h"
> #include "odb.h"
> #include "tempfile.h"
> +#include "date.h"
>
> static struct trace_key trace_curl = TRACE_KEY_INIT(CURL);
> static int trace_curl_data = 1;
> @@ -149,6 +150,14 @@ static char *cached_accept_language;
> static char *http_ssl_backend;
>
> static int http_schannel_check_revoke = 1;
> +
> +/* Retry configuration */
> +static long http_retry_after = -1; /* Default retry-after in seconds when header is missing (-1 means not set, exit with 128) */
> +static long http_max_retries = 0; /* Maximum number of retry attempts (0 means retries are disabled) */
> +static long http_max_retry_time = 300; /* Maximum time to wait for a single retry (default 5 minutes) */
These comments should be OK to drop, the variables indicate what Git
configuration they correspond to (e.g., http_retry_after ->
http.retryAfter), so git-config(1) is the authoritative source for
documentation here.
> @@ -257,6 +267,47 @@ static size_t fwrite_wwwauth(char *ptr, size_t eltsize, size_t nmemb, void *p UN
> goto exit;
> }
>
> + /* Parse Retry-After header for rate limiting */
> + if (skip_iprefix_mem(ptr, size, "retry-after:", &val, &val_len)) {
Makes sense, though I wonder if we should rename this function, since
fwrite_wwwauth is now doing more than just handling WWW-Authenticate
headers.
Perhaps we should have a single top-level function that is registered as
our CURLOPT_HEADERFUNCTION that dispatches calls to header-specific
functions? Otherwise the actual parsing of the Retry-After header looks
good to me.
> @@ -1422,6 +1488,10 @@ void http_init(struct remote *remote, const char *url, int proactive_auth)
> set_long_from_env(&curl_tcp_keepintvl, "GIT_TCP_KEEPINTVL");
> set_long_from_env(&curl_tcp_keepcnt, "GIT_TCP_KEEPCNT");
>
> + set_long_from_env(&http_retry_after, "GIT_HTTP_RETRY_AFTER");
> + set_long_from_env(&http_max_retries, "GIT_HTTP_MAX_RETRIES");
> + set_long_from_env(&http_max_retry_time, "GIT_HTTP_MAX_RETRY_TIME");
> +
The configuration handling and overrides look good to me.
> @@ -2253,19 +2330,36 @@ static int update_url_from_redirect(struct strbuf *base,
> return 1;
> }
>
> +/*
> + * Sleep for the specified number of seconds before retrying.
> + */
> +static void sleep_for_retry(long retry_after)
> +{
> + if (retry_after > 0) {
> + unsigned int remaining;
> + warning(_("rate limited, waiting %ld seconds before retry"), retry_after);
> + remaining = sleep(retry_after);
What should we do if there are other active request slots? It has been a
couple of years since I have looked at Git's HTTP code, but I imagine
that we should be able to continue processing other requests while
waiting for the retry-after period to elapse here.
> @@ -2302,7 +2396,54 @@ static int http_request_reauth(const char *url,
> BUG("Unknown http_request target");
> }
>
> - credential_fill(the_repository, &http_auth, 1);
> + if (ret == HTTP_RATE_LIMITED) {
Should handling the retry behavior be moved into a separate function? I
think that http_request_reauth() might be clearer if it read:
if (ret == HTTP_RATE_LIMITED)
apply_rate_limit(...); /* presumably with a better name */
else
credential_fill(...);
, and likewise, should we rename this function as it is no longer just
re-authenticating HTTP requests?
> diff --git a/t/t5584-http-429-retry.sh b/t/t5584-http-429-retry.sh
> new file mode 100755
> index 0000000000..8bcc382763
> --- /dev/null
> +++ b/t/t5584-http-429-retry.sh
> @@ -0,0 +1,429 @@
> +#!/bin/sh
> +
> +test_description='test HTTP 429 Too Many Requests retry logic'
> +
> +. ./test-lib.sh
> +
> +. "$TEST_DIRECTORY"/lib-httpd.sh
> +
> +start_httpd
> +
> +test_expect_success 'setup test repository' '
> + test_commit initial &&
> + git clone --bare . "$HTTPD_DOCUMENT_ROOT_PATH/repo.git" &&
> + git --git-dir="$HTTPD_DOCUMENT_ROOT_PATH/repo.git" config http.receivepack true
> +'
> +
> +test_expect_success 'HTTP 429 with retries disabled (maxRetries=0) fails immediately' '
> + write_script "$HTTPD_ROOT_PATH/one-time-script" <<-\EOF &&
> + printf "Status: 429 Too Many Requests\r\n"
> + printf "Retry-After: 1\r\n"
> + printf "Content-Type: text/plain\r\n"
> + printf "\r\n"
> + printf "Rate limited\n"
> + cat "$1" >/dev/null
> + EOF
To avoid having to write this script multiple write, you can write it as
a separate script in t/lib-httpd and then make sure to list it in
prepare_httpd() (from t/lib-httpd.sh).
You can then list it in the apache.conf in the same directory and invoke
it however you like. If you need to take in arguments to the script
(e.g., to change the Retry-After value), you can use a ScriptAliasMatch
instead of a normal ScriptAlias to pass in extra parameters from the URL.
The one-time-script mechanism here will cause the test harness to delete
the script after its first (and only) use, which can be useful for some
cases but I suspect is not necessary for all of these tests.
> +
> + # Set maxRetries to 0 (disabled)
> + test_config http.maxRetries 0 &&
> + test_config http.retryAfter 1 &&
> +
> + # Should fail immediately without any retry attempt
> + test_must_fail git ls-remote "$HTTPD_URL/one_time_script/repo.git" 2>err &&
> +
> + # Verify no retry happened (no "waiting" message in stderr)
> + ! grep -i "waiting.*retry" err &&
test_grep can be helpful when reading the output of test failures, since
it dumps the contents of the file it was searching. Just make sure to
write "test_grep !" instead of "! test_grep" (there are a few such
instances of the latter that I just wrote patches to clean up).
"! test_grep" isn't *wrong* per-se, but it will pollute the test output
with "couldn't find xyz in abc".
I skimmed through the the remainder of the tests since I imagine that
they will change substantially after writing the script out explicitly
instead of using one-time-script, so I'll hold off on reviewing that
portion in more detail until then.
Thanks,
Taylor
^ permalink raw reply [flat|nested] 49+ messages in thread
* Re: [PATCH 2/3] remote-curl: fix memory leak in show_http_message()
2025-11-26 12:30 ` [PATCH 2/3] remote-curl: fix memory leak in show_http_message() Vaidas Pilkauskas via GitGitGadget
@ 2025-12-09 23:52 ` Taylor Blau
0 siblings, 0 replies; 49+ messages in thread
From: Taylor Blau @ 2025-12-09 23:52 UTC (permalink / raw)
To: Vaidas Pilkauskas via GitGitGadget; +Cc: git, Vaidas Pilkauskas
On Wed, Nov 26, 2025 at 12:30:26PM +0000, Vaidas Pilkauskas via GitGitGadget wrote:
> diff --git a/remote-curl.c b/remote-curl.c
> index 5959461cd3..dd0680e5ae 100644
> --- a/remote-curl.c
> +++ b/remote-curl.c
> @@ -371,6 +371,7 @@ static int show_http_message(struct strbuf *type, struct strbuf *charset,
> struct strbuf *msg)
> {
> const char *p, *eol;
> + struct strbuf msgbuf = STRBUF_INIT;
>
> /*
> * We only show text/plain parts, as other types are likely
> @@ -378,19 +379,24 @@ static int show_http_message(struct strbuf *type, struct strbuf *charset,
> */
> if (strcmp(type->buf, "text/plain"))
> return -1;
> +
> + strbuf_addbuf(&msgbuf, msg);
Hmm. Looking at the list of show_http_message() callers, it looks like
they all follow the pattern of constructing a strbuf "msg", passing it
to this function, and then calling die() with some user-friendly
message.
I agree that the patch here does address that leak, but I wonder if we
should do it in a way that doesn't involve copying the "msg" buffer. One
thing we could do is rename 'show_http_message()' to make it clear that
it's fatal and then free the re-encoded buffer ourselves (along with the
other buffers type and charset), perhaps like so (on top of the previous
patch in lieu of this one):
--- 8< ---
diff --git a/remote-curl.c b/remote-curl.c
index 5959461cd34..9d8359665ee 100644
--- a/remote-curl.c
+++ b/remote-curl.c
@@ -367,23 +367,25 @@ static void free_discovery(struct discovery *d)
}
}
-static int show_http_message(struct strbuf *type, struct strbuf *charset,
- struct strbuf *msg)
+static void show_http_message_fatal(struct strbuf *type, struct strbuf *charset,
+ struct strbuf *msg, const char *fmt, ...)
{
const char *p, *eol;
+ va_list ap;
+ report_fn die_message_routine = get_die_message_routine();
/*
* We only show text/plain parts, as other types are likely
* to be ugly to look at on the user's terminal.
*/
if (strcmp(type->buf, "text/plain"))
- return -1;
+ goto out;
if (charset->len)
strbuf_reencode(msg, charset->buf, get_log_output_encoding());
strbuf_trim(msg);
if (!msg->len)
- return -1;
+ goto out;
p = msg->buf;
do {
@@ -391,7 +393,15 @@ static int show_http_message(struct strbuf *type, struct strbuf *charset,
fprintf(stderr, "remote: %.*s\n", (int)(eol - p), p);
p = eol + 1;
} while(*eol);
- return 0;
+
+out:
+ strbuf_release(type);
+ strbuf_release(charset);
+ strbuf_release(msg);
+
+ va_start(ap, fmt);
+ die_message_routine(fmt, ap);
+ va_end(ap);
}
static int get_protocol_http_header(enum protocol_version version,
@@ -518,25 +528,27 @@ static struct discovery *discover_refs(const char *service, int for_push)
case HTTP_OK:
break;
case HTTP_MISSING_TARGET:
- show_http_message(&type, &charset, &buffer);
- die(_("repository '%s' not found"),
- transport_anonymize_url(url.buf));
+ show_http_message_fatal(&type, &charset, &buffer,
+ _("repository '%s' not found"),
+ transport_anonymize_url(url.buf));
--- >8 ---
(...and so on for the remaining cases).
Thanks,
Taylor
^ permalink raw reply related [flat|nested] 49+ messages in thread
* Re: [PATCH 1/3] http: add support for HTTP 429 rate limit retries
2025-12-09 23:15 ` Taylor Blau
@ 2025-12-12 12:36 ` Vaidas Pilkauskas
0 siblings, 0 replies; 49+ messages in thread
From: Vaidas Pilkauskas @ 2025-12-12 12:36 UTC (permalink / raw)
To: Taylor Blau; +Cc: Vaidas Pilkauskas via GitGitGadget, git
On Wed, Dec 10, 2025 at 1:15 AM Taylor Blau <me@ttaylorr.com> wrote:
> > +/*
> > + * Sleep for the specified number of seconds before retrying.
> > + */
> > +static void sleep_for_retry(long retry_after)
> > +{
> > + if (retry_after > 0) {
> > + unsigned int remaining;
> > + warning(_("rate limited, waiting %ld seconds before retry"), retry_after);
> > + remaining = sleep(retry_after);
>
> What should we do if there are other active request slots? It has been a
> couple of years since I have looked at Git's HTTP code, but I imagine
> that we should be able to continue processing other requests while
> waiting for the retry-after period to elapse here.
This is a very good catch - I'll rewrite this to a non-blocking wait.
Thanks for the review, Taylor, I'll work to address this and other
comments in the next version of the patch.
On Wed, Dec 10, 2025 at 1:15 AM Taylor Blau <me@ttaylorr.com> wrote:
>
> On Wed, Nov 26, 2025 at 12:30:25PM +0000, Vaidas Pilkauskas via GitGitGadget wrote:
> > Retry behavior is controlled by three new configuration options:
> >
> > * http.maxRetries: Maximum number of retry attempts (default: 0,
> > meaning retries are disabled by default). Users must explicitly
> > opt-in to retry behavior.
> >
> > * http.retryAfter: Default delay in seconds when the server doesn't
> > provide a Retry-After header (default: -1, meaning fail if no
> > header is provided). This serves as a fallback mechanism.
> >
> > * http.maxRetryTime: Maximum delay in seconds for a single retry
> > (default: 300). If the server requests a delay exceeding this
> > limit, Git fails immediately rather than waiting. This prevents
> > indefinite blocking on unreasonable server requests.
> >
> > All three options can be overridden via environment variables:
> > GIT_HTTP_MAX_RETRIES, GIT_HTTP_RETRY_AFTER, and
> > GIT_HTTP_MAX_RETRY_TIME.
>
> This is great information, and I am glad that it is written down in
> http.adoc so that it shows up in git-config(1). I think that it's fine
> to omit this level of detail from the commit message, since it
> duplicates information from the authoritative source on configuration
> knobs.
>
> It might be reasonable to say something like:
>
> Retry behavior is controlled by three new configuration options
> (http.maxRetries, http.retryAfter, and http.maxRetryTime) which are
> documented in git-config(1).
>
> or something.
>
> > diff --git a/http-push.c b/http-push.c
> > index d86ce77119..a602a302ec 100644
> > --- a/http-push.c
> > +++ b/http-push.c
> > @@ -716,6 +716,10 @@ static int fetch_indices(void)
> > case HTTP_MISSING_TARGET:
> > ret = 0;
> > break;
> > + case HTTP_RATE_LIMITED:
> > + error("rate limited by '%s', please try again later", repo->url);
> > + ret = -1;
>
> Other strings in this file aren't marked for translation, but I think
> we can/should mark this one like so:
>
> error(_("rate limited by %s ..."), repo->url);
>
> > diff --git a/http.c b/http.c
> > index 41f850db16..212805cad5 100644
> > --- a/http.c
> > +++ b/http.c
> > @@ -22,6 +22,7 @@
> > #include "object-file.h"
> > #include "odb.h"
> > #include "tempfile.h"
> > +#include "date.h"
> >
> > static struct trace_key trace_curl = TRACE_KEY_INIT(CURL);
> > static int trace_curl_data = 1;
> > @@ -149,6 +150,14 @@ static char *cached_accept_language;
> > static char *http_ssl_backend;
> >
> > static int http_schannel_check_revoke = 1;
> > +
> > +/* Retry configuration */
> > +static long http_retry_after = -1; /* Default retry-after in seconds when header is missing (-1 means not set, exit with 128) */
> > +static long http_max_retries = 0; /* Maximum number of retry attempts (0 means retries are disabled) */
> > +static long http_max_retry_time = 300; /* Maximum time to wait for a single retry (default 5 minutes) */
>
> These comments should be OK to drop, the variables indicate what Git
> configuration they correspond to (e.g., http_retry_after ->
> http.retryAfter), so git-config(1) is the authoritative source for
> documentation here.
>
> > @@ -257,6 +267,47 @@ static size_t fwrite_wwwauth(char *ptr, size_t eltsize, size_t nmemb, void *p UN
> > goto exit;
> > }
> >
> > + /* Parse Retry-After header for rate limiting */
> > + if (skip_iprefix_mem(ptr, size, "retry-after:", &val, &val_len)) {
>
> Makes sense, though I wonder if we should rename this function, since
> fwrite_wwwauth is now doing more than just handling WWW-Authenticate
> headers.
>
> Perhaps we should have a single top-level function that is registered as
> our CURLOPT_HEADERFUNCTION that dispatches calls to header-specific
> functions? Otherwise the actual parsing of the Retry-After header looks
> good to me.
>
> > @@ -1422,6 +1488,10 @@ void http_init(struct remote *remote, const char *url, int proactive_auth)
> > set_long_from_env(&curl_tcp_keepintvl, "GIT_TCP_KEEPINTVL");
> > set_long_from_env(&curl_tcp_keepcnt, "GIT_TCP_KEEPCNT");
> >
> > + set_long_from_env(&http_retry_after, "GIT_HTTP_RETRY_AFTER");
> > + set_long_from_env(&http_max_retries, "GIT_HTTP_MAX_RETRIES");
> > + set_long_from_env(&http_max_retry_time, "GIT_HTTP_MAX_RETRY_TIME");
> > +
>
> The configuration handling and overrides look good to me.
>
> > @@ -2253,19 +2330,36 @@ static int update_url_from_redirect(struct strbuf *base,
> > return 1;
> > }
> >
> > +/*
> > + * Sleep for the specified number of seconds before retrying.
> > + */
> > +static void sleep_for_retry(long retry_after)
> > +{
> > + if (retry_after > 0) {
> > + unsigned int remaining;
> > + warning(_("rate limited, waiting %ld seconds before retry"), retry_after);
> > + remaining = sleep(retry_after);
>
> What should we do if there are other active request slots? It has been a
> couple of years since I have looked at Git's HTTP code, but I imagine
> that we should be able to continue processing other requests while
> waiting for the retry-after period to elapse here.
>
> > @@ -2302,7 +2396,54 @@ static int http_request_reauth(const char *url,
> > BUG("Unknown http_request target");
> > }
> >
> > - credential_fill(the_repository, &http_auth, 1);
> > + if (ret == HTTP_RATE_LIMITED) {
>
> Should handling the retry behavior be moved into a separate function? I
> think that http_request_reauth() might be clearer if it read:
>
> if (ret == HTTP_RATE_LIMITED)
> apply_rate_limit(...); /* presumably with a better name */
> else
> credential_fill(...);
>
> , and likewise, should we rename this function as it is no longer just
> re-authenticating HTTP requests?
>
> > diff --git a/t/t5584-http-429-retry.sh b/t/t5584-http-429-retry.sh
> > new file mode 100755
> > index 0000000000..8bcc382763
> > --- /dev/null
> > +++ b/t/t5584-http-429-retry.sh
> > @@ -0,0 +1,429 @@
> > +#!/bin/sh
> > +
> > +test_description='test HTTP 429 Too Many Requests retry logic'
> > +
> > +. ./test-lib.sh
> > +
> > +. "$TEST_DIRECTORY"/lib-httpd.sh
> > +
> > +start_httpd
> > +
> > +test_expect_success 'setup test repository' '
> > + test_commit initial &&
> > + git clone --bare . "$HTTPD_DOCUMENT_ROOT_PATH/repo.git" &&
> > + git --git-dir="$HTTPD_DOCUMENT_ROOT_PATH/repo.git" config http.receivepack true
> > +'
> > +
> > +test_expect_success 'HTTP 429 with retries disabled (maxRetries=0) fails immediately' '
> > + write_script "$HTTPD_ROOT_PATH/one-time-script" <<-\EOF &&
> > + printf "Status: 429 Too Many Requests\r\n"
> > + printf "Retry-After: 1\r\n"
> > + printf "Content-Type: text/plain\r\n"
> > + printf "\r\n"
> > + printf "Rate limited\n"
> > + cat "$1" >/dev/null
> > + EOF
>
> To avoid having to write this script multiple write, you can write it as
> a separate script in t/lib-httpd and then make sure to list it in
> prepare_httpd() (from t/lib-httpd.sh).
>
> You can then list it in the apache.conf in the same directory and invoke
> it however you like. If you need to take in arguments to the script
> (e.g., to change the Retry-After value), you can use a ScriptAliasMatch
> instead of a normal ScriptAlias to pass in extra parameters from the URL.
>
> The one-time-script mechanism here will cause the test harness to delete
> the script after its first (and only) use, which can be useful for some
> cases but I suspect is not necessary for all of these tests.
> > +
> > + # Set maxRetries to 0 (disabled)
> > + test_config http.maxRetries 0 &&
> > + test_config http.retryAfter 1 &&
> > +
> > + # Should fail immediately without any retry attempt
> > + test_must_fail git ls-remote "$HTTPD_URL/one_time_script/repo.git" 2>err &&
> > +
> > + # Verify no retry happened (no "waiting" message in stderr)
> > + ! grep -i "waiting.*retry" err &&
>
> test_grep can be helpful when reading the output of test failures, since
> it dumps the contents of the file it was searching. Just make sure to
> write "test_grep !" instead of "! test_grep" (there are a few such
> instances of the latter that I just wrote patches to clean up).
>
> "! test_grep" isn't *wrong* per-se, but it will pollute the test output
> with "couldn't find xyz in abc".
>
> I skimmed through the the remainder of the tests since I imagine that
> they will change substantially after writing the script out explicitly
> instead of using one-time-script, so I'll hold off on reviewing that
> portion in more detail until then.
>
> Thanks,
> Taylor
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH v2 0/2] http: add support for HTTP 429 rate limit retries
2025-11-26 12:30 [PATCH 0/3] http: add support for HTTP 429 rate limit retries Vaidas Pilkauskas via GitGitGadget
` (2 preceding siblings ...)
2025-11-26 12:30 ` [PATCH 3/3] http: add trace2 logging for retry operations Vaidas Pilkauskas via GitGitGadget
@ 2025-12-18 14:44 ` Vaidas Pilkauskas via GitGitGadget
2025-12-18 14:44 ` [PATCH v2 1/2] " Vaidas Pilkauskas via GitGitGadget
` (2 more replies)
3 siblings, 3 replies; 49+ messages in thread
From: Vaidas Pilkauskas via GitGitGadget @ 2025-12-18 14:44 UTC (permalink / raw)
To: git; +Cc: Taylor Blau, Vaidas Pilkauskas
Changes since v1:
* removed configuration options from commit message
* marked "rate limited by %s ..." message for translation in http-push.c
* dropped redundant comments from retry configuration variables
* renamed "fwrite_wwwauth" to "fwrite_headers". Due to complexity related
with header continuation handling, I've decide not to split into header
specific functions.
* rewritten the sleep logic into non-blocking handling, so that the rest of
the slots can be processed at the time retry delay is requested
* renamed "http_request_reauth" to "http_request_recoverable" to better
reflect that it does not only reauth , but also other recoverable
handling
* updated test setup code to use setup script to reduce repetition in the
test code
* updated to use test_grep instead of grep
* dropped memory leak fix patch in afvor to rename of the
"show_http_message" to "show_http_message_fatal".
* Adjusted alloc size in "strbuf_reencode" for "strbuf_attach" call, which
seems to solve the leak problem
The implementation includes:
Patch 1: Core HTTP 429 retry logic with support for RFC-compliant
Retry-After headers (both delay-seconds and HTTP-date formats),
comprehensive configuration options, and fail-fast behavior for excessive
delays. Includes extensive test coverage.
Patch 2: Adds trace2 instrumentation to enable monitoring and debugging of
retry operations in production environments.
Vaidas Pilkauskas (2):
http: add support for HTTP 429 rate limit retries
http: add trace2 logging for retry operations
Documentation/config/http.adoc | 24 +++
http-push.c | 8 +
http-walker.c | 5 +
http.c | 321 +++++++++++++++++++++++++++++----
http.h | 4 +
remote-curl.c | 49 +++--
strbuf.c | 2 +-
t/lib-httpd.sh | 1 +
t/lib-httpd/apache.conf | 8 +
t/lib-httpd/http-429.sh | 98 ++++++++++
t/meson.build | 1 +
t/t5584-http-429-retry.sh | 286 +++++++++++++++++++++++++++++
12 files changed, 750 insertions(+), 57 deletions(-)
create mode 100644 t/lib-httpd/http-429.sh
create mode 100755 t/t5584-http-429-retry.sh
base-commit: c4a0c8845e2426375ad257b6c221a3a7d92ecfda
Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-2008%2Fvaidas-shopify%2Fretry-after-v2
Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-2008/vaidas-shopify/retry-after-v2
Pull-Request: https://github.com/gitgitgadget/git/pull/2008
Range-diff vs v1:
1: ae0087cd1c ! 1: d80ce07703 http: add support for HTTP 429 rate limit retries
@@ Commit message
both delay-seconds (integer) and HTTP-date (RFC 2822) formats. If a
past date is provided, Git retries immediately without waiting.
- Retry behavior is controlled by three new configuration options:
-
- * http.maxRetries: Maximum number of retry attempts (default: 0,
- meaning retries are disabled by default). Users must explicitly
- opt-in to retry behavior.
-
- * http.retryAfter: Default delay in seconds when the server doesn't
- provide a Retry-After header (default: -1, meaning fail if no
- header is provided). This serves as a fallback mechanism.
-
- * http.maxRetryTime: Maximum delay in seconds for a single retry
- (default: 300). If the server requests a delay exceeding this
- limit, Git fails immediately rather than waiting. This prevents
- indefinite blocking on unreasonable server requests.
-
- All three options can be overridden via environment variables:
- GIT_HTTP_MAX_RETRIES, GIT_HTTP_RETRY_AFTER, and
- GIT_HTTP_MAX_RETRY_TIME.
+ Retry behavior is controlled by three new configuration options
+ (http.maxRetries, http.retryAfter, and http.maxRetryTime) which are
+ documented in git-config(1).
The retry logic implements a fail-fast approach: if any delay
(whether from server header or configuration) exceeds maxRetryTime,
@@ http-push.c: static int fetch_indices(void)
ret = 0;
break;
+ case HTTP_RATE_LIMITED:
-+ error("rate limited by '%s', please try again later", repo->url);
++ error(_("rate limited by '%s', please try again later"), repo->url);
+ ret = -1;
+ break;
default:
@@ http-push.c: static int remote_exists(const char *path)
ret = 0;
break;
+ case HTTP_RATE_LIMITED:
-+ error("rate limited by '%s', please try again later", url);
++ error(_("rate limited by '%s', please try again later"), url);
+ ret = -1;
+ break;
case HTTP_ERROR:
@@ http.c: static char *cached_accept_language;
static int http_schannel_check_revoke = 1;
+
-+/* Retry configuration */
-+static long http_retry_after = -1; /* Default retry-after in seconds when header is missing (-1 means not set, exit with 128) */
-+static long http_max_retries = 0; /* Maximum number of retry attempts (0 means retries are disabled) */
-+static long http_max_retry_time = 300; /* Maximum time to wait for a single retry (default 5 minutes) */
++static long http_retry_after = -1;
++static long http_max_retries = 0;
++static long http_max_retry_time = 300;
+
-+/* Store retry_after value from 429 responses for retry logic (-1 = not set, 0 = retry immediately, >0 = delay in seconds) */
-+static long last_retry_after = -1;
/*
* With the backend being set to `schannel`, setting sslCAinfo would override
* the Certificate Store in cURL v7.60.0 and later, which is not what we want
@@ http.c: static inline int is_hdr_continuation(const char *ptr, const size_t size
}
-static size_t fwrite_wwwauth(char *ptr, size_t eltsize, size_t nmemb, void *p UNUSED)
-+static size_t fwrite_wwwauth(char *ptr, size_t eltsize, size_t nmemb, void *p)
++static size_t fwrite_headers(char *ptr, size_t eltsize, size_t nmemb, void *p)
{
size_t size = eltsize * nmemb;
struct strvec *values = &http_auth.wwwauth_headers;
@@ http.c: void http_init(struct remote *remote, const char *url, int proactive_aut
curl_default = get_curl_handle();
}
+@@ http.c: struct active_request_slot *get_active_slot(void)
+ slot->finished = NULL;
+ slot->callback_data = NULL;
+ slot->callback_func = NULL;
++ slot->retry_delay_seconds = -1;
++ memset(&slot->retry_delay_start, 0, sizeof(slot->retry_delay_start));
+
+ if (curl_cookie_file && !strcmp(curl_cookie_file, "-")) {
+ warning(_("refusing to read cookies from http.cookiefile '-'"));
+@@ http.c: void run_active_slot(struct active_request_slot *slot)
+ fd_set excfds;
+ int max_fd;
+ struct timeval select_timeout;
++ long curl_timeout;
++ struct timeval start_time = {0}, current_time, elapsed_time = {0};
++ long remaining_seconds;
+ int finished = 0;
++ int slot_not_started = (slot->finished == NULL);
++ int waiting_for_delay = (slot->retry_delay_seconds > 0);
++
++ if (waiting_for_delay) {
++ warning(_("rate limited, waiting %ld seconds before retry"), slot->retry_delay_seconds);
++ start_time = slot->retry_delay_start;
++ }
+
+ slot->finished = &finished;
+- while (!finished) {
++ while (waiting_for_delay || !finished) {
++ if (waiting_for_delay) {
++ gettimeofday(¤t_time, NULL);
++ elapsed_time.tv_sec = current_time.tv_sec - start_time.tv_sec;
++ elapsed_time.tv_usec = current_time.tv_usec - start_time.tv_usec;
++ if (elapsed_time.tv_usec < 0) {
++ elapsed_time.tv_sec--;
++ elapsed_time.tv_usec += 1000000;
++ }
++
++ if (elapsed_time.tv_sec >= slot->retry_delay_seconds) {
++ slot->retry_delay_seconds = -1;
++ waiting_for_delay = 0;
++
++ if (slot_not_started)
++ return;
++ }
++ }
++
+ step_active_slots();
+
+- if (slot->in_use) {
+- long curl_timeout;
+- curl_multi_timeout(curlm, &curl_timeout);
+- if (curl_timeout == 0) {
++ if (!waiting_for_delay && !slot->in_use)
++ continue;
++
++ curl_multi_timeout(curlm, &curl_timeout);
++ if (curl_timeout == 0) {
++ if (!waiting_for_delay)
+ continue;
+- } else if (curl_timeout == -1) {
+- select_timeout.tv_sec = 0;
+- select_timeout.tv_usec = 50000;
++ select_timeout.tv_sec = 0;
++ select_timeout.tv_usec = 50000; /* 50ms */
++ } else if (curl_timeout == -1) {
++ select_timeout.tv_sec = 0;
++ select_timeout.tv_usec = 50000;
++ } else {
++ long curl_timeout_sec = curl_timeout / 1000;
++ long curl_timeout_usec = (curl_timeout % 1000) * 1000;
++
++ if (waiting_for_delay) {
++ remaining_seconds = slot->retry_delay_seconds - elapsed_time.tv_sec;
++ if (curl_timeout_sec < remaining_seconds) {
++ select_timeout.tv_sec = curl_timeout_sec;
++ select_timeout.tv_usec = curl_timeout_usec;
++ } else {
++ select_timeout.tv_sec = remaining_seconds;
++ select_timeout.tv_usec = 0;
++ }
+ } else {
+- select_timeout.tv_sec = curl_timeout / 1000;
+- select_timeout.tv_usec = (curl_timeout % 1000) * 1000;
++ select_timeout.tv_sec = curl_timeout_sec;
++ select_timeout.tv_usec = curl_timeout_usec;
+ }
++ }
+
+- max_fd = -1;
+- FD_ZERO(&readfds);
+- FD_ZERO(&writefds);
+- FD_ZERO(&excfds);
+- curl_multi_fdset(curlm, &readfds, &writefds, &excfds, &max_fd);
++ max_fd = -1;
++ FD_ZERO(&readfds);
++ FD_ZERO(&writefds);
++ FD_ZERO(&excfds);
++ curl_multi_fdset(curlm, &readfds, &writefds, &excfds, &max_fd);
+
+- /*
+- * It can happen that curl_multi_timeout returns a pathologically
+- * long timeout when curl_multi_fdset returns no file descriptors
+- * to read. See commit message for more details.
+- */
+- if (max_fd < 0 &&
+- (select_timeout.tv_sec > 0 ||
+- select_timeout.tv_usec > 50000)) {
+- select_timeout.tv_sec = 0;
+- select_timeout.tv_usec = 50000;
+- }
++ /*
++ * It can happen that curl_multi_timeout returns a pathologically
++ * long timeout when curl_multi_fdset returns no file descriptors
++ * to read. See commit message for more details.
++ */
++ if (max_fd < 0 &&
++ (select_timeout.tv_sec > 0 ||
++ select_timeout.tv_usec > 50000)) {
++ select_timeout.tv_sec = 0;
++ select_timeout.tv_usec = 50000;
++ }
+
+- select(max_fd+1, &readfds, &writefds, &excfds, &select_timeout);
++ /*
++ * If curl_multi_fdset returns no file descriptors but we have
++ * a timeout, still use select() to wait for the timeout period.
++ */
++ if (max_fd < 0) {
++ /* No file descriptors, just wait for timeout */
++ select(0, NULL, NULL, NULL, &select_timeout);
++ } else {
++ select(max_fd + 1, &readfds, &writefds, &excfds, &select_timeout);
+ }
+ }
+
@@ http.c: static int handle_curl_result(struct slot_results *results)
}
return HTTP_REAUTH;
}
+ } else if (results->http_code == 429) {
-+ /* Store the retry_after value for use in retry logic */
-+ last_retry_after = results->retry_after;
+ return HTTP_RATE_LIMITED;
} else {
if (results->http_connectcode == 407)
@@ http.c: int run_one_slot(struct active_request_slot *slot,
slot->results = results;
+ /* Initialize retry_after to -1 (not set) */
+ results->retry_after = -1;
++
++ /* If there's a retry delay, wait for it before starting the slot */
++ if (slot->retry_delay_seconds > 0) {
++ run_active_slot(slot);
++ }
++
if (!start_active_slot(slot)) {
xsnprintf(curl_errorstr, sizeof(curl_errorstr),
"failed to start HTTP request");
+@@ http.c: static void http_opt_request_remainder(CURL *curl, off_t pos)
+ #define HTTP_REQUEST_STRBUF 0
+ #define HTTP_REQUEST_FILE 1
+
++static void sleep_for_retry(struct active_request_slot *slot, long retry_after);
++
+ static int http_request(const char *url,
+ void *result, int target,
+- const struct http_get_options *options)
++ const struct http_get_options *options,
++ long *retry_after_out,
++ long retry_delay)
+ {
+ struct active_request_slot *slot;
+ struct slot_results results;
@@ http.c: static int http_request(const char *url,
+ int ret;
+
+ slot = get_active_slot();
++ /* Mark slot for delay if retry delay is provided */
++ if (retry_delay > 0) {
++ sleep_for_retry(slot, retry_delay);
++ }
+ curl_easy_setopt(slot->curl, CURLOPT_HTTPGET, 1L);
+
+ if (!result) {
+@@ http.c: static int http_request(const char *url,
+ fwrite_buffer);
}
- curl_easy_setopt(slot->curl, CURLOPT_HEADERFUNCTION, fwrite_wwwauth);
+- curl_easy_setopt(slot->curl, CURLOPT_HEADERFUNCTION, fwrite_wwwauth);
++ curl_easy_setopt(slot->curl, CURLOPT_HEADERFUNCTION, fwrite_headers);
+ curl_easy_setopt(slot->curl, CURLOPT_HEADERDATA, slot);
accept_language = http_get_accept_language_header();
+@@ http.c: static int http_request(const char *url,
+
+ ret = run_one_slot(slot, &results);
+
++ /* Store retry_after from slot results if output parameter provided */
++ if (retry_after_out)
++ *retry_after_out = results.retry_after;
++
+ if (options && options->content_type) {
+ struct strbuf raw = STRBUF_INIT;
+ curlinfo_strbuf(slot->curl, CURLINFO_CONTENT_TYPE, &raw);
@@ http.c: static int update_url_from_redirect(struct strbuf *base,
return 1;
}
+-static int http_request_reauth(const char *url,
+/*
-+ * Sleep for the specified number of seconds before retrying.
++ * Mark slot to be delayed for retry. The actual delay will be handled
++ * in run_active_slot when the slot is executed.
+ */
-+static void sleep_for_retry(long retry_after)
++static void sleep_for_retry(struct active_request_slot *slot, long retry_after)
+{
-+ if (retry_after > 0) {
-+ unsigned int remaining;
++ if (retry_after > 0 && slot) {
+ warning(_("rate limited, waiting %ld seconds before retry"), retry_after);
-+ remaining = sleep(retry_after);
-+ while (remaining > 0) {
-+ /* Sleep was interrupted, continue sleeping */
-+ remaining = sleep(remaining);
++ slot->retry_delay_seconds = retry_after;
++ gettimeofday(&slot->retry_delay_start, NULL);
++ }
++}
++
++/*
++ * Handle rate limiting retry logic for HTTP 429 responses.
++ * Uses slot-specific retry_after value to support concurrent slots.
++ * Returns a negative value if retries are exhausted or configuration is invalid,
++ * otherwise returns the delay value (>= 0) to indicate the retry should proceed.
++ */
++static long handle_rate_limit_retry(int *rate_limit_retries, long slot_retry_after)
++{
++ int retry_attempt = http_max_retries - *rate_limit_retries + 1;
++ if (*rate_limit_retries <= 0) {
++ /* Retries are disabled or exhausted */
++ if (http_max_retries > 0) {
++ error(_("too many rate limit retries, giving up"));
++ }
++ return -1;
++ }
++
++ /* Decrement retries counter */
++ (*rate_limit_retries)--;
++
++ /* Use the slot-specific retry_after value or configured default */
++ if (slot_retry_after >= 0) {
++ /* Check if retry delay exceeds maximum allowed */
++ if (slot_retry_after > http_max_retry_time) {
++ error(_("rate limited (HTTP 429) requested %ld second delay, "
++ "exceeds http.maxRetryTime of %ld seconds"),
++ slot_retry_after, http_max_retry_time);
++ return -1;
++ }
++ return slot_retry_after;
++ } else {
++ /* No Retry-After header provided */
++ if (http_retry_after < 0) {
++ /* Not configured - exit with error */
++ error(_("rate limited (HTTP 429) and no Retry-After header provided. "
++ "Configure http.retryAfter or set GIT_HTTP_RETRY_AFTER."));
++ return -1;
+ }
++ /* Check if configured default exceeds maximum allowed */
++ if (http_retry_after > http_max_retry_time) {
++ error(_("configured http.retryAfter (%ld seconds) exceeds "
++ "http.maxRetryTime (%ld seconds)"),
++ http_retry_after, http_max_retry_time);
++ return -1;
++ }
++
++ return http_retry_after;
+ }
+}
+
- static int http_request_reauth(const char *url,
++static int http_request_recoverable(const char *url,
void *result, int target,
struct http_get_options *options)
{
int i = 3;
int ret;
+ int rate_limit_retries = http_max_retries;
++ long slot_retry_after = -1; /* Per-slot retry_after value */
if (always_auth_proactively())
credential_fill(the_repository, &http_auth, 1);
- ret = http_request(url, result, target, options);
+- ret = http_request(url, result, target, options);
++ ret = http_request(url, result, target, options, &slot_retry_after, -1);
- if (ret != HTTP_OK && ret != HTTP_REAUTH)
+ if (ret != HTTP_OK && ret != HTTP_REAUTH && ret != HTTP_RATE_LIMITED)
return ret;
++ /* If retries are disabled and we got a 429, fail immediately */
++ if (ret == HTTP_RATE_LIMITED && http_max_retries == 0)
++ return HTTP_ERROR;
++
if (options && options->effective_url && options->base_url) {
+ if (update_url_from_redirect(options->base_url,
+ url, options->effective_url)) {
@@ http.c: static int http_request_reauth(const char *url,
}
}
- while (ret == HTTP_REAUTH && --i) {
+ while ((ret == HTTP_REAUTH || ret == HTTP_RATE_LIMITED) && --i) {
++ long retry_delay = -1;
/*
* The previous request may have put cruft into our output stream; we
* should clear it out before making our next request.
@@ http.c: static int http_request_reauth(const char *url,
+ default:
BUG("Unknown http_request target");
}
-
-- credential_fill(the_repository, &http_auth, 1);
+ if (ret == HTTP_RATE_LIMITED) {
-+ /* Handle rate limiting with retry logic */
-+ int retry_attempt = http_max_retries - rate_limit_retries + 1;
-+
-+ if (rate_limit_retries <= 0) {
-+ /* Retries are disabled or exhausted */
-+ if (http_max_retries > 0) {
-+ error(_("too many rate limit retries, giving up"));
-+ }
++ retry_delay = handle_rate_limit_retry(&rate_limit_retries, slot_retry_after);
++ if (retry_delay < 0)
+ return HTTP_ERROR;
-+ }
-+
-+ /* Decrement retries counter */
-+ rate_limit_retries--;
-+
-+ /* Use the stored retry_after value or configured default */
-+ if (last_retry_after >= 0) {
-+ /* Check if retry delay exceeds maximum allowed */
-+ if (last_retry_after > http_max_retry_time) {
-+ error(_("rate limited (HTTP 429) requested %ld second delay, "
-+ "exceeds http.maxRetryTime of %ld seconds"),
-+ last_retry_after, http_max_retry_time);
-+ last_retry_after = -1; /* Reset after use */
-+ return HTTP_ERROR;
-+ }
-+ sleep_for_retry(last_retry_after);
-+ last_retry_after = -1; /* Reset after use */
-+ } else {
-+ /* No Retry-After header provided */
-+ if (http_retry_after < 0) {
-+ /* Not configured - exit with error */
-+ error(_("rate limited (HTTP 429) and no Retry-After header provided. "
-+ "Configure http.retryAfter or set GIT_HTTP_RETRY_AFTER."));
-+ return HTTP_ERROR;
-+ }
-+ /* Check if configured default exceeds maximum allowed */
-+ if (http_retry_after > http_max_retry_time) {
-+ error(_("configured http.retryAfter (%ld seconds) exceeds "
-+ "http.maxRetryTime (%ld seconds)"),
-+ http_retry_after, http_max_retry_time);
-+ return HTTP_ERROR;
-+ }
-+ /* Use configured default retry-after value */
-+ sleep_for_retry(http_retry_after);
-+ }
++ slot_retry_after = -1; /* Reset after use */
+ } else if (ret == HTTP_REAUTH) {
+ credential_fill(the_repository, &http_auth, 1);
+ }
- ret = http_request(url, result, target, options);
+- credential_fill(the_repository, &http_auth, 1);
+-
+- ret = http_request(url, result, target, options);
++ ret = http_request(url, result, target, options, &slot_retry_after, retry_delay);
}
+ return ret;
+ }
+@@ http.c: int http_get_strbuf(const char *url,
+ struct strbuf *result,
+ struct http_get_options *options)
+ {
+- return http_request_reauth(url, result, HTTP_REQUEST_STRBUF, options);
++ return http_request_recoverable(url, result, HTTP_REQUEST_STRBUF, options);
+ }
+
+ /*
+@@ http.c: int http_get_file(const char *url, const char *filename,
+ goto cleanup;
+ }
+
+- ret = http_request_reauth(url, result, HTTP_REQUEST_FILE, options);
++ ret = http_request_recoverable(url, result, HTTP_REQUEST_FILE, options);
+ fclose(result);
+
+ if (ret == HTTP_OK && finalize_object_file(the_repository, tmpfile.buf, filename))
## http.h ##
@@ http.h: struct slot_results {
@@ http.h: struct slot_results {
};
struct active_request_slot {
+@@ http.h: struct active_request_slot {
+ void *callback_data;
+ void (*callback_func)(void *data);
+ struct active_request_slot *next;
++ long retry_delay_seconds;
++ struct timeval retry_delay_start;
+ };
+
+ struct buffer {
@@ http.h: struct http_get_options {
#define HTTP_REAUTH 4
#define HTTP_NOAUTH 5
@@ http.h: struct http_get_options {
* Requests a URL and stores the result in a strbuf.
## remote-curl.c ##
+@@ remote-curl.c: static void free_discovery(struct discovery *d)
+ }
+ }
+
+-static int show_http_message(struct strbuf *type, struct strbuf *charset,
+- struct strbuf *msg)
++static NORETURN void show_http_message_fatal(struct strbuf *type, struct strbuf *charset,
++ struct strbuf *msg, const char *fmt, ...)
+ {
+ const char *p, *eol;
++ va_list ap;
++ report_fn die_message_routine = get_die_message_routine();
+
+ /*
+ * We only show text/plain parts, as other types are likely
+ * to be ugly to look at on the user's terminal.
+ */
+ if (strcmp(type->buf, "text/plain"))
+- return -1;
++ goto out;
+ if (charset->len)
+ strbuf_reencode(msg, charset->buf, get_log_output_encoding());
+
+ strbuf_trim(msg);
+ if (!msg->len)
+- return -1;
++ goto out;
+
+ p = msg->buf;
+ do {
+@@ remote-curl.c: static int show_http_message(struct strbuf *type, struct strbuf *charset,
+ fprintf(stderr, "remote: %.*s\n", (int)(eol - p), p);
+ p = eol + 1;
+ } while(*eol);
+- return 0;
++
++out:
++ strbuf_release(type);
++ strbuf_release(charset);
++ strbuf_release(msg);
++
++ va_start(ap, fmt);
++ die_message_routine(fmt, ap);
++ va_end(ap);
++ exit(128);
+ }
+
+ static int get_protocol_http_header(enum protocol_version version,
@@ remote-curl.c: static struct discovery *discover_refs(const char *service, int for_push)
- show_http_message(&type, &charset, &buffer);
- die(_("unable to access '%s' with http.pinnedPubkey configuration: %s"),
- transport_anonymize_url(url.buf), curl_errorstr);
+ case HTTP_OK:
+ break;
+ case HTTP_MISSING_TARGET:
+- show_http_message(&type, &charset, &buffer);
+- die(_("repository '%s' not found"),
+- transport_anonymize_url(url.buf));
++ show_http_message_fatal(&type, &charset, &buffer,
++ _("repository '%s' not found"),
++ transport_anonymize_url(url.buf));
+ case HTTP_NOAUTH:
+- show_http_message(&type, &charset, &buffer);
+- die(_("Authentication failed for '%s'"),
+- transport_anonymize_url(url.buf));
++ show_http_message_fatal(&type, &charset, &buffer,
++ _("Authentication failed for '%s'"),
++ transport_anonymize_url(url.buf));
+ case HTTP_NOMATCHPUBLICKEY:
+- show_http_message(&type, &charset, &buffer);
+- die(_("unable to access '%s' with http.pinnedPubkey configuration: %s"),
+- transport_anonymize_url(url.buf), curl_errorstr);
++ show_http_message_fatal(&type, &charset, &buffer,
++ _("unable to access '%s' with http.pinnedPubkey configuration: %s"),
++ transport_anonymize_url(url.buf), curl_errorstr);
+ case HTTP_RATE_LIMITED:
-+ show_http_message(&type, &charset, &buffer);
-+ die(_("rate limited by '%s', please try again later"),
-+ transport_anonymize_url(url.buf));
++ show_http_message_fatal(&type, &charset, &buffer,
++ _("rate limited by '%s', please try again later"),
++ transport_anonymize_url(url.buf));
default:
- show_http_message(&type, &charset, &buffer);
- die(_("unable to access '%s': %s"),
+- show_http_message(&type, &charset, &buffer);
+- die(_("unable to access '%s': %s"),
+- transport_anonymize_url(url.buf), curl_errorstr);
++ show_http_message_fatal(&type, &charset, &buffer,
++ _("unable to access '%s': %s"),
++ transport_anonymize_url(url.buf), curl_errorstr);
+ }
+
+ if (options.verbosity && !starts_with(refs_url.buf, url.buf)) {
+
+ ## strbuf.c ##
+@@ strbuf.c: int strbuf_reencode(struct strbuf *sb, const char *from, const char *to)
+ if (!out)
+ return -1;
+
+- strbuf_attach(sb, out, len, len);
++ strbuf_attach(sb, out, len, len + 1);
+ return 0;
+ }
+
+
+ ## t/lib-httpd.sh ##
+@@ t/lib-httpd.sh: prepare_httpd() {
+ install_script error.sh
+ install_script apply-one-time-script.sh
+ install_script nph-custom-auth.sh
++ install_script http-429.sh
+
+ ln -s "$LIB_HTTPD_MODULE_PATH" "$HTTPD_ROOT_PATH/modules"
+
+
+ ## t/lib-httpd/apache.conf ##
+@@ t/lib-httpd/apache.conf: SetEnv PERL_PATH ${PERL_PATH}
+ SetEnv GIT_EXEC_PATH ${GIT_EXEC_PATH}
+ SetEnv GIT_HTTP_EXPORT_ALL
+ </LocationMatch>
++<LocationMatch /http_429/>
++ SetEnv GIT_EXEC_PATH ${GIT_EXEC_PATH}
++ SetEnv GIT_HTTP_EXPORT_ALL
++</LocationMatch>
+ <LocationMatch /smart_v0/>
+ SetEnv GIT_EXEC_PATH ${GIT_EXEC_PATH}
+ SetEnv GIT_HTTP_EXPORT_ALL
+@@ t/lib-httpd/apache.conf: ScriptAlias /broken_smart/ broken-smart-http.sh/
+ ScriptAlias /error_smart/ error-smart-http.sh/
+ ScriptAlias /error/ error.sh/
+ ScriptAliasMatch /one_time_script/(.*) apply-one-time-script.sh/$1
++ScriptAliasMatch /http_429/(.*) http-429.sh/$1
+ ScriptAliasMatch /custom_auth/(.*) nph-custom-auth.sh/$1
+ <Directory ${GIT_EXEC_PATH}>
+ Options FollowSymlinks
+@@ t/lib-httpd/apache.conf: ScriptAliasMatch /custom_auth/(.*) nph-custom-auth.sh/$1
+ <Files apply-one-time-script.sh>
+ Options ExecCGI
+ </Files>
++<Files http-429.sh>
++ Options ExecCGI
++</Files>
+ <Files ${GIT_EXEC_PATH}/git-http-backend>
+ Options ExecCGI
+ </Files>
+
+ ## t/lib-httpd/http-429.sh (new) ##
+@@
++#!/bin/sh
++
++# Script to return HTTP 429 Too Many Requests responses for testing retry logic.
++# Usage: /http_429/<test-context>/<retry-after-value>/<repo-path>
++#
++# The test-context is a unique identifier for each test to isolate state files.
++# The retry-after-value can be:
++# - A number (e.g., "1", "2", "100") - sets Retry-After header to that many seconds
++# - "none" - no Retry-After header
++# - "invalid" - invalid Retry-After format
++# - "permanent" - always return 429 (never succeed)
++# - An HTTP-date string (RFC 2822 format) - sets Retry-After to that date
++#
++# On first call, returns 429. On subsequent calls (after retry), forwards to git-http-backend
++# unless retry-after-value is "permanent".
++
++# Extract test context, retry-after value and repo path from PATH_INFO
++# PATH_INFO format: /<test-context>/<retry-after-value>/<repo-path>
++path_info="${PATH_INFO#/}" # Remove leading slash
++test_context="${path_info%%/*}" # Get first component (test context)
++remaining="${path_info#*/}" # Get rest
++retry_after="${remaining%%/*}" # Get second component (retry-after value)
++repo_path="${remaining#*/}" # Get rest (repo path)
++
++# Extract repository name from repo_path (e.g., "repo.git" from "repo.git/info/refs")
++# The repo name is the first component before any "/"
++repo_name="${repo_path%%/*}"
++
++# Use current directory (HTTPD_ROOT_PATH) for state file
++# Create a safe filename from test_context, retry_after and repo_name
++# This ensures all requests for the same test context share the same state file
++safe_name=$(echo "${test_context}-${retry_after}-${repo_name}" | tr '/' '_' | tr -cd 'a-zA-Z0-9_-')
++state_file="http-429-state-${safe_name}"
++
++# Check if this is the first call (no state file exists)
++if test -f "$state_file"
++then
++ # Already returned 429 once, forward to git-http-backend
++ # Set PATH_INFO to just the repo path (without retry-after value)
++ # Set GIT_PROJECT_ROOT so git-http-backend can find the repository
++ # Use exec to replace this process so git-http-backend gets the updated environment
++ PATH_INFO="/$repo_path"
++ export PATH_INFO
++ # GIT_PROJECT_ROOT points to the document root where repositories are stored
++ # The script runs from HTTPD_ROOT_PATH, and www/ is the document root
++ if test -z "$GIT_PROJECT_ROOT"
++ then
++ # Construct path: current directory (HTTPD_ROOT_PATH) + /www
++ GIT_PROJECT_ROOT="$(pwd)/www"
++ export GIT_PROJECT_ROOT
++ fi
++ exec "$GIT_EXEC_PATH/git-http-backend"
++fi
++
++# Mark that we've returned 429
++touch "$state_file"
++
++# Output HTTP 429 response
++printf "Status: 429 Too Many Requests\r\n"
++
++# Set Retry-After header based on retry_after value
++case "$retry_after" in
++ none)
++ # No Retry-After header
++ ;;
++ invalid)
++ printf "Retry-After: invalid-format-123abc\r\n"
++ ;;
++ permanent)
++ # Always return 429, don't set state file for success
++ rm -f "$state_file"
++ printf "Retry-After: 1\r\n"
++ printf "Content-Type: text/plain\r\n"
++ printf "\r\n"
++ printf "Permanently rate limited\n"
++ exit 0
++ ;;
++ *)
++ # Check if it's a number
++ case "$retry_after" in
++ [0-9]*)
++ # Numeric value
++ printf "Retry-After: %s\r\n" "$retry_after"
++ ;;
++ *)
++ # Assume it's an HTTP-date format (passed as-is, URL decoded)
++ # Apache may URL-encode the path, so decode common URL-encoded characters
++ # %20 = space, %2C = comma, %3A = colon
++ retry_value=$(echo "$retry_after" | sed -e 's/%20/ /g' -e 's/%2C/,/g' -e 's/%3A/:/g')
++ printf "Retry-After: %s\r\n" "$retry_value"
++ ;;
++ esac
++ ;;
++esac
++
++printf "Content-Type: text/plain\r\n"
++printf "\r\n"
++printf "Rate limited\n"
## t/meson.build ##
@@ t/meson.build: integration_tests = [
@@ t/t5584-http-429-retry.sh (new)
+ git --git-dir="$HTTPD_DOCUMENT_ROOT_PATH/repo.git" config http.receivepack true
+'
+
-+test_expect_success 'HTTP 429 with retries disabled (maxRetries=0) fails immediately' '
-+ write_script "$HTTPD_ROOT_PATH/one-time-script" <<-\EOF &&
-+ printf "Status: 429 Too Many Requests\r\n"
-+ printf "Retry-After: 1\r\n"
-+ printf "Content-Type: text/plain\r\n"
-+ printf "\r\n"
-+ printf "Rate limited\n"
-+ cat "$1" >/dev/null
-+ EOF
++# This test suite uses a special HTTP 429 endpoint at /http_429/ that simulates
++# rate limiting. The endpoint format is:
++# /http_429/<test-context>/<retry-after-value>/<repo-path>
++# The http-429.sh script (in t/lib-httpd) returns a 429 response with the
++# specified Retry-After header on the first request for each test context,
++# then forwards subsequent requests to git-http-backend. Each test context
++# is isolated, allowing multiple tests to run independently.
+
++test_expect_success 'HTTP 429 with retries disabled (maxRetries=0) fails immediately' '
+ # Set maxRetries to 0 (disabled)
+ test_config http.maxRetries 0 &&
+ test_config http.retryAfter 1 &&
+
+ # Should fail immediately without any retry attempt
-+ test_must_fail git ls-remote "$HTTPD_URL/one_time_script/repo.git" 2>err &&
++ test_must_fail git ls-remote "$HTTPD_URL/http_429/retries-disabled/1/repo.git" 2>err &&
+
+ # Verify no retry happened (no "waiting" message in stderr)
-+ ! grep -i "waiting.*retry" err &&
-+
-+ # The one-time script will be consumed on first request (not a retry)
-+ test_path_is_missing "$HTTPD_ROOT_PATH/one-time-script"
++ test_grep ! -i "waiting.*retry" err
+'
+
+test_expect_success 'HTTP 429 permanent should fail after max retries' '
-+ # Install a permanent error script to prove retries are limited
-+ write_script "$HTTPD_ROOT_PATH/http-429-permanent.sh" <<-\EOF &&
-+ printf "Status: 429 Too Many Requests\r\n"
-+ printf "Retry-After: 1\r\n"
-+ printf "Content-Type: text/plain\r\n"
-+ printf "\r\n"
-+ printf "Permanently rate limited\n"
-+ EOF
-+
+ # Enable retries with a limit
+ test_config http.maxRetries 2 &&
+
+ # Git should retry but eventually fail when 429 persists
-+ test_must_fail git ls-remote "$HTTPD_URL/error/http-429-permanent.sh/repo.git" 2>err
++ test_must_fail git ls-remote "$HTTPD_URL/http_429/permanent-fail/permanent/repo.git" 2>err
+'
+
+test_expect_success 'HTTP 429 with Retry-After is retried and succeeds' '
-+ # Create a one-time script that returns 429 with Retry-After header
-+ # on the first request. Subsequent requests will succeed.
-+ # This contrasts with the permanent 429 above - proving retry works
-+ write_script "$HTTPD_ROOT_PATH/one-time-script" <<-\EOF &&
-+ # Return HTTP 429 response instead of git response
-+ printf "Status: 429 Too Many Requests\r\n"
-+ printf "Retry-After: 1\r\n"
-+ printf "Content-Type: text/plain\r\n"
-+ printf "\r\n"
-+ printf "Rate limited - please retry after 1 second\n"
-+ # Output something different from input so the script gets removed
-+ cat "$1" >/dev/null
-+ EOF
-+
+ # Enable retries
+ test_config http.maxRetries 3 &&
+
+ # Git should retry after receiving 429 and eventually succeed
-+ git ls-remote "$HTTPD_URL/one_time_script/repo.git" >output 2>err &&
-+ test_grep "refs/heads/" output &&
-+
-+ # The one-time script should have been consumed (proving retry happened)
-+ test_path_is_missing "$HTTPD_ROOT_PATH/one-time-script"
++ git ls-remote "$HTTPD_URL/http_429/retry-succeeds/1/repo.git" >output 2>err &&
++ test_grep "refs/heads/" output
+'
+
+test_expect_success 'HTTP 429 without Retry-After uses configured default' '
-+ write_script "$HTTPD_ROOT_PATH/one-time-script" <<-\EOF &&
-+ printf "Status: 429 Too Many Requests\r\n"
-+ printf "Content-Type: text/plain\r\n"
-+ printf "\r\n"
-+ printf "Rate limited - no retry info\n"
-+ cat "$1" >/dev/null
-+ EOF
-+
+ # Enable retries and configure default delay
+ test_config http.maxRetries 3 &&
+ test_config http.retryAfter 1 &&
+
+ # Git should retry using configured default and succeed
-+ git ls-remote "$HTTPD_URL/one_time_script/repo.git" >output 2>err &&
-+ test_grep "refs/heads/" output &&
-+ test_path_is_missing "$HTTPD_ROOT_PATH/one-time-script"
++ git ls-remote "$HTTPD_URL/http_429/no-retry-after-header/none/repo.git" >output 2>err &&
++ test_grep "refs/heads/" output
+'
+
+test_expect_success 'HTTP 429 retry delays are respected' '
-+ write_script "$HTTPD_ROOT_PATH/one-time-script" <<-\EOF &&
-+ printf "Status: 429 Too Many Requests\r\n"
-+ printf "Retry-After: 2\r\n"
-+ printf "Content-Type: text/plain\r\n"
-+ printf "\r\n"
-+ printf "Rate limited\n"
-+ cat "$1" >/dev/null
-+ EOF
-+
+ # Enable retries
+ test_config http.maxRetries 3 &&
+
+ # Time the operation - it should take at least 2 seconds due to retry delay
+ start=$(date +%s) &&
-+ git ls-remote "$HTTPD_URL/one_time_script/repo.git" >output 2>err &&
++ git ls-remote "$HTTPD_URL/http_429/retry-delays-respected/2/repo.git" >output 2>err &&
+ end=$(date +%s) &&
+ duration=$((end - start)) &&
+
+ # Verify it took at least 2 seconds (allowing some tolerance)
+ test "$duration" -ge 1 &&
-+ test_grep "refs/heads/" output &&
-+ test_path_is_missing "$HTTPD_ROOT_PATH/one-time-script"
++ test_grep "refs/heads/" output
+'
+
+test_expect_success 'HTTP 429 fails immediately if Retry-After exceeds http.maxRetryTime' '
-+ write_script "$HTTPD_ROOT_PATH/one-time-script" <<-\EOF &&
-+ printf "Status: 429 Too Many Requests\r\n"
-+ printf "Retry-After: 100\r\n"
-+ printf "Content-Type: text/plain\r\n"
-+ printf "\r\n"
-+ printf "Rate limited with long delay\n"
-+ cat "$1" >/dev/null
-+ EOF
-+
+ # Configure max retry time to 3 seconds (much less than requested 100)
+ test_config http.maxRetries 3 &&
+ test_config http.maxRetryTime 3 &&
+
+ # Should fail immediately without waiting
+ start=$(date +%s) &&
-+ test_must_fail git ls-remote "$HTTPD_URL/one_time_script/repo.git" 2>err &&
++ test_must_fail git ls-remote "$HTTPD_URL/http_429/retry-after-exceeds-max-time/100/repo.git" 2>err &&
+ end=$(date +%s) &&
+ duration=$((end - start)) &&
+
+ # Should fail quickly (less than 2 seconds, no 100 second wait)
+ test "$duration" -lt 2 &&
-+ test_grep "exceeds http.maxRetryTime" err &&
-+
-+ # The one-time script will be consumed on first request
-+ test_path_is_missing "$HTTPD_ROOT_PATH/one-time-script"
++ test_grep "exceeds http.maxRetryTime" err
+'
+
+test_expect_success 'HTTP 429 fails if configured http.retryAfter exceeds http.maxRetryTime' '
+ # Test misconfiguration: retryAfter > maxRetryTime
-+ write_script "$HTTPD_ROOT_PATH/one-time-script" <<-\EOF &&
-+ printf "Status: 429 Too Many Requests\r\n"
-+ printf "Content-Type: text/plain\r\n"
-+ printf "\r\n"
-+ printf "Rate limited without header\n"
-+ cat "$1" >/dev/null
-+ EOF
-+
+ # Configure retryAfter larger than maxRetryTime
+ test_config http.maxRetries 3 &&
+ test_config http.retryAfter 100 &&
@@ t/t5584-http-429-retry.sh (new)
+
+ # Should fail immediately with configuration error
+ start=$(date +%s) &&
-+ test_must_fail git ls-remote "$HTTPD_URL/one_time_script/repo.git" 2>err &&
++ test_must_fail git ls-remote "$HTTPD_URL/http_429/config-retry-after-exceeds-max-time/none/repo.git" 2>err &&
+ end=$(date +%s) &&
+ duration=$((end - start)) &&
+
@@ t/t5584-http-429-retry.sh (new)
+ test_done
+ fi &&
+
-+ write_script "$HTTPD_ROOT_PATH/one-time-script" <<-EOF &&
-+ printf "Status: 429 Too Many Requests\\r\\n"
-+ printf "Retry-After: $future_date\\r\\n"
-+ printf "Content-Type: text/plain\\r\\n"
-+ printf "\\r\\n"
-+ printf "Rate limited with HTTP-date\\n"
-+ cat "\$1" >/dev/null
-+ EOF
++ # URL-encode the date (replace spaces with %20)
++ future_date_encoded=$(echo "$future_date" | sed "s/ /%20/g") &&
+
+ # Enable retries
+ test_config http.maxRetries 3 &&
+
+ # Git should parse the HTTP-date and retry after the delay
+ start=$(date +%s) &&
-+ git ls-remote "$HTTPD_URL/one_time_script/repo.git" >output 2>err &&
++ git ls-remote "$HTTPD_URL/http_429/http-date-format/$future_date_encoded/repo.git" >output 2>err &&
+ end=$(date +%s) &&
+ duration=$((end - start)) &&
+
+ # Should take at least 1 second (allowing tolerance for processing time)
+ test "$duration" -ge 1 &&
-+ test_grep "refs/heads/" output &&
-+ test_path_is_missing "$HTTPD_ROOT_PATH/one-time-script"
++ test_grep "refs/heads/" output
+'
+
+test_expect_success 'HTTP 429 with HTTP-date exceeding maxRetryTime fails immediately' '
@@ t/t5584-http-429-retry.sh (new)
+ test_done
+ fi &&
+
-+ write_script "$HTTPD_ROOT_PATH/one-time-script" <<-EOF &&
-+ printf "Status: 429 Too Many Requests\\r\\n"
-+ printf "Retry-After: $future_date\\r\\n"
-+ printf "Content-Type: text/plain\\r\\n"
-+ printf "\\r\\n"
-+ printf "Rate limited with long HTTP-date\\n"
-+ cat "\$1" >/dev/null
-+ EOF
++ # URL-encode the date (replace spaces with %20)
++ future_date_encoded=$(echo "$future_date" | sed "s/ /%20/g") &&
+
+ # Configure max retry time much less than the 200 second delay
+ test_config http.maxRetries 3 &&
@@ t/t5584-http-429-retry.sh (new)
+
+ # Should fail immediately without waiting 200 seconds
+ start=$(date +%s) &&
-+ test_must_fail git ls-remote "$HTTPD_URL/one_time_script/repo.git" 2>err &&
++ test_must_fail git ls-remote "$HTTPD_URL/http_429/http-date-exceeds-max-time/$future_date_encoded/repo.git" 2>err &&
+ end=$(date +%s) &&
+ duration=$((end - start)) &&
+
+ # Should fail quickly (not wait 200 seconds)
+ test "$duration" -lt 2 &&
-+ test_grep "exceeds http.maxRetryTime" err &&
-+
-+ # The one-time script will be consumed on first request
-+ test_path_is_missing "$HTTPD_ROOT_PATH/one-time-script"
++ test_grep "exceeds http.maxRetryTime" err
+'
+
+test_expect_success 'HTTP 429 with past HTTP-date should not wait' '
@@ t/t5584-http-429-retry.sh (new)
+ test_done
+ fi &&
+
-+ write_script "$HTTPD_ROOT_PATH/one-time-script" <<-EOF &&
-+ printf "Status: 429 Too Many Requests\\r\\n"
-+ printf "Retry-After: $past_date\\r\\n"
-+ printf "Content-Type: text/plain\\r\\n"
-+ printf "\\r\\n"
-+ printf "Rate limited with past date\\n"
-+ cat "\$1" >/dev/null
-+ EOF
++ # URL-encode the date (replace spaces with %20)
++ past_date_encoded=$(echo "$past_date" | sed "s/ /%20/g") &&
+
+ # Enable retries
+ test_config http.maxRetries 3 &&
+
+ # Git should retry immediately without waiting
+ start=$(date +%s) &&
-+ git ls-remote "$HTTPD_URL/one_time_script/repo.git" >output 2>err &&
++ git ls-remote "$HTTPD_URL/http_429/past-http-date/$past_date_encoded/repo.git" >output 2>err &&
+ end=$(date +%s) &&
+ duration=$((end - start)) &&
+
+ # Should complete quickly (less than 2 seconds)
+ test "$duration" -lt 2 &&
-+ test_grep "refs/heads/" output &&
-+ test_path_is_missing "$HTTPD_ROOT_PATH/one-time-script"
++ test_grep "refs/heads/" output
+'
+
+test_expect_success 'HTTP 429 with invalid Retry-After format uses configured default' '
-+ write_script "$HTTPD_ROOT_PATH/one-time-script" <<-\EOF &&
-+ printf "Status: 429 Too Many Requests\r\n"
-+ printf "Retry-After: invalid-format-123abc\r\n"
-+ printf "Content-Type: text/plain\r\n"
-+ printf "\r\n"
-+ printf "Rate limited with malformed header\n"
-+ cat "$1" >/dev/null
-+ EOF
-+
+ # Configure default retry-after
+ test_config http.maxRetries 3 &&
+ test_config http.retryAfter 1 &&
+
+ # Should use configured default (1 second) since header is invalid
+ start=$(date +%s) &&
-+ git ls-remote "$HTTPD_URL/one_time_script/repo.git" >output 2>err &&
++ git ls-remote "$HTTPD_URL/http_429/invalid-retry-after-format/invalid/repo.git" >output 2>err &&
+ end=$(date +%s) &&
+ duration=$((end - start)) &&
+
+ # Should take at least 1 second (the configured default)
+ test "$duration" -ge 1 &&
+ test_grep "refs/heads/" output &&
-+ test_grep "waiting.*retry" err &&
-+ test_path_is_missing "$HTTPD_ROOT_PATH/one-time-script"
++ test_grep "waiting.*retry" err
+'
+
+test_expect_success 'HTTP 429 will not be retried without config' '
+ # Default config means http.maxRetries=0 (retries disabled)
+ # When 429 is received, it should fail immediately without retry
-+ write_script "$HTTPD_ROOT_PATH/one-time-script" <<-\EOF &&
-+ printf "Status: 429 Too Many Requests\r\n"
-+ printf "Retry-After: 1\r\n"
-+ printf "Content-Type: text/plain\r\n"
-+ printf "\r\n"
-+ printf "Rate limited\n"
-+ cat "$1" >/dev/null
-+ EOF
-+
+ # Do NOT configure anything - use defaults (http.maxRetries defaults to 0)
+
+ # Should fail immediately without retry
-+ test_must_fail git ls-remote "$HTTPD_URL/one_time_script/repo.git" 2>err &&
++ test_must_fail git ls-remote "$HTTPD_URL/http_429/no-retry-without-config/1/repo.git" 2>err &&
+
+ # Verify no retry happened (no "waiting" message)
-+ ! grep -i "waiting.*retry" err &&
++ test_grep ! -i "waiting.*retry" err &&
+
+ # Should get 429 error
-+ test_grep "429" err &&
-+
-+ # The one-time script should be consumed on first request
-+ test_path_is_missing "$HTTPD_ROOT_PATH/one-time-script"
++ test_grep "429" err
+'
+
+test_expect_success 'GIT_HTTP_RETRY_AFTER overrides http.retryAfter config' '
-+ write_script "$HTTPD_ROOT_PATH/one-time-script" <<-\EOF &&
-+ printf "Status: 429 Too Many Requests\r\n"
-+ printf "Content-Type: text/plain\r\n"
-+ printf "\r\n"
-+ printf "Rate limited - no Retry-After header\n"
-+ cat "$1" >/dev/null
-+ EOF
-+
+ # Configure retryAfter to 10 seconds
+ test_config http.maxRetries 3 &&
+ test_config http.retryAfter 10 &&
+
+ # Override with environment variable to 1 second
+ start=$(date +%s) &&
-+ GIT_HTTP_RETRY_AFTER=1 git ls-remote "$HTTPD_URL/one_time_script/repo.git" >output 2>err &&
++ GIT_HTTP_RETRY_AFTER=1 git ls-remote "$HTTPD_URL/http_429/env-retry-after-override/none/repo.git" >output 2>err &&
+ end=$(date +%s) &&
+ duration=$((end - start)) &&
+
@@ t/t5584-http-429-retry.sh (new)
+ test "$duration" -ge 1 &&
+ test "$duration" -lt 5 &&
+ test_grep "refs/heads/" output &&
-+ test_grep "waiting.*retry" err &&
-+ test_path_is_missing "$HTTPD_ROOT_PATH/one-time-script"
++ test_grep "waiting.*retry" err
+'
+
+test_expect_success 'GIT_HTTP_MAX_RETRIES overrides http.maxRetries config' '
-+ write_script "$HTTPD_ROOT_PATH/one-time-script" <<-\EOF &&
-+ printf "Status: 429 Too Many Requests\r\n"
-+ printf "Retry-After: 1\r\n"
-+ printf "Content-Type: text/plain\r\n"
-+ printf "\r\n"
-+ printf "Rate limited\n"
-+ cat "$1" >/dev/null
-+ EOF
-+
+ # Configure maxRetries to 0 (disabled)
+ test_config http.maxRetries 0 &&
+ test_config http.retryAfter 1 &&
+
+ # Override with environment variable to enable retries
-+ GIT_HTTP_MAX_RETRIES=3 git ls-remote "$HTTPD_URL/one_time_script/repo.git" >output 2>err &&
++ GIT_HTTP_MAX_RETRIES=3 git ls-remote "$HTTPD_URL/http_429/env-max-retries-override/1/repo.git" >output 2>err &&
+
+ # Should retry (env var enables it despite config saying disabled)
+ test_grep "refs/heads/" output &&
-+ test_grep "waiting.*retry" err &&
-+ test_path_is_missing "$HTTPD_ROOT_PATH/one-time-script"
++ test_grep "waiting.*retry" err
+'
+
+test_expect_success 'GIT_HTTP_MAX_RETRY_TIME overrides http.maxRetryTime config' '
-+ write_script "$HTTPD_ROOT_PATH/one-time-script" <<-\EOF &&
-+ printf "Status: 429 Too Many Requests\r\n"
-+ printf "Retry-After: 50\r\n"
-+ printf "Content-Type: text/plain\r\n"
-+ printf "\r\n"
-+ printf "Rate limited with long delay\n"
-+ cat "$1" >/dev/null
-+ EOF
-+
+ # Configure maxRetryTime to 100 seconds (would accept 50 second delay)
+ test_config http.maxRetries 3 &&
+ test_config http.maxRetryTime 100 &&
@@ t/t5584-http-429-retry.sh (new)
+ # Override with environment variable to 10 seconds (should reject 50 second delay)
+ start=$(date +%s) &&
+ test_must_fail env GIT_HTTP_MAX_RETRY_TIME=10 \
-+ git ls-remote "$HTTPD_URL/one_time_script/repo.git" 2>err &&
++ git ls-remote "$HTTPD_URL/http_429/env-max-retry-time-override/50/repo.git" 2>err &&
+ end=$(date +%s) &&
+ duration=$((end - start)) &&
+
+ # Should fail quickly (not wait 50 seconds) because env var limits to 10
+ test "$duration" -lt 5 &&
-+ test_grep "exceeds http.maxRetryTime" err &&
-+ test_path_is_missing "$HTTPD_ROOT_PATH/one-time-script"
++ test_grep "exceeds http.maxRetryTime" err
+'
+
+test_expect_success 'verify normal repository access still works' '
2: 4382237922 < -: ---------- remote-curl: fix memory leak in show_http_message()
3: adbcc0251f ! 2: ad4495fc94 http: add trace2 logging for retry operations
@@ http.c
static struct trace_key trace_curl = TRACE_KEY_INIT(CURL);
static int trace_curl_data = 1;
+@@ http.c: void run_active_slot(struct active_request_slot *slot)
+
+ if (waiting_for_delay) {
+ warning(_("rate limited, waiting %ld seconds before retry"), slot->retry_delay_seconds);
++ trace2_data_intmax("http", the_repository, "http/retry-sleep-seconds",
++ slot->retry_delay_seconds);
+ start_time = slot->retry_delay_start;
+ }
+
+@@ http.c: void run_active_slot(struct active_request_slot *slot)
+ }
+
+ if (elapsed_time.tv_sec >= slot->retry_delay_seconds) {
++ trace2_region_leave("http", "retry-sleep", the_repository);
+ slot->retry_delay_seconds = -1;
+ waiting_for_delay = 0;
+
@@ http.c: static int handle_curl_result(struct slot_results *results)
+ return HTTP_REAUTH;
+ }
} else if (results->http_code == 429) {
- /* Store the retry_after value for use in retry logic */
- last_retry_after = results->retry_after;
+ trace2_data_intmax("http", the_repository, "http/429-retry-after",
-+ last_retry_after);
++ results->retry_after);
return HTTP_RATE_LIMITED;
} else {
if (results->http_connectcode == 407)
-@@ http.c: static void sleep_for_retry(long retry_after)
- if (retry_after > 0) {
- unsigned int remaining;
- warning(_("rate limited, waiting %ld seconds before retry"), retry_after);
-+ trace2_region_enter("http", "retry-sleep", the_repository);
-+ trace2_data_intmax("http", the_repository, "http/retry-sleep-seconds",
-+ retry_after);
- remaining = sleep(retry_after);
- while (remaining > 0) {
- /* Sleep was interrupted, continue sleeping */
- remaining = sleep(remaining);
+@@ http.c: static void sleep_for_retry(struct active_request_slot *slot, long retry_after)
+ static long handle_rate_limit_retry(int *rate_limit_retries, long slot_retry_after)
+ {
+ int retry_attempt = http_max_retries - *rate_limit_retries + 1;
++
++ trace2_data_intmax("http", the_repository, "http/429-retry-attempt",
++ retry_attempt);
++
+ if (*rate_limit_retries <= 0) {
+ /* Retries are disabled or exhausted */
+ if (http_max_retries > 0) {
+ error(_("too many rate limit retries, giving up"));
++ trace2_data_string("http", the_repository,
++ "http/429-error", "retries-exhausted");
}
-+ trace2_region_leave("http", "retry-sleep", the_repository);
+ return -1;
}
- }
-
-@@ http.c: static int http_request_reauth(const char *url,
- /* Handle rate limiting with retry logic */
- int retry_attempt = http_max_retries - rate_limit_retries + 1;
-
-+ trace2_data_intmax("http", the_repository, "http/429-retry-attempt",
-+ retry_attempt);
-+
- if (rate_limit_retries <= 0) {
- /* Retries are disabled or exhausted */
- if (http_max_retries > 0) {
- error(_("too many rate limit retries, giving up"));
-+ trace2_data_string("http", the_repository,
-+ "http/429-error", "retries-exhausted");
- }
- return HTTP_ERROR;
- }
-@@ http.c: static int http_request_reauth(const char *url,
- error(_("rate limited (HTTP 429) requested %ld second delay, "
- "exceeds http.maxRetryTime of %ld seconds"),
- last_retry_after, http_max_retry_time);
-+ trace2_data_string("http", the_repository,
-+ "http/429-error", "exceeds-max-retry-time");
-+ trace2_data_intmax("http", the_repository,
-+ "http/429-requested-delay", last_retry_after);
- last_retry_after = -1; /* Reset after use */
- return HTTP_ERROR;
- }
-@@ http.c: static int http_request_reauth(const char *url,
- /* Not configured - exit with error */
- error(_("rate limited (HTTP 429) and no Retry-After header provided. "
- "Configure http.retryAfter or set GIT_HTTP_RETRY_AFTER."));
-+ trace2_data_string("http", the_repository,
-+ "http/429-error", "no-retry-after-config");
- return HTTP_ERROR;
- }
-- /* Check if configured default exceeds maximum allowed */
-- if (http_retry_after > http_max_retry_time) {
-- error(_("configured http.retryAfter (%ld seconds) exceeds "
-- "http.maxRetryTime (%ld seconds)"),
-- http_retry_after, http_max_retry_time);
-- return HTTP_ERROR;
-- }
-- /* Use configured default retry-after value */
-- sleep_for_retry(http_retry_after);
-+ /* Check if configured default exceeds maximum allowed */
-+ if (http_retry_after > http_max_retry_time) {
-+ error(_("configured http.retryAfter (%ld seconds) exceeds "
-+ "http.maxRetryTime (%ld seconds)"),
-+ http_retry_after, http_max_retry_time);
-+ trace2_data_string("http", the_repository,
-+ "http/429-error", "config-exceeds-max-retry-time");
-+ return HTTP_ERROR;
-+ }
-+ /* Use configured default retry-after value */
+@@ http.c: static long handle_rate_limit_retry(int *rate_limit_retries, long slot_retry_aft
+ error(_("rate limited (HTTP 429) requested %ld second delay, "
+ "exceeds http.maxRetryTime of %ld seconds"),
+ slot_retry_after, http_max_retry_time);
+ trace2_data_string("http", the_repository,
-+ "http/429-retry-source", "config-default");
-+ sleep_for_retry(http_retry_after);
- }
- } else if (ret == HTTP_REAUTH) {
- credential_fill(the_repository, &http_auth, 1);
++ "http/429-error", "exceeds-max-retry-time");
++ trace2_data_intmax("http", the_repository,
++ "http/429-requested-delay", slot_retry_after);
+ return -1;
+ }
+ return slot_retry_after;
+@@ http.c: static long handle_rate_limit_retry(int *rate_limit_retries, long slot_retry_aft
+ /* Not configured - exit with error */
+ error(_("rate limited (HTTP 429) and no Retry-After header provided. "
+ "Configure http.retryAfter or set GIT_HTTP_RETRY_AFTER."));
++ trace2_data_string("http", the_repository,
++ "http/429-error", "no-retry-after-config");
+ return -1;
+ }
+ /* Check if configured default exceeds maximum allowed */
+@@ http.c: static long handle_rate_limit_retry(int *rate_limit_retries, long slot_retry_aft
+ error(_("configured http.retryAfter (%ld seconds) exceeds "
+ "http.maxRetryTime (%ld seconds)"),
+ http_retry_after, http_max_retry_time);
++ trace2_data_string("http", the_repository,
++ "http/429-error", "config-exceeds-max-retry-time");
+ return -1;
+ }
+-
++ trace2_data_string("http", the_repository,
++ "http/429-retry-source", "config-default");
+ return http_retry_after;
+ }
+ }
--
gitgitgadget
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH v2 1/2] http: add support for HTTP 429 rate limit retries
2025-12-18 14:44 ` [PATCH v2 0/2] http: add support for HTTP 429 rate limit retries Vaidas Pilkauskas via GitGitGadget
@ 2025-12-18 14:44 ` Vaidas Pilkauskas via GitGitGadget
2026-02-11 1:05 ` Taylor Blau
2025-12-18 14:44 ` [PATCH v2 2/2] http: add trace2 logging for retry operations Vaidas Pilkauskas via GitGitGadget
2026-02-17 11:08 ` [PATCH v3 0/3] http: add support for HTTP 429 rate limit retries Vaidas Pilkauskas via GitGitGadget
2 siblings, 1 reply; 49+ messages in thread
From: Vaidas Pilkauskas via GitGitGadget @ 2025-12-18 14:44 UTC (permalink / raw)
To: git; +Cc: Taylor Blau, Vaidas Pilkauskas, Vaidas Pilkauskas
From: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
Add retry logic for HTTP 429 (Too Many Requests) responses to handle
server-side rate limiting gracefully. When Git's HTTP client receives
a 429 response, it can now automatically retry the request after an
appropriate delay, respecting the server's rate limits.
The implementation supports the RFC-compliant Retry-After header in
both delay-seconds (integer) and HTTP-date (RFC 2822) formats. If a
past date is provided, Git retries immediately without waiting.
Retry behavior is controlled by three new configuration options
(http.maxRetries, http.retryAfter, and http.maxRetryTime) which are
documented in git-config(1).
The retry logic implements a fail-fast approach: if any delay
(whether from server header or configuration) exceeds maxRetryTime,
Git fails immediately with a clear error message rather than capping
the delay. This provides better visibility into rate limiting issues.
The implementation includes extensive test coverage for basic retry
behavior, Retry-After header formats (integer and HTTP-date),
configuration combinations, maxRetryTime limits, invalid header
handling, environment variable overrides, and edge cases.
Signed-off-by: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
---
Documentation/config/http.adoc | 24 +++
http-push.c | 8 +
http-walker.c | 5 +
http.c | 300 ++++++++++++++++++++++++++++-----
http.h | 4 +
remote-curl.c | 49 ++++--
strbuf.c | 2 +-
t/lib-httpd.sh | 1 +
t/lib-httpd/apache.conf | 8 +
t/lib-httpd/http-429.sh | 98 +++++++++++
t/meson.build | 1 +
t/t5584-http-429-retry.sh | 286 +++++++++++++++++++++++++++++++
12 files changed, 729 insertions(+), 57 deletions(-)
create mode 100644 t/lib-httpd/http-429.sh
create mode 100755 t/t5584-http-429-retry.sh
diff --git a/Documentation/config/http.adoc b/Documentation/config/http.adoc
index 9da5c298cc..9e3c888df4 100644
--- a/Documentation/config/http.adoc
+++ b/Documentation/config/http.adoc
@@ -315,6 +315,30 @@ http.keepAliveCount::
unset, curl's default value is used. Can be overridden by the
`GIT_HTTP_KEEPALIVE_COUNT` environment variable.
+http.retryAfter::
+ Default wait time in seconds before retrying when a server returns
+ HTTP 429 (Too Many Requests) without a Retry-After header. If set
+ to -1 (the default), Git will fail immediately when encountering
+ a 429 response without a Retry-After header. When a Retry-After
+ header is present, its value takes precedence over this setting.
+ Can be overridden by the `GIT_HTTP_RETRY_AFTER` environment variable.
+ See also `http.maxRetries` and `http.maxRetryTime`.
+
+http.maxRetries::
+ Maximum number of times to retry after receiving HTTP 429 (Too Many
+ Requests) responses. Set to 0 (the default) to disable retries.
+ Can be overridden by the `GIT_HTTP_MAX_RETRIES` environment variable.
+ See also `http.retryAfter` and `http.maxRetryTime`.
+
+http.maxRetryTime::
+ Maximum time in seconds to wait for a single retry attempt when
+ handling HTTP 429 (Too Many Requests) responses. If the server
+ requests a delay (via Retry-After header) or if `http.retryAfter`
+ is configured with a value that exceeds this maximum, Git will fail
+ immediately rather than waiting. Default is 300 seconds (5 minutes).
+ Can be overridden by the `GIT_HTTP_MAX_RETRY_TIME` environment
+ variable. See also `http.retryAfter` and `http.maxRetries`.
+
http.noEPSV::
A boolean which disables using of EPSV ftp command by curl.
This can be helpful with some "poor" ftp servers which don't
diff --git a/http-push.c b/http-push.c
index 60a9b75620..ddb9948352 100644
--- a/http-push.c
+++ b/http-push.c
@@ -716,6 +716,10 @@ static int fetch_indices(void)
case HTTP_MISSING_TARGET:
ret = 0;
break;
+ case HTTP_RATE_LIMITED:
+ error(_("rate limited by '%s', please try again later"), repo->url);
+ ret = -1;
+ break;
default:
ret = -1;
}
@@ -1548,6 +1552,10 @@ static int remote_exists(const char *path)
case HTTP_MISSING_TARGET:
ret = 0;
break;
+ case HTTP_RATE_LIMITED:
+ error(_("rate limited by '%s', please try again later"), url);
+ ret = -1;
+ break;
case HTTP_ERROR:
error("unable to access '%s': %s", url, curl_errorstr);
/* fallthrough */
diff --git a/http-walker.c b/http-walker.c
index e886e64866..9f06f47de1 100644
--- a/http-walker.c
+++ b/http-walker.c
@@ -414,6 +414,11 @@ static int fetch_indices(struct walker *walker, struct alt_base *repo)
repo->got_indices = 1;
ret = 0;
break;
+ case HTTP_RATE_LIMITED:
+ error("rate limited by '%s', please try again later", repo->base);
+ repo->got_indices = 0;
+ ret = -1;
+ break;
default:
repo->got_indices = 0;
ret = -1;
diff --git a/http.c b/http.c
index 41f850db16..60e0364f57 100644
--- a/http.c
+++ b/http.c
@@ -22,6 +22,7 @@
#include "object-file.h"
#include "odb.h"
#include "tempfile.h"
+#include "date.h"
static struct trace_key trace_curl = TRACE_KEY_INIT(CURL);
static int trace_curl_data = 1;
@@ -149,6 +150,11 @@ static char *cached_accept_language;
static char *http_ssl_backend;
static int http_schannel_check_revoke = 1;
+
+static long http_retry_after = -1;
+static long http_max_retries = 0;
+static long http_max_retry_time = 300;
+
/*
* With the backend being set to `schannel`, setting sslCAinfo would override
* the Certificate Store in cURL v7.60.0 and later, which is not what we want
@@ -209,13 +215,14 @@ static inline int is_hdr_continuation(const char *ptr, const size_t size)
return size && (*ptr == ' ' || *ptr == '\t');
}
-static size_t fwrite_wwwauth(char *ptr, size_t eltsize, size_t nmemb, void *p UNUSED)
+static size_t fwrite_headers(char *ptr, size_t eltsize, size_t nmemb, void *p)
{
size_t size = eltsize * nmemb;
struct strvec *values = &http_auth.wwwauth_headers;
struct strbuf buf = STRBUF_INIT;
const char *val;
size_t val_len;
+ struct active_request_slot *slot = (struct active_request_slot *)p;
/*
* Header lines may not come NULL-terminated from libcurl so we must
@@ -257,6 +264,47 @@ static size_t fwrite_wwwauth(char *ptr, size_t eltsize, size_t nmemb, void *p UN
goto exit;
}
+ /* Parse Retry-After header for rate limiting */
+ if (skip_iprefix_mem(ptr, size, "retry-after:", &val, &val_len)) {
+ strbuf_add(&buf, val, val_len);
+ strbuf_trim(&buf);
+
+ if (slot && slot->results) {
+ /* Parse the retry-after value (delay-seconds or HTTP-date) */
+ char *endptr;
+ long retry_after;
+
+ errno = 0;
+ retry_after = strtol(buf.buf, &endptr, 10);
+
+ /* Check if it's a valid integer (delay-seconds format) */
+ if (endptr != buf.buf && *endptr == '\0' &&
+ errno != ERANGE && retry_after > 0) {
+ slot->results->retry_after = retry_after;
+ } else {
+ /* Try parsing as HTTP-date format */
+ timestamp_t timestamp;
+ int offset;
+ if (!parse_date_basic(buf.buf, ×tamp, &offset)) {
+ /* Successfully parsed as date, calculate delay from now */
+ timestamp_t now = time(NULL);
+ if (timestamp > now) {
+ slot->results->retry_after = (long)(timestamp - now);
+ } else {
+ /* Past date means retry immediately */
+ slot->results->retry_after = 0;
+ }
+ } else {
+ /* Failed to parse as either delay-seconds or HTTP-date */
+ warning(_("unable to parse Retry-After header value: '%s'"), buf.buf);
+ }
+ }
+ }
+
+ http_auth.header_is_last_match = 1;
+ goto exit;
+ }
+
/*
* This line could be a continuation of the previously matched header
* field. If this is the case then we should append this value to the
@@ -575,6 +623,21 @@ static int http_options(const char *var, const char *value,
return 0;
}
+ if (!strcmp("http.retryafter", var)) {
+ http_retry_after = git_config_int(var, value, ctx->kvi);
+ return 0;
+ }
+
+ if (!strcmp("http.maxretries", var)) {
+ http_max_retries = git_config_int(var, value, ctx->kvi);
+ return 0;
+ }
+
+ if (!strcmp("http.maxretrytime", var)) {
+ http_max_retry_time = git_config_int(var, value, ctx->kvi);
+ return 0;
+ }
+
/* Fall back on the default ones */
return git_default_config(var, value, ctx, data);
}
@@ -1422,6 +1485,10 @@ void http_init(struct remote *remote, const char *url, int proactive_auth)
set_long_from_env(&curl_tcp_keepintvl, "GIT_TCP_KEEPINTVL");
set_long_from_env(&curl_tcp_keepcnt, "GIT_TCP_KEEPCNT");
+ set_long_from_env(&http_retry_after, "GIT_HTTP_RETRY_AFTER");
+ set_long_from_env(&http_max_retries, "GIT_HTTP_MAX_RETRIES");
+ set_long_from_env(&http_max_retry_time, "GIT_HTTP_MAX_RETRY_TIME");
+
curl_default = get_curl_handle();
}
@@ -1529,6 +1596,8 @@ struct active_request_slot *get_active_slot(void)
slot->finished = NULL;
slot->callback_data = NULL;
slot->callback_func = NULL;
+ slot->retry_delay_seconds = -1;
+ memset(&slot->retry_delay_start, 0, sizeof(slot->retry_delay_start));
if (curl_cookie_file && !strcmp(curl_cookie_file, "-")) {
warning(_("refusing to read cookies from http.cookiefile '-'"));
@@ -1660,44 +1729,98 @@ void run_active_slot(struct active_request_slot *slot)
fd_set excfds;
int max_fd;
struct timeval select_timeout;
+ long curl_timeout;
+ struct timeval start_time = {0}, current_time, elapsed_time = {0};
+ long remaining_seconds;
int finished = 0;
+ int slot_not_started = (slot->finished == NULL);
+ int waiting_for_delay = (slot->retry_delay_seconds > 0);
+
+ if (waiting_for_delay) {
+ warning(_("rate limited, waiting %ld seconds before retry"), slot->retry_delay_seconds);
+ start_time = slot->retry_delay_start;
+ }
slot->finished = &finished;
- while (!finished) {
+ while (waiting_for_delay || !finished) {
+ if (waiting_for_delay) {
+ gettimeofday(¤t_time, NULL);
+ elapsed_time.tv_sec = current_time.tv_sec - start_time.tv_sec;
+ elapsed_time.tv_usec = current_time.tv_usec - start_time.tv_usec;
+ if (elapsed_time.tv_usec < 0) {
+ elapsed_time.tv_sec--;
+ elapsed_time.tv_usec += 1000000;
+ }
+
+ if (elapsed_time.tv_sec >= slot->retry_delay_seconds) {
+ slot->retry_delay_seconds = -1;
+ waiting_for_delay = 0;
+
+ if (slot_not_started)
+ return;
+ }
+ }
+
step_active_slots();
- if (slot->in_use) {
- long curl_timeout;
- curl_multi_timeout(curlm, &curl_timeout);
- if (curl_timeout == 0) {
+ if (!waiting_for_delay && !slot->in_use)
+ continue;
+
+ curl_multi_timeout(curlm, &curl_timeout);
+ if (curl_timeout == 0) {
+ if (!waiting_for_delay)
continue;
- } else if (curl_timeout == -1) {
- select_timeout.tv_sec = 0;
- select_timeout.tv_usec = 50000;
+ select_timeout.tv_sec = 0;
+ select_timeout.tv_usec = 50000; /* 50ms */
+ } else if (curl_timeout == -1) {
+ select_timeout.tv_sec = 0;
+ select_timeout.tv_usec = 50000;
+ } else {
+ long curl_timeout_sec = curl_timeout / 1000;
+ long curl_timeout_usec = (curl_timeout % 1000) * 1000;
+
+ if (waiting_for_delay) {
+ remaining_seconds = slot->retry_delay_seconds - elapsed_time.tv_sec;
+ if (curl_timeout_sec < remaining_seconds) {
+ select_timeout.tv_sec = curl_timeout_sec;
+ select_timeout.tv_usec = curl_timeout_usec;
+ } else {
+ select_timeout.tv_sec = remaining_seconds;
+ select_timeout.tv_usec = 0;
+ }
} else {
- select_timeout.tv_sec = curl_timeout / 1000;
- select_timeout.tv_usec = (curl_timeout % 1000) * 1000;
+ select_timeout.tv_sec = curl_timeout_sec;
+ select_timeout.tv_usec = curl_timeout_usec;
}
+ }
- max_fd = -1;
- FD_ZERO(&readfds);
- FD_ZERO(&writefds);
- FD_ZERO(&excfds);
- curl_multi_fdset(curlm, &readfds, &writefds, &excfds, &max_fd);
+ max_fd = -1;
+ FD_ZERO(&readfds);
+ FD_ZERO(&writefds);
+ FD_ZERO(&excfds);
+ curl_multi_fdset(curlm, &readfds, &writefds, &excfds, &max_fd);
- /*
- * It can happen that curl_multi_timeout returns a pathologically
- * long timeout when curl_multi_fdset returns no file descriptors
- * to read. See commit message for more details.
- */
- if (max_fd < 0 &&
- (select_timeout.tv_sec > 0 ||
- select_timeout.tv_usec > 50000)) {
- select_timeout.tv_sec = 0;
- select_timeout.tv_usec = 50000;
- }
+ /*
+ * It can happen that curl_multi_timeout returns a pathologically
+ * long timeout when curl_multi_fdset returns no file descriptors
+ * to read. See commit message for more details.
+ */
+ if (max_fd < 0 &&
+ (select_timeout.tv_sec > 0 ||
+ select_timeout.tv_usec > 50000)) {
+ select_timeout.tv_sec = 0;
+ select_timeout.tv_usec = 50000;
+ }
- select(max_fd+1, &readfds, &writefds, &excfds, &select_timeout);
+ /*
+ * If curl_multi_fdset returns no file descriptors but we have
+ * a timeout, still use select() to wait for the timeout period.
+ */
+ if (max_fd < 0) {
+ /* No file descriptors, just wait for timeout */
+ select(0, NULL, NULL, NULL, &select_timeout);
+ } else {
+ select(max_fd + 1, &readfds, &writefds, &excfds, &select_timeout);
}
}
@@ -1871,6 +1994,8 @@ static int handle_curl_result(struct slot_results *results)
}
return HTTP_REAUTH;
}
+ } else if (results->http_code == 429) {
+ return HTTP_RATE_LIMITED;
} else {
if (results->http_connectcode == 407)
credential_reject(the_repository, &proxy_auth);
@@ -1886,6 +2011,14 @@ int run_one_slot(struct active_request_slot *slot,
struct slot_results *results)
{
slot->results = results;
+ /* Initialize retry_after to -1 (not set) */
+ results->retry_after = -1;
+
+ /* If there's a retry delay, wait for it before starting the slot */
+ if (slot->retry_delay_seconds > 0) {
+ run_active_slot(slot);
+ }
+
if (!start_active_slot(slot)) {
xsnprintf(curl_errorstr, sizeof(curl_errorstr),
"failed to start HTTP request");
@@ -2117,9 +2250,13 @@ static void http_opt_request_remainder(CURL *curl, off_t pos)
#define HTTP_REQUEST_STRBUF 0
#define HTTP_REQUEST_FILE 1
+static void sleep_for_retry(struct active_request_slot *slot, long retry_after);
+
static int http_request(const char *url,
void *result, int target,
- const struct http_get_options *options)
+ const struct http_get_options *options,
+ long *retry_after_out,
+ long retry_delay)
{
struct active_request_slot *slot;
struct slot_results results;
@@ -2129,6 +2266,10 @@ static int http_request(const char *url,
int ret;
slot = get_active_slot();
+ /* Mark slot for delay if retry delay is provided */
+ if (retry_delay > 0) {
+ sleep_for_retry(slot, retry_delay);
+ }
curl_easy_setopt(slot->curl, CURLOPT_HTTPGET, 1L);
if (!result) {
@@ -2148,7 +2289,8 @@ static int http_request(const char *url,
fwrite_buffer);
}
- curl_easy_setopt(slot->curl, CURLOPT_HEADERFUNCTION, fwrite_wwwauth);
+ curl_easy_setopt(slot->curl, CURLOPT_HEADERFUNCTION, fwrite_headers);
+ curl_easy_setopt(slot->curl, CURLOPT_HEADERDATA, slot);
accept_language = http_get_accept_language_header();
@@ -2183,6 +2325,10 @@ static int http_request(const char *url,
ret = run_one_slot(slot, &results);
+ /* Store retry_after from slot results if output parameter provided */
+ if (retry_after_out)
+ *retry_after_out = results.retry_after;
+
if (options && options->content_type) {
struct strbuf raw = STRBUF_INIT;
curlinfo_strbuf(slot->curl, CURLINFO_CONTENT_TYPE, &raw);
@@ -2253,21 +2399,90 @@ static int update_url_from_redirect(struct strbuf *base,
return 1;
}
-static int http_request_reauth(const char *url,
+/*
+ * Mark slot to be delayed for retry. The actual delay will be handled
+ * in run_active_slot when the slot is executed.
+ */
+static void sleep_for_retry(struct active_request_slot *slot, long retry_after)
+{
+ if (retry_after > 0 && slot) {
+ warning(_("rate limited, waiting %ld seconds before retry"), retry_after);
+ slot->retry_delay_seconds = retry_after;
+ gettimeofday(&slot->retry_delay_start, NULL);
+ }
+}
+
+/*
+ * Handle rate limiting retry logic for HTTP 429 responses.
+ * Uses slot-specific retry_after value to support concurrent slots.
+ * Returns a negative value if retries are exhausted or configuration is invalid,
+ * otherwise returns the delay value (>= 0) to indicate the retry should proceed.
+ */
+static long handle_rate_limit_retry(int *rate_limit_retries, long slot_retry_after)
+{
+ int retry_attempt = http_max_retries - *rate_limit_retries + 1;
+ if (*rate_limit_retries <= 0) {
+ /* Retries are disabled or exhausted */
+ if (http_max_retries > 0) {
+ error(_("too many rate limit retries, giving up"));
+ }
+ return -1;
+ }
+
+ /* Decrement retries counter */
+ (*rate_limit_retries)--;
+
+ /* Use the slot-specific retry_after value or configured default */
+ if (slot_retry_after >= 0) {
+ /* Check if retry delay exceeds maximum allowed */
+ if (slot_retry_after > http_max_retry_time) {
+ error(_("rate limited (HTTP 429) requested %ld second delay, "
+ "exceeds http.maxRetryTime of %ld seconds"),
+ slot_retry_after, http_max_retry_time);
+ return -1;
+ }
+ return slot_retry_after;
+ } else {
+ /* No Retry-After header provided */
+ if (http_retry_after < 0) {
+ /* Not configured - exit with error */
+ error(_("rate limited (HTTP 429) and no Retry-After header provided. "
+ "Configure http.retryAfter or set GIT_HTTP_RETRY_AFTER."));
+ return -1;
+ }
+ /* Check if configured default exceeds maximum allowed */
+ if (http_retry_after > http_max_retry_time) {
+ error(_("configured http.retryAfter (%ld seconds) exceeds "
+ "http.maxRetryTime (%ld seconds)"),
+ http_retry_after, http_max_retry_time);
+ return -1;
+ }
+
+ return http_retry_after;
+ }
+}
+
+static int http_request_recoverable(const char *url,
void *result, int target,
struct http_get_options *options)
{
int i = 3;
int ret;
+ int rate_limit_retries = http_max_retries;
+ long slot_retry_after = -1; /* Per-slot retry_after value */
if (always_auth_proactively())
credential_fill(the_repository, &http_auth, 1);
- ret = http_request(url, result, target, options);
+ ret = http_request(url, result, target, options, &slot_retry_after, -1);
- if (ret != HTTP_OK && ret != HTTP_REAUTH)
+ if (ret != HTTP_OK && ret != HTTP_REAUTH && ret != HTTP_RATE_LIMITED)
return ret;
+ /* If retries are disabled and we got a 429, fail immediately */
+ if (ret == HTTP_RATE_LIMITED && http_max_retries == 0)
+ return HTTP_ERROR;
+
if (options && options->effective_url && options->base_url) {
if (update_url_from_redirect(options->base_url,
url, options->effective_url)) {
@@ -2276,7 +2491,8 @@ static int http_request_reauth(const char *url,
}
}
- while (ret == HTTP_REAUTH && --i) {
+ while ((ret == HTTP_REAUTH || ret == HTTP_RATE_LIMITED) && --i) {
+ long retry_delay = -1;
/*
* The previous request may have put cruft into our output stream; we
* should clear it out before making our next request.
@@ -2301,10 +2517,16 @@ static int http_request_reauth(const char *url,
default:
BUG("Unknown http_request target");
}
+ if (ret == HTTP_RATE_LIMITED) {
+ retry_delay = handle_rate_limit_retry(&rate_limit_retries, slot_retry_after);
+ if (retry_delay < 0)
+ return HTTP_ERROR;
+ slot_retry_after = -1; /* Reset after use */
+ } else if (ret == HTTP_REAUTH) {
+ credential_fill(the_repository, &http_auth, 1);
+ }
- credential_fill(the_repository, &http_auth, 1);
-
- ret = http_request(url, result, target, options);
+ ret = http_request(url, result, target, options, &slot_retry_after, retry_delay);
}
return ret;
}
@@ -2313,7 +2535,7 @@ int http_get_strbuf(const char *url,
struct strbuf *result,
struct http_get_options *options)
{
- return http_request_reauth(url, result, HTTP_REQUEST_STRBUF, options);
+ return http_request_recoverable(url, result, HTTP_REQUEST_STRBUF, options);
}
/*
@@ -2337,7 +2559,7 @@ int http_get_file(const char *url, const char *filename,
goto cleanup;
}
- ret = http_request_reauth(url, result, HTTP_REQUEST_FILE, options);
+ ret = http_request_recoverable(url, result, HTTP_REQUEST_FILE, options);
fclose(result);
if (ret == HTTP_OK && finalize_object_file(the_repository, tmpfile.buf, filename))
diff --git a/http.h b/http.h
index f9d4593404..6ee809ec01 100644
--- a/http.h
+++ b/http.h
@@ -20,6 +20,7 @@ struct slot_results {
long http_code;
long auth_avail;
long http_connectcode;
+ long retry_after;
};
struct active_request_slot {
@@ -32,6 +33,8 @@ struct active_request_slot {
void *callback_data;
void (*callback_func)(void *data);
struct active_request_slot *next;
+ long retry_delay_seconds;
+ struct timeval retry_delay_start;
};
struct buffer {
@@ -167,6 +170,7 @@ struct http_get_options {
#define HTTP_REAUTH 4
#define HTTP_NOAUTH 5
#define HTTP_NOMATCHPUBLICKEY 6
+#define HTTP_RATE_LIMITED 7
/*
* Requests a URL and stores the result in a strbuf.
diff --git a/remote-curl.c b/remote-curl.c
index 69f919454a..c122dcedaa 100644
--- a/remote-curl.c
+++ b/remote-curl.c
@@ -367,23 +367,25 @@ static void free_discovery(struct discovery *d)
}
}
-static int show_http_message(struct strbuf *type, struct strbuf *charset,
- struct strbuf *msg)
+static NORETURN void show_http_message_fatal(struct strbuf *type, struct strbuf *charset,
+ struct strbuf *msg, const char *fmt, ...)
{
const char *p, *eol;
+ va_list ap;
+ report_fn die_message_routine = get_die_message_routine();
/*
* We only show text/plain parts, as other types are likely
* to be ugly to look at on the user's terminal.
*/
if (strcmp(type->buf, "text/plain"))
- return -1;
+ goto out;
if (charset->len)
strbuf_reencode(msg, charset->buf, get_log_output_encoding());
strbuf_trim(msg);
if (!msg->len)
- return -1;
+ goto out;
p = msg->buf;
do {
@@ -391,7 +393,16 @@ static int show_http_message(struct strbuf *type, struct strbuf *charset,
fprintf(stderr, "remote: %.*s\n", (int)(eol - p), p);
p = eol + 1;
} while(*eol);
- return 0;
+
+out:
+ strbuf_release(type);
+ strbuf_release(charset);
+ strbuf_release(msg);
+
+ va_start(ap, fmt);
+ die_message_routine(fmt, ap);
+ va_end(ap);
+ exit(128);
}
static int get_protocol_http_header(enum protocol_version version,
@@ -518,21 +529,25 @@ static struct discovery *discover_refs(const char *service, int for_push)
case HTTP_OK:
break;
case HTTP_MISSING_TARGET:
- show_http_message(&type, &charset, &buffer);
- die(_("repository '%s' not found"),
- transport_anonymize_url(url.buf));
+ show_http_message_fatal(&type, &charset, &buffer,
+ _("repository '%s' not found"),
+ transport_anonymize_url(url.buf));
case HTTP_NOAUTH:
- show_http_message(&type, &charset, &buffer);
- die(_("Authentication failed for '%s'"),
- transport_anonymize_url(url.buf));
+ show_http_message_fatal(&type, &charset, &buffer,
+ _("Authentication failed for '%s'"),
+ transport_anonymize_url(url.buf));
case HTTP_NOMATCHPUBLICKEY:
- show_http_message(&type, &charset, &buffer);
- die(_("unable to access '%s' with http.pinnedPubkey configuration: %s"),
- transport_anonymize_url(url.buf), curl_errorstr);
+ show_http_message_fatal(&type, &charset, &buffer,
+ _("unable to access '%s' with http.pinnedPubkey configuration: %s"),
+ transport_anonymize_url(url.buf), curl_errorstr);
+ case HTTP_RATE_LIMITED:
+ show_http_message_fatal(&type, &charset, &buffer,
+ _("rate limited by '%s', please try again later"),
+ transport_anonymize_url(url.buf));
default:
- show_http_message(&type, &charset, &buffer);
- die(_("unable to access '%s': %s"),
- transport_anonymize_url(url.buf), curl_errorstr);
+ show_http_message_fatal(&type, &charset, &buffer,
+ _("unable to access '%s': %s"),
+ transport_anonymize_url(url.buf), curl_errorstr);
}
if (options.verbosity && !starts_with(refs_url.buf, url.buf)) {
diff --git a/strbuf.c b/strbuf.c
index 6c3851a7f8..1d3860869e 100644
--- a/strbuf.c
+++ b/strbuf.c
@@ -168,7 +168,7 @@ int strbuf_reencode(struct strbuf *sb, const char *from, const char *to)
if (!out)
return -1;
- strbuf_attach(sb, out, len, len);
+ strbuf_attach(sb, out, len, len + 1);
return 0;
}
diff --git a/t/lib-httpd.sh b/t/lib-httpd.sh
index 5091db949b..8a43261ffc 100644
--- a/t/lib-httpd.sh
+++ b/t/lib-httpd.sh
@@ -167,6 +167,7 @@ prepare_httpd() {
install_script error.sh
install_script apply-one-time-script.sh
install_script nph-custom-auth.sh
+ install_script http-429.sh
ln -s "$LIB_HTTPD_MODULE_PATH" "$HTTPD_ROOT_PATH/modules"
diff --git a/t/lib-httpd/apache.conf b/t/lib-httpd/apache.conf
index e631ab0eb5..6bdef603cd 100644
--- a/t/lib-httpd/apache.conf
+++ b/t/lib-httpd/apache.conf
@@ -139,6 +139,10 @@ SetEnv PERL_PATH ${PERL_PATH}
SetEnv GIT_EXEC_PATH ${GIT_EXEC_PATH}
SetEnv GIT_HTTP_EXPORT_ALL
</LocationMatch>
+<LocationMatch /http_429/>
+ SetEnv GIT_EXEC_PATH ${GIT_EXEC_PATH}
+ SetEnv GIT_HTTP_EXPORT_ALL
+</LocationMatch>
<LocationMatch /smart_v0/>
SetEnv GIT_EXEC_PATH ${GIT_EXEC_PATH}
SetEnv GIT_HTTP_EXPORT_ALL
@@ -160,6 +164,7 @@ ScriptAlias /broken_smart/ broken-smart-http.sh/
ScriptAlias /error_smart/ error-smart-http.sh/
ScriptAlias /error/ error.sh/
ScriptAliasMatch /one_time_script/(.*) apply-one-time-script.sh/$1
+ScriptAliasMatch /http_429/(.*) http-429.sh/$1
ScriptAliasMatch /custom_auth/(.*) nph-custom-auth.sh/$1
<Directory ${GIT_EXEC_PATH}>
Options FollowSymlinks
@@ -185,6 +190,9 @@ ScriptAliasMatch /custom_auth/(.*) nph-custom-auth.sh/$1
<Files apply-one-time-script.sh>
Options ExecCGI
</Files>
+<Files http-429.sh>
+ Options ExecCGI
+</Files>
<Files ${GIT_EXEC_PATH}/git-http-backend>
Options ExecCGI
</Files>
diff --git a/t/lib-httpd/http-429.sh b/t/lib-httpd/http-429.sh
new file mode 100644
index 0000000000..c97b16145b
--- /dev/null
+++ b/t/lib-httpd/http-429.sh
@@ -0,0 +1,98 @@
+#!/bin/sh
+
+# Script to return HTTP 429 Too Many Requests responses for testing retry logic.
+# Usage: /http_429/<test-context>/<retry-after-value>/<repo-path>
+#
+# The test-context is a unique identifier for each test to isolate state files.
+# The retry-after-value can be:
+# - A number (e.g., "1", "2", "100") - sets Retry-After header to that many seconds
+# - "none" - no Retry-After header
+# - "invalid" - invalid Retry-After format
+# - "permanent" - always return 429 (never succeed)
+# - An HTTP-date string (RFC 2822 format) - sets Retry-After to that date
+#
+# On first call, returns 429. On subsequent calls (after retry), forwards to git-http-backend
+# unless retry-after-value is "permanent".
+
+# Extract test context, retry-after value and repo path from PATH_INFO
+# PATH_INFO format: /<test-context>/<retry-after-value>/<repo-path>
+path_info="${PATH_INFO#/}" # Remove leading slash
+test_context="${path_info%%/*}" # Get first component (test context)
+remaining="${path_info#*/}" # Get rest
+retry_after="${remaining%%/*}" # Get second component (retry-after value)
+repo_path="${remaining#*/}" # Get rest (repo path)
+
+# Extract repository name from repo_path (e.g., "repo.git" from "repo.git/info/refs")
+# The repo name is the first component before any "/"
+repo_name="${repo_path%%/*}"
+
+# Use current directory (HTTPD_ROOT_PATH) for state file
+# Create a safe filename from test_context, retry_after and repo_name
+# This ensures all requests for the same test context share the same state file
+safe_name=$(echo "${test_context}-${retry_after}-${repo_name}" | tr '/' '_' | tr -cd 'a-zA-Z0-9_-')
+state_file="http-429-state-${safe_name}"
+
+# Check if this is the first call (no state file exists)
+if test -f "$state_file"
+then
+ # Already returned 429 once, forward to git-http-backend
+ # Set PATH_INFO to just the repo path (without retry-after value)
+ # Set GIT_PROJECT_ROOT so git-http-backend can find the repository
+ # Use exec to replace this process so git-http-backend gets the updated environment
+ PATH_INFO="/$repo_path"
+ export PATH_INFO
+ # GIT_PROJECT_ROOT points to the document root where repositories are stored
+ # The script runs from HTTPD_ROOT_PATH, and www/ is the document root
+ if test -z "$GIT_PROJECT_ROOT"
+ then
+ # Construct path: current directory (HTTPD_ROOT_PATH) + /www
+ GIT_PROJECT_ROOT="$(pwd)/www"
+ export GIT_PROJECT_ROOT
+ fi
+ exec "$GIT_EXEC_PATH/git-http-backend"
+fi
+
+# Mark that we've returned 429
+touch "$state_file"
+
+# Output HTTP 429 response
+printf "Status: 429 Too Many Requests\r\n"
+
+# Set Retry-After header based on retry_after value
+case "$retry_after" in
+ none)
+ # No Retry-After header
+ ;;
+ invalid)
+ printf "Retry-After: invalid-format-123abc\r\n"
+ ;;
+ permanent)
+ # Always return 429, don't set state file for success
+ rm -f "$state_file"
+ printf "Retry-After: 1\r\n"
+ printf "Content-Type: text/plain\r\n"
+ printf "\r\n"
+ printf "Permanently rate limited\n"
+ exit 0
+ ;;
+ *)
+ # Check if it's a number
+ case "$retry_after" in
+ [0-9]*)
+ # Numeric value
+ printf "Retry-After: %s\r\n" "$retry_after"
+ ;;
+ *)
+ # Assume it's an HTTP-date format (passed as-is, URL decoded)
+ # Apache may URL-encode the path, so decode common URL-encoded characters
+ # %20 = space, %2C = comma, %3A = colon
+ retry_value=$(echo "$retry_after" | sed -e 's/%20/ /g' -e 's/%2C/,/g' -e 's/%3A/:/g')
+ printf "Retry-After: %s\r\n" "$retry_value"
+ ;;
+ esac
+ ;;
+esac
+
+printf "Content-Type: text/plain\r\n"
+printf "\r\n"
+printf "Rate limited\n"
diff --git a/t/meson.build b/t/meson.build
index 459c52a489..ee82450333 100644
--- a/t/meson.build
+++ b/t/meson.build
@@ -700,6 +700,7 @@ integration_tests = [
't5581-http-curl-verbose.sh',
't5582-fetch-negative-refspec.sh',
't5583-push-branches.sh',
+ 't5584-http-429-retry.sh',
't5600-clone-fail-cleanup.sh',
't5601-clone.sh',
't5602-clone-remote-exec.sh',
diff --git a/t/t5584-http-429-retry.sh b/t/t5584-http-429-retry.sh
new file mode 100755
index 0000000000..c0d30c5387
--- /dev/null
+++ b/t/t5584-http-429-retry.sh
@@ -0,0 +1,286 @@
+#!/bin/sh
+
+test_description='test HTTP 429 Too Many Requests retry logic'
+
+. ./test-lib.sh
+
+. "$TEST_DIRECTORY"/lib-httpd.sh
+
+start_httpd
+
+test_expect_success 'setup test repository' '
+ test_commit initial &&
+ git clone --bare . "$HTTPD_DOCUMENT_ROOT_PATH/repo.git" &&
+ git --git-dir="$HTTPD_DOCUMENT_ROOT_PATH/repo.git" config http.receivepack true
+'
+
+# This test suite uses a special HTTP 429 endpoint at /http_429/ that simulates
+# rate limiting. The endpoint format is:
+# /http_429/<test-context>/<retry-after-value>/<repo-path>
+# The http-429.sh script (in t/lib-httpd) returns a 429 response with the
+# specified Retry-After header on the first request for each test context,
+# then forwards subsequent requests to git-http-backend. Each test context
+# is isolated, allowing multiple tests to run independently.
+
+test_expect_success 'HTTP 429 with retries disabled (maxRetries=0) fails immediately' '
+ # Set maxRetries to 0 (disabled)
+ test_config http.maxRetries 0 &&
+ test_config http.retryAfter 1 &&
+
+ # Should fail immediately without any retry attempt
+ test_must_fail git ls-remote "$HTTPD_URL/http_429/retries-disabled/1/repo.git" 2>err &&
+
+ # Verify no retry happened (no "waiting" message in stderr)
+ test_grep ! -i "waiting.*retry" err
+'
+
+test_expect_success 'HTTP 429 permanent should fail after max retries' '
+ # Enable retries with a limit
+ test_config http.maxRetries 2 &&
+
+ # Git should retry but eventually fail when 429 persists
+ test_must_fail git ls-remote "$HTTPD_URL/http_429/permanent-fail/permanent/repo.git" 2>err
+'
+
+test_expect_success 'HTTP 429 with Retry-After is retried and succeeds' '
+ # Enable retries
+ test_config http.maxRetries 3 &&
+
+ # Git should retry after receiving 429 and eventually succeed
+ git ls-remote "$HTTPD_URL/http_429/retry-succeeds/1/repo.git" >output 2>err &&
+ test_grep "refs/heads/" output
+'
+
+test_expect_success 'HTTP 429 without Retry-After uses configured default' '
+ # Enable retries and configure default delay
+ test_config http.maxRetries 3 &&
+ test_config http.retryAfter 1 &&
+
+ # Git should retry using configured default and succeed
+ git ls-remote "$HTTPD_URL/http_429/no-retry-after-header/none/repo.git" >output 2>err &&
+ test_grep "refs/heads/" output
+'
+
+test_expect_success 'HTTP 429 retry delays are respected' '
+ # Enable retries
+ test_config http.maxRetries 3 &&
+
+ # Time the operation - it should take at least 2 seconds due to retry delay
+ start=$(date +%s) &&
+ git ls-remote "$HTTPD_URL/http_429/retry-delays-respected/2/repo.git" >output 2>err &&
+ end=$(date +%s) &&
+ duration=$((end - start)) &&
+
+ # Verify it took at least 2 seconds (allowing some tolerance)
+ test "$duration" -ge 1 &&
+ test_grep "refs/heads/" output
+'
+
+test_expect_success 'HTTP 429 fails immediately if Retry-After exceeds http.maxRetryTime' '
+ # Configure max retry time to 3 seconds (much less than requested 100)
+ test_config http.maxRetries 3 &&
+ test_config http.maxRetryTime 3 &&
+
+ # Should fail immediately without waiting
+ start=$(date +%s) &&
+ test_must_fail git ls-remote "$HTTPD_URL/http_429/retry-after-exceeds-max-time/100/repo.git" 2>err &&
+ end=$(date +%s) &&
+ duration=$((end - start)) &&
+
+ # Should fail quickly (less than 2 seconds, no 100 second wait)
+ test "$duration" -lt 2 &&
+ test_grep "exceeds http.maxRetryTime" err
+'
+
+test_expect_success 'HTTP 429 fails if configured http.retryAfter exceeds http.maxRetryTime' '
+ # Test misconfiguration: retryAfter > maxRetryTime
+ # Configure retryAfter larger than maxRetryTime
+ test_config http.maxRetries 3 &&
+ test_config http.retryAfter 100 &&
+ test_config http.maxRetryTime 5 &&
+
+ # Should fail immediately with configuration error
+ start=$(date +%s) &&
+ test_must_fail git ls-remote "$HTTPD_URL/http_429/config-retry-after-exceeds-max-time/none/repo.git" 2>err &&
+ end=$(date +%s) &&
+ duration=$((end - start)) &&
+
+ # Should fail quickly
+ test "$duration" -lt 2 &&
+ test_grep "configured http.retryAfter.*exceeds.*http.maxRetryTime" err
+'
+
+test_expect_success 'HTTP 429 with Retry-After HTTP-date format' '
+ # Test HTTP-date format (RFC 2822) in Retry-After header
+ # Generate a date 2 seconds in the future
+ future_date=$(TZ=GMT date -d "+2 seconds" "+%a, %d %b %Y %H:%M:%S GMT" 2>/dev/null || \
+ TZ=GMT date -v+2S "+%a, %d %b %Y %H:%M:%S GMT" 2>/dev/null || \
+ echo "skip") &&
+
+ if test "$future_date" = "skip"
+ then
+ skip_all="date command does not support required format" &&
+ test_done
+ fi &&
+
+ # URL-encode the date (replace spaces with %20)
+ future_date_encoded=$(echo "$future_date" | sed "s/ /%20/g") &&
+
+ # Enable retries
+ test_config http.maxRetries 3 &&
+
+ # Git should parse the HTTP-date and retry after the delay
+ start=$(date +%s) &&
+ git ls-remote "$HTTPD_URL/http_429/http-date-format/$future_date_encoded/repo.git" >output 2>err &&
+ end=$(date +%s) &&
+ duration=$((end - start)) &&
+
+ # Should take at least 1 second (allowing tolerance for processing time)
+ test "$duration" -ge 1 &&
+ test_grep "refs/heads/" output
+'
+
+test_expect_success 'HTTP 429 with HTTP-date exceeding maxRetryTime fails immediately' '
+ # Generate a date 200 seconds in the future
+ future_date=$(TZ=GMT date -d "+200 seconds" "+%a, %d %b %Y %H:%M:%S GMT" 2>/dev/null || \
+ TZ=GMT date -v+200S "+%a, %d %b %Y %H:%M:%S GMT" 2>/dev/null || \
+ echo "skip") &&
+
+ if test "$future_date" = "skip"
+ then
+ skip_all="date command does not support required format" &&
+ test_done
+ fi &&
+
+ # URL-encode the date (replace spaces with %20)
+ future_date_encoded=$(echo "$future_date" | sed "s/ /%20/g") &&
+
+ # Configure max retry time much less than the 200 second delay
+ test_config http.maxRetries 3 &&
+ test_config http.maxRetryTime 10 &&
+
+ # Should fail immediately without waiting 200 seconds
+ start=$(date +%s) &&
+ test_must_fail git ls-remote "$HTTPD_URL/http_429/http-date-exceeds-max-time/$future_date_encoded/repo.git" 2>err &&
+ end=$(date +%s) &&
+ duration=$((end - start)) &&
+
+ # Should fail quickly (not wait 200 seconds)
+ test "$duration" -lt 2 &&
+ test_grep "exceeds http.maxRetryTime" err
+'
+
+test_expect_success 'HTTP 429 with past HTTP-date should not wait' '
+ past_date=$(TZ=GMT date -d "-10 seconds" "+%a, %d %b %Y %H:%M:%S GMT" 2>/dev/null || \
+ TZ=GMT date -v-10S "+%a, %d %b %Y %H:%M:%S GMT" 2>/dev/null || \
+ echo "skip") &&
+
+ if test "$past_date" = "skip"
+ then
+ skip_all="date command does not support required format" &&
+ test_done
+ fi &&
+
+ # URL-encode the date (replace spaces with %20)
+ past_date_encoded=$(echo "$past_date" | sed "s/ /%20/g") &&
+
+ # Enable retries
+ test_config http.maxRetries 3 &&
+
+ # Git should retry immediately without waiting
+ start=$(date +%s) &&
+ git ls-remote "$HTTPD_URL/http_429/past-http-date/$past_date_encoded/repo.git" >output 2>err &&
+ end=$(date +%s) &&
+ duration=$((end - start)) &&
+
+ # Should complete quickly (less than 2 seconds)
+ test "$duration" -lt 2 &&
+ test_grep "refs/heads/" output
+'
+
+test_expect_success 'HTTP 429 with invalid Retry-After format uses configured default' '
+ # Configure default retry-after
+ test_config http.maxRetries 3 &&
+ test_config http.retryAfter 1 &&
+
+ # Should use configured default (1 second) since header is invalid
+ start=$(date +%s) &&
+ git ls-remote "$HTTPD_URL/http_429/invalid-retry-after-format/invalid/repo.git" >output 2>err &&
+ end=$(date +%s) &&
+ duration=$((end - start)) &&
+
+ # Should take at least 1 second (the configured default)
+ test "$duration" -ge 1 &&
+ test_grep "refs/heads/" output &&
+ test_grep "waiting.*retry" err
+'
+
+test_expect_success 'HTTP 429 will not be retried without config' '
+ # Default config means http.maxRetries=0 (retries disabled)
+ # When 429 is received, it should fail immediately without retry
+ # Do NOT configure anything - use defaults (http.maxRetries defaults to 0)
+
+ # Should fail immediately without retry
+ test_must_fail git ls-remote "$HTTPD_URL/http_429/no-retry-without-config/1/repo.git" 2>err &&
+
+ # Verify no retry happened (no "waiting" message)
+ test_grep ! -i "waiting.*retry" err &&
+
+ # Should get 429 error
+ test_grep "429" err
+'
+
+test_expect_success 'GIT_HTTP_RETRY_AFTER overrides http.retryAfter config' '
+ # Configure retryAfter to 10 seconds
+ test_config http.maxRetries 3 &&
+ test_config http.retryAfter 10 &&
+
+ # Override with environment variable to 1 second
+ start=$(date +%s) &&
+ GIT_HTTP_RETRY_AFTER=1 git ls-remote "$HTTPD_URL/http_429/env-retry-after-override/none/repo.git" >output 2>err &&
+ end=$(date +%s) &&
+ duration=$((end - start)) &&
+
+ # Should use env var (1 second), not config (10 seconds)
+ test "$duration" -ge 1 &&
+ test "$duration" -lt 5 &&
+ test_grep "refs/heads/" output &&
+ test_grep "waiting.*retry" err
+'
+
+test_expect_success 'GIT_HTTP_MAX_RETRIES overrides http.maxRetries config' '
+ # Configure maxRetries to 0 (disabled)
+ test_config http.maxRetries 0 &&
+ test_config http.retryAfter 1 &&
+
+ # Override with environment variable to enable retries
+ GIT_HTTP_MAX_RETRIES=3 git ls-remote "$HTTPD_URL/http_429/env-max-retries-override/1/repo.git" >output 2>err &&
+
+ # Should retry (env var enables it despite config saying disabled)
+ test_grep "refs/heads/" output &&
+ test_grep "waiting.*retry" err
+'
+
+test_expect_success 'GIT_HTTP_MAX_RETRY_TIME overrides http.maxRetryTime config' '
+ # Configure maxRetryTime to 100 seconds (would accept 50 second delay)
+ test_config http.maxRetries 3 &&
+ test_config http.maxRetryTime 100 &&
+
+ # Override with environment variable to 10 seconds (should reject 50 second delay)
+ start=$(date +%s) &&
+ test_must_fail env GIT_HTTP_MAX_RETRY_TIME=10 \
+ git ls-remote "$HTTPD_URL/http_429/env-max-retry-time-override/50/repo.git" 2>err &&
+ end=$(date +%s) &&
+ duration=$((end - start)) &&
+
+ # Should fail quickly (not wait 50 seconds) because env var limits to 10
+ test "$duration" -lt 5 &&
+ test_grep "exceeds http.maxRetryTime" err
+'
+
+test_expect_success 'verify normal repository access still works' '
+ git ls-remote "$HTTPD_URL/smart/repo.git" >output &&
+ test_grep "refs/heads/" output
+'
+
+test_done
--
gitgitgadget
^ permalink raw reply related [flat|nested] 49+ messages in thread
* [PATCH v2 2/2] http: add trace2 logging for retry operations
2025-12-18 14:44 ` [PATCH v2 0/2] http: add support for HTTP 429 rate limit retries Vaidas Pilkauskas via GitGitGadget
2025-12-18 14:44 ` [PATCH v2 1/2] " Vaidas Pilkauskas via GitGitGadget
@ 2025-12-18 14:44 ` Vaidas Pilkauskas via GitGitGadget
2026-02-11 1:06 ` Taylor Blau
2026-02-17 11:08 ` [PATCH v3 0/3] http: add support for HTTP 429 rate limit retries Vaidas Pilkauskas via GitGitGadget
2 siblings, 1 reply; 49+ messages in thread
From: Vaidas Pilkauskas via GitGitGadget @ 2025-12-18 14:44 UTC (permalink / raw)
To: git; +Cc: Taylor Blau, Vaidas Pilkauskas, Vaidas Pilkauskas
From: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
Add trace2 instrumentation to HTTP 429 retry operations to enable
monitoring and debugging of rate limit scenarios in production
environments.
The trace2 logging captures:
* Retry attempt numbers (http/429-retry-attempt) to track retry
progression and identify how many attempts were needed
* Retry-After header values (http/429-retry-after) from server
responses to understand server-requested delays
* Actual sleep durations (http/retry-sleep-seconds) within trace2
regions (http/retry-sleep) to measure time spent waiting
* Error conditions (http/429-error) such as "retries-exhausted",
"exceeds-max-retry-time", "no-retry-after-config", and
"config-exceeds-max-retry-time" for diagnosing failures
* Retry source (http/429-retry-source) indicating whether delay
came from server header or config default
This instrumentation provides complete visibility into retry behavior,
enabling operators to monitor rate limiting patterns, diagnose retry
failures, and optimize retry configuration based on real-world data.
Signed-off-by: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
---
http.c | 23 ++++++++++++++++++++++-
1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/http.c b/http.c
index 60e0364f57..ded791af87 100644
--- a/http.c
+++ b/http.c
@@ -23,6 +23,7 @@
#include "odb.h"
#include "tempfile.h"
#include "date.h"
+#include "trace2.h"
static struct trace_key trace_curl = TRACE_KEY_INIT(CURL);
static int trace_curl_data = 1;
@@ -1738,6 +1739,8 @@ void run_active_slot(struct active_request_slot *slot)
if (waiting_for_delay) {
warning(_("rate limited, waiting %ld seconds before retry"), slot->retry_delay_seconds);
+ trace2_data_intmax("http", the_repository, "http/retry-sleep-seconds",
+ slot->retry_delay_seconds);
start_time = slot->retry_delay_start;
}
@@ -1753,6 +1756,7 @@ void run_active_slot(struct active_request_slot *slot)
}
if (elapsed_time.tv_sec >= slot->retry_delay_seconds) {
+ trace2_region_leave("http", "retry-sleep", the_repository);
slot->retry_delay_seconds = -1;
waiting_for_delay = 0;
@@ -1995,6 +1999,8 @@ static int handle_curl_result(struct slot_results *results)
return HTTP_REAUTH;
}
} else if (results->http_code == 429) {
+ trace2_data_intmax("http", the_repository, "http/429-retry-after",
+ results->retry_after);
return HTTP_RATE_LIMITED;
} else {
if (results->http_connectcode == 407)
@@ -2421,10 +2427,16 @@ static void sleep_for_retry(struct active_request_slot *slot, long retry_after)
static long handle_rate_limit_retry(int *rate_limit_retries, long slot_retry_after)
{
int retry_attempt = http_max_retries - *rate_limit_retries + 1;
+
+ trace2_data_intmax("http", the_repository, "http/429-retry-attempt",
+ retry_attempt);
+
if (*rate_limit_retries <= 0) {
/* Retries are disabled or exhausted */
if (http_max_retries > 0) {
error(_("too many rate limit retries, giving up"));
+ trace2_data_string("http", the_repository,
+ "http/429-error", "retries-exhausted");
}
return -1;
}
@@ -2439,6 +2451,10 @@ static long handle_rate_limit_retry(int *rate_limit_retries, long slot_retry_aft
error(_("rate limited (HTTP 429) requested %ld second delay, "
"exceeds http.maxRetryTime of %ld seconds"),
slot_retry_after, http_max_retry_time);
+ trace2_data_string("http", the_repository,
+ "http/429-error", "exceeds-max-retry-time");
+ trace2_data_intmax("http", the_repository,
+ "http/429-requested-delay", slot_retry_after);
return -1;
}
return slot_retry_after;
@@ -2448,6 +2464,8 @@ static long handle_rate_limit_retry(int *rate_limit_retries, long slot_retry_aft
/* Not configured - exit with error */
error(_("rate limited (HTTP 429) and no Retry-After header provided. "
"Configure http.retryAfter or set GIT_HTTP_RETRY_AFTER."));
+ trace2_data_string("http", the_repository,
+ "http/429-error", "no-retry-after-config");
return -1;
}
/* Check if configured default exceeds maximum allowed */
@@ -2455,9 +2473,12 @@ static long handle_rate_limit_retry(int *rate_limit_retries, long slot_retry_aft
error(_("configured http.retryAfter (%ld seconds) exceeds "
"http.maxRetryTime (%ld seconds)"),
http_retry_after, http_max_retry_time);
+ trace2_data_string("http", the_repository,
+ "http/429-error", "config-exceeds-max-retry-time");
return -1;
}
-
+ trace2_data_string("http", the_repository,
+ "http/429-retry-source", "config-default");
return http_retry_after;
}
}
--
gitgitgadget
^ permalink raw reply related [flat|nested] 49+ messages in thread
* Re: [PATCH v2 1/2] http: add support for HTTP 429 rate limit retries
2025-12-18 14:44 ` [PATCH v2 1/2] " Vaidas Pilkauskas via GitGitGadget
@ 2026-02-11 1:05 ` Taylor Blau
2026-02-11 9:13 ` Jeff King
2026-02-13 13:30 ` Vaidas Pilkauskas
0 siblings, 2 replies; 49+ messages in thread
From: Taylor Blau @ 2026-02-11 1:05 UTC (permalink / raw)
To: Vaidas Pilkauskas via GitGitGadget; +Cc: git, Vaidas Pilkauskas, Jeff King
On Thu, Dec 18, 2025 at 02:44:47PM +0000, Vaidas Pilkauskas via GitGitGadget wrote:
> From: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
>
> Add retry logic for HTTP 429 (Too Many Requests) responses to handle
> server-side rate limiting gracefully. When Git's HTTP client receives
> a 429 response, it can now automatically retry the request after an
> appropriate delay, respecting the server's rate limits.
>
> The implementation supports the RFC-compliant Retry-After header in
> both delay-seconds (integer) and HTTP-date (RFC 2822) formats. If a
> past date is provided, Git retries immediately without waiting.
>
> Retry behavior is controlled by three new configuration options
> (http.maxRetries, http.retryAfter, and http.maxRetryTime) which are
> documented in git-config(1).
>
> The retry logic implements a fail-fast approach: if any delay
> (whether from server header or configuration) exceeds maxRetryTime,
> Git fails immediately with a clear error message rather than capping
> the delay. This provides better visibility into rate limiting issues.
>
> The implementation includes extensive test coverage for basic retry
> behavior, Retry-After header formats (integer and HTTP-date),
> configuration combinations, maxRetryTime limits, invalid header
> handling, environment variable overrides, and edge cases.
> +http.retryAfter::
> + Default wait time in seconds before retrying when a server returns
> + HTTP 429 (Too Many Requests) without a Retry-After header. If set
> + to -1 (the default), Git will fail immediately when encountering
While reviewing, I originally wrote:
Setting the default as "-1" makes sense to me. The current behavior is
to give up when we receive a HTTP 429 response with or without a
Retry-After header, so retaining that behavior makes sense and seems
like a sensible path.
, but I'm not sure that I am sold on that line of thinking. This is
controlling how long we'll wait after a 429 response before retrying,
not how many times we'll retry (which is `http.maxRetries` below).
Should the default here be zero? We would "retry" immediately, but that
retry would fail since the maximum retries is set to "zero" by default.
> diff --git a/http-push.c b/http-push.c
> index 60a9b75620..ddb9948352 100644
> --- a/http-push.c
> +++ b/http-push.c
> @@ -716,6 +716,10 @@ static int fetch_indices(void)
> case HTTP_MISSING_TARGET:
> ret = 0;
> break;
> + case HTTP_RATE_LIMITED:
> + error(_("rate limited by '%s', please try again later"), repo->url);
> + ret = -1;
> + break;
> default:
> ret = -1;
> }
> @@ -1548,6 +1552,10 @@ static int remote_exists(const char *path)
> case HTTP_MISSING_TARGET:
> ret = 0;
> break;
> + case HTTP_RATE_LIMITED:
> + error(_("rate limited by '%s', please try again later"), url);
> + ret = -1;
> + break;
I wonder if there is an opportunity to DRY this up a bit? I think the
case in fetch_indices() is very similar to remote_Exists(), and ditto
for fetch_indices() in the http-walker.c code.
The only exception I could see is http-walker.c's fetch_indices() needs
to also set repo->got_indices, but I think that could be done as a
separate pass.
If you end up going in that direction, I would suggest pulling out a
function as a preparatory commit before introducing the changes in this
patch so that you when you are ready to add the "rate limited by '%s'"
error(), you only have to do so once.
> -static size_t fwrite_wwwauth(char *ptr, size_t eltsize, size_t nmemb, void *p UNUSED)
> +static size_t fwrite_headers(char *ptr, size_t eltsize, size_t nmemb, void *p)
Thanks for making this change. I think that handling both
www-authenticate and retry-after headers in the same function makes a
lot of sense, and the new name reflects that appropriately.
> {
> size_t size = eltsize * nmemb;
> struct strvec *values = &http_auth.wwwauth_headers;
> struct strbuf buf = STRBUF_INIT;
> const char *val;
> size_t val_len;
> + struct active_request_slot *slot = (struct active_request_slot *)p;
>
> /*
> * Header lines may not come NULL-terminated from libcurl so we must
> @@ -257,6 +264,47 @@ static size_t fwrite_wwwauth(char *ptr, size_t eltsize, size_t nmemb, void *p UN
> goto exit;
> }
>
> + /* Parse Retry-After header for rate limiting */
> + if (skip_iprefix_mem(ptr, size, "retry-after:", &val, &val_len)) {
> + strbuf_add(&buf, val, val_len);
> + strbuf_trim(&buf);
> +
> + if (slot && slot->results) {
> + /* Parse the retry-after value (delay-seconds or HTTP-date) */
> + char *endptr;
> + long retry_after;
> +
> + errno = 0;
> + retry_after = strtol(buf.buf, &endptr, 10);
> +
> + /* Check if it's a valid integer (delay-seconds format) */
> + if (endptr != buf.buf && *endptr == '\0' &&
> + errno != ERANGE && retry_after > 0) {
Should we handle "Retry-After: 0" here? I think that this means "retry
immediately", so I imagine that we should change this to read "&&
retry_after >= 0" instead.
> + slot->results->retry_after = retry_after;
> + } else {
> + /* Try parsing as HTTP-date format */
> + timestamp_t timestamp;
> + int offset;
> + if (!parse_date_basic(buf.buf, ×tamp, &offset)) {
> + /* Successfully parsed as date, calculate delay from now */
> + timestamp_t now = time(NULL);
> + if (timestamp > now) {
> + slot->results->retry_after = (long)(timestamp - now);
> + } else {
> + /* Past date means retry immediately */
> + slot->results->retry_after = 0;
> + }
> + } else {
> + /* Failed to parse as either delay-seconds or HTTP-date */
> + warning(_("unable to parse Retry-After header value: '%s'"), buf.buf);
> + }
> + }
> + }
> +
> + http_auth.header_is_last_match = 1;
Could you help me understand why we're setting header_is_last_match
here? I think since we immediately "goto exit" this line isn't strictly
necessary.
As a separate but related note, I don't know if this function properly
handles header continuations for Retry-After headers, but in practice I
suspect it doesn't matter, as servers should not be continuing
Retry-After headers across multiple lines.
> @@ -1660,44 +1729,98 @@ void run_active_slot(struct active_request_slot *slot)
> fd_set excfds;
> int max_fd;
> struct timeval select_timeout;
> + long curl_timeout;
> + struct timeval start_time = {0}, current_time, elapsed_time = {0};
> + long remaining_seconds;
> int finished = 0;
> + int slot_not_started = (slot->finished == NULL);
> + int waiting_for_delay = (slot->retry_delay_seconds > 0);
> +
> + if (waiting_for_delay) {
> + warning(_("rate limited, waiting %ld seconds before retry"), slot->retry_delay_seconds);
> + start_time = slot->retry_delay_start;
> + }
>
> slot->finished = &finished;
> - while (!finished) {
> + while (waiting_for_delay || !finished) {
> + if (waiting_for_delay) {
> + gettimeofday(¤t_time, NULL);
> + elapsed_time.tv_sec = current_time.tv_sec - start_time.tv_sec;
> + elapsed_time.tv_usec = current_time.tv_usec - start_time.tv_usec;
> + if (elapsed_time.tv_usec < 0) {
> + elapsed_time.tv_sec--;
> + elapsed_time.tv_usec += 1000000;
> + }
> +
> + if (elapsed_time.tv_sec >= slot->retry_delay_seconds) {
> + slot->retry_delay_seconds = -1;
> + waiting_for_delay = 0;
> +
> + if (slot_not_started)
> + return;
I wonder if run_active_slot() is the right place for these changes or if
it should be handled separately. I think it may be somewhat surprising
for run_active_slot() to return without actually running the slot, even
if the slot is marked as "active" but just waiting for a delay.
OTOH, like I mentioned earlier, I am far from an expert in this part of
the code, so perhaps this is totally OK. shortlog says that Peff (CC'd)
is among the most active contributors to this file in the past year, so
I'll be curious what he thinks as well.
> @@ -1871,6 +1994,8 @@ static int handle_curl_result(struct slot_results *results)
> }
> return HTTP_REAUTH;
> }
> + } else if (results->http_code == 429) {
> + return HTTP_RATE_LIMITED;
> } else {
> if (results->http_connectcode == 407)
> credential_reject(the_repository, &proxy_auth);
> @@ -1886,6 +2011,14 @@ int run_one_slot(struct active_request_slot *slot,
> struct slot_results *results)
> {
> slot->results = results;
> + /* Initialize retry_after to -1 (not set) */
> + results->retry_after = -1;
> +
> + /* If there's a retry delay, wait for it before starting the slot */
> + if (slot->retry_delay_seconds > 0) {
> + run_active_slot(slot);
> + }
This is a nitpick, but the curly braces here are unnecessary for a
single-line if statement. Documentation/CodingGuidelines has more
details here.
> +
> if (!start_active_slot(slot)) {
> xsnprintf(curl_errorstr, sizeof(curl_errorstr),
> "failed to start HTTP request");
> @@ -2117,9 +2250,13 @@ static void http_opt_request_remainder(CURL *curl, off_t pos)
> #define HTTP_REQUEST_STRBUF 0
> #define HTTP_REQUEST_FILE 1
>
> +static void sleep_for_retry(struct active_request_slot *slot, long retry_after);
> +
> static int http_request(const char *url,
> void *result, int target,
> - const struct http_get_options *options)
> + const struct http_get_options *options,
> + long *retry_after_out,
> + long retry_delay)
> {
> struct active_request_slot *slot;
> struct slot_results results;
> @@ -2129,6 +2266,10 @@ static int http_request(const char *url,
> int ret;
>
> slot = get_active_slot();
> + /* Mark slot for delay if retry delay is provided */
> + if (retry_delay > 0) {
> + sleep_for_retry(slot, retry_delay);
> + }
Same note here as above.
> +/*
> + * Handle rate limiting retry logic for HTTP 429 responses.
> + * Uses slot-specific retry_after value to support concurrent slots.
> + * Returns a negative value if retries are exhausted or configuration is invalid,
> + * otherwise returns the delay value (>= 0) to indicate the retry should proceed.
> + */
> +static long handle_rate_limit_retry(int *rate_limit_retries, long slot_retry_after)
> +{
> + int retry_attempt = http_max_retries - *rate_limit_retries + 1;
> + if (*rate_limit_retries <= 0) {
> + /* Retries are disabled or exhausted */
> + if (http_max_retries > 0) {
> + error(_("too many rate limit retries, giving up"));
> + }
Here as well.
> + return -1;
> + }
> +
> + /* Decrement retries counter */
> + (*rate_limit_retries)--;
> +
> + /* Use the slot-specific retry_after value or configured default */
> + if (slot_retry_after >= 0) {
> + /* Check if retry delay exceeds maximum allowed */
> + if (slot_retry_after > http_max_retry_time) {
> + error(_("rate limited (HTTP 429) requested %ld second delay, "
> + "exceeds http.maxRetryTime of %ld seconds"),
> + slot_retry_after, http_max_retry_time);
> + return -1;
> + }
> + return slot_retry_after;
> + } else {
> + /* No Retry-After header provided */
> + if (http_retry_after < 0) {
> + /* Not configured - exit with error */
> + error(_("rate limited (HTTP 429) and no Retry-After header provided. "
> + "Configure http.retryAfter or set GIT_HTTP_RETRY_AFTER."));
> + return -1;
> + }
> + /* Check if configured default exceeds maximum allowed */
> + if (http_retry_after > http_max_retry_time) {
> + error(_("configured http.retryAfter (%ld seconds) exceeds "
> + "http.maxRetryTime (%ld seconds)"),
> + http_retry_after, http_max_retry_time);
> + return -1;
> + }
As a general note on these error()s, I wonder if it would be worth
shortening them up a bit. For example, the first one reads:
"rate limited (HTTP 429) requested %ld second delay, exceeds http.maxRetryTime of %ld seconds"
Perhaps we could shorten this to something like:
"response requested a delay greater than http.maxRetryTime (%ld > %ld seconds)"
I feel like we could get it even shorter, but I think that this is a
good starting point.
As an additional note, I think we generally try and avoid putting
instructions like "Configure http.retryAfter or [...]" in error()
messages. Those would be good advise() messages, enabling the user to
turn them off if they are not relevant to their situation, whereas
error() messages are fixed.
> +static int http_request_recoverable(const char *url,
> void *result, int target,
> struct http_get_options *options)
> {
> int i = 3;
> int ret;
> + int rate_limit_retries = http_max_retries;
> + long slot_retry_after = -1; /* Per-slot retry_after value */
>
> if (always_auth_proactively())
> credential_fill(the_repository, &http_auth, 1);
>
> - ret = http_request(url, result, target, options);
> + ret = http_request(url, result, target, options, &slot_retry_after, -1);
>
> - if (ret != HTTP_OK && ret != HTTP_REAUTH)
> + if (ret != HTTP_OK && ret != HTTP_REAUTH && ret != HTTP_RATE_LIMITED)
> return ret;
>
> + /* If retries are disabled and we got a 429, fail immediately */
> + if (ret == HTTP_RATE_LIMITED && http_max_retries == 0)
Another minor CodingGuidelines nit, but we generally do not write "x ==
0", and instead prefer "!x".
> + return HTTP_ERROR;
> +
> if (options && options->effective_url && options->base_url) {
> if (update_url_from_redirect(options->base_url,
> url, options->effective_url)) {
> @@ -2276,7 +2491,8 @@ static int http_request_reauth(const char *url,
> }
> }
>
> - while (ret == HTTP_REAUTH && --i) {
> + while ((ret == HTTP_REAUTH || ret == HTTP_RATE_LIMITED) && --i) {
I had to re-read this line, since I wasn't sure that decrementing i was
the right thing to do for both reauth and rate limited responses. But it
is, since we pass a pointer to rate_limit_retries down to
handle_rate_limit_retry() which will decrement it and eventually cause
it to return -1 when retries are exhausted, causing this loop to exit.
> static int get_protocol_http_header(enum protocol_version version,
> @@ -518,21 +529,25 @@ static struct discovery *discover_refs(const char *service, int for_push)
> case HTTP_OK:
> break;
> case HTTP_MISSING_TARGET:
> - show_http_message(&type, &charset, &buffer);
> - die(_("repository '%s' not found"),
> - transport_anonymize_url(url.buf));
> + show_http_message_fatal(&type, &charset, &buffer,
> + _("repository '%s' not found"),
> + transport_anonymize_url(url.buf));
Thanks for taking my suggestion here as well. I think that the end
result reads much cleaner, though I do think that introducing the new
show_http_message_fatal() function and rewriting the existing code
should happen in a preparatory commit before this one to more clearly
separate the changes.
> diff --git a/strbuf.c b/strbuf.c
> index 6c3851a7f8..1d3860869e 100644
> --- a/strbuf.c
> +++ b/strbuf.c
> @@ -168,7 +168,7 @@ int strbuf_reencode(struct strbuf *sb, const char *from, const char *to)
> if (!out)
> return -1;
>
> - strbuf_attach(sb, out, len, len);
> + strbuf_attach(sb, out, len, len + 1);
Not sure that I'm following this change.
> diff --git a/t/lib-httpd.sh b/t/lib-httpd.sh
> index 5091db949b..8a43261ffc 100644
> --- a/t/lib-httpd.sh
> +++ b/t/lib-httpd.sh
I may solicit Peff's input here on the remainder of the test changes,
since he is much more familiar with the lib-httpd parts of the suite
than I am.
Thanks,
Taylor
^ permalink raw reply [flat|nested] 49+ messages in thread
* Re: [PATCH v2 2/2] http: add trace2 logging for retry operations
2025-12-18 14:44 ` [PATCH v2 2/2] http: add trace2 logging for retry operations Vaidas Pilkauskas via GitGitGadget
@ 2026-02-11 1:06 ` Taylor Blau
0 siblings, 0 replies; 49+ messages in thread
From: Taylor Blau @ 2026-02-11 1:06 UTC (permalink / raw)
To: Vaidas Pilkauskas via GitGitGadget; +Cc: git, Vaidas Pilkauskas
On Thu, Dec 18, 2025 at 02:44:48PM +0000, Vaidas Pilkauskas via GitGitGadget wrote:
> ---
> http.c | 23 ++++++++++++++++++++++-
> 1 file changed, 22 insertions(+), 1 deletion(-)
These changes all look reasonable to me. I think you could reaosnably
squash this into the previous commit, especially since that commit will
likely shrink as you move some hunks out into preparatory patches.
Thanks,
Taylor
^ permalink raw reply [flat|nested] 49+ messages in thread
* Re: [PATCH v2 1/2] http: add support for HTTP 429 rate limit retries
2026-02-11 1:05 ` Taylor Blau
@ 2026-02-11 9:13 ` Jeff King
2026-02-13 13:41 ` Vaidas Pilkauskas
2026-02-13 13:30 ` Vaidas Pilkauskas
1 sibling, 1 reply; 49+ messages in thread
From: Jeff King @ 2026-02-11 9:13 UTC (permalink / raw)
To: Taylor Blau; +Cc: Vaidas Pilkauskas via GitGitGadget, git, Vaidas Pilkauskas
On Tue, Feb 10, 2026 at 08:05:29PM -0500, Taylor Blau wrote:
> > diff --git a/http-push.c b/http-push.c
> > index 60a9b75620..ddb9948352 100644
> > --- a/http-push.c
> > +++ b/http-push.c
> > @@ -716,6 +716,10 @@ static int fetch_indices(void)
> > case HTTP_MISSING_TARGET:
> > ret = 0;
> > break;
> > + case HTTP_RATE_LIMITED:
> > + error(_("rate limited by '%s', please try again later"), repo->url);
> > + ret = -1;
> > + break;
> > default:
> > ret = -1;
> > }
> > @@ -1548,6 +1552,10 @@ static int remote_exists(const char *path)
> > case HTTP_MISSING_TARGET:
> > ret = 0;
> > break;
> > + case HTTP_RATE_LIMITED:
> > + error(_("rate limited by '%s', please try again later"), url);
> > + ret = -1;
> > + break;
>
> I wonder if there is an opportunity to DRY this up a bit? I think the
> case in fetch_indices() is very similar to remote_Exists(), and ditto
> for fetch_indices() in the http-walker.c code.
IMHO it is not worth trying to clean up http-push here. It's the dumb
push-over-webdav implementation that nobody uses. I'd actually be happy
to see it ripped out, but am too lazy to go through the effort of a big
deprecation period myself.
So I would actually consider not touching this code at all, and letting
it continue to behave as it did before (returning -1 and not producing
any specialized message). Though I suppose in remote_exists() we'd fail
to even print the curl error anymore, which would be a regression.
Ditto for http-walker.c's fetch_indices() function. It is used only for
dumb-http fetches (which are forbidden by most forges). And if not
touched at all, it would continue to function in the same way (not
producing any specialized message).
> As a separate but related note, I don't know if this function properly
> handles header continuations for Retry-After headers, but in practice I
> suspect it doesn't matter, as servers should not be continuing
> Retry-After headers across multiple lines.
Yeah, I noticed that, too. And all of the parsing actually makes me
nervous. Surely curl can do some of this for us?
...studies some manpages...
Ah, indeed. How about:
curl_off_t wait = 0;
curl_easy_getinfo(slot->curl, CURLINFO_RETRY_AFTER, &wait);
You can see how we already dig out similar info in finish_active_slot().
And more extended (but optional) info in http_request(). It looks like
CURLINFO_RETRY_AFTER was added in 7.66.0, so this would have to be a
conditional feature at build-time. But that seems like a reasonable
trade-off.
Side note: the obvious question is why we need fwrite_wwwauth() in the
first place. And the answer is that curl does not provide structured
access to the information from those headers. It does make me wonder
if we could be using curl_easy_header() to get rid of all of this
manual parsing and continuation code. That was introduced in 7.83.0,
which would again make it conditional. But it seems like a nicer path
forward for us. Anyway, way out of scope for this patch.
> > @@ -1660,44 +1729,98 @@ void run_active_slot(struct active_request_slot *slot)
> [...]
> > - while (!finished) {
> > + while (waiting_for_delay || !finished) {
> > + if (waiting_for_delay) {
> > + gettimeofday(¤t_time, NULL);
> > + elapsed_time.tv_sec = current_time.tv_sec - start_time.tv_sec;
> > + elapsed_time.tv_usec = current_time.tv_usec - start_time.tv_usec;
> > + if (elapsed_time.tv_usec < 0) {
> > + elapsed_time.tv_sec--;
> > + elapsed_time.tv_usec += 1000000;
> > + }
> > +
> > + if (elapsed_time.tv_sec >= slot->retry_delay_seconds) {
> > + slot->retry_delay_seconds = -1;
> > + waiting_for_delay = 0;
> > +
> > + if (slot_not_started)
> > + return;
>
> I wonder if run_active_slot() is the right place for these changes or if
> it should be handled separately. I think it may be somewhat surprising
> for run_active_slot() to return without actually running the slot, even
> if the slot is marked as "active" but just waiting for a delay.
Yeah, I agree. The point of run_active_slot() is to run the slot to
completion (I think; it has been a while since I've had to dig into any
of this). So I'd either expect it to handle the retry and delay itself
internally, or to return the failed request to the caller, who will then
delay and initiate the retry.
That's all assuming we're making one request at a time (which I think is
mostly all that run_active_slot() handles). There's a much more
complicated question when we have multiple simultaneous requests, which
we'd do only with the dumb protocol (trying to fetch multiple objects at
once). In that case we need to be queuing requests. And I _think_ that
might be what this code is trying to do. But I'm not sure if it would
actually work, as we try to advance those via step_active_slots().
> OTOH, like I mentioned earlier, I am far from an expert in this part of
> the code, so perhaps this is totally OK. shortlog says that Peff (CC'd)
> is among the most active contributors to this file in the past year, so
> I'll be curious what he thinks as well.
Most of the details of this active slot stuff have long been paged out
of my memory. It's all _so_ messy because of the desire for the
dumb-http code to handle multiple requests. But for smart-http (and I
would be perfectly content for this feature to only apply there), we
could probably just focus on run_one_slot(), I'd think.
I.e., what I'd expect the simplest form of the patch to look like is
roughly:
- teach handle_curl_result() to recognize 429 and pull out the
retry-after value, returning HTTP_RETRY
- in run_one_slot(), recognize HTTP_RETRY and if appropriate, sleep
and retry
I do wonder if even that might be too low-level, though. For a real
large request, we'll be streaming data into the request, and I'm not
sure we _can_ retry. We send a probe_rpc() first in that case to try to
resolve issues like credential-filling. But there's nothing to say that
we can't get a 200 on the probe and a 429 on the real request.
Which I guess implies to me that http_request_reauth() should be where
the magic happens. And it somewhat does in this patch, but...why not do
the sleeping there, and why push it all the way down into
run_active_slot()?
I know I'm kind of talking in circles here, which is indicative of my
confusion (and the general complexity of the http code). But as the
patch stands, I'm not really convinced which cases it is trying to cover
(single requests vs multi, repeatable requests vs streaming POSTs), how
well it covers them, and that it is doing it as simply as possible (or
at least keeping the logic together).
> > @@ -518,21 +529,25 @@ static struct discovery *discover_refs(const char *service, int for_push)
> > case HTTP_OK:
> > break;
> > case HTTP_MISSING_TARGET:
> > - show_http_message(&type, &charset, &buffer);
> > - die(_("repository '%s' not found"),
> > - transport_anonymize_url(url.buf));
> > + show_http_message_fatal(&type, &charset, &buffer,
> > + _("repository '%s' not found"),
> > + transport_anonymize_url(url.buf));
>
> Thanks for taking my suggestion here as well. I think that the end
> result reads much cleaner, though I do think that introducing the new
> show_http_message_fatal() function and rewriting the existing code
> should happen in a preparatory commit before this one to more clearly
> separate the changes.
Yeah, I had the same thought.
> > diff --git a/t/lib-httpd.sh b/t/lib-httpd.sh
> > index 5091db949b..8a43261ffc 100644
> > --- a/t/lib-httpd.sh
> > +++ b/t/lib-httpd.sh
>
> I may solicit Peff's input here on the remainder of the test changes,
> since he is much more familiar with the lib-httpd parts of the suite
> than I am.
The lib-httpd parts looked about as I'd expect (and I found the use of
custom URL components to encode the retry parameters quite clever).
There were lots of uses of "date" that I suspect may give us portability
problems. "+%s" is not even in POSIX, but maybe it is universal enough.
But stuff like '-d "+2 seconds"' seems likely to be a GNU-ism.
Using "test-tool date" might get around some of that. We even understand
relative dates like "2 seconds ago", but I think only in the past. :-/
So you'd probably have to do:
now=$(test-tool date timestamp now | cut -d' ' -f3)
then=$((now + 2))
test-tool date show:rfc2822 $then
or something.
-Peff
^ permalink raw reply [flat|nested] 49+ messages in thread
* Re: [PATCH v2 1/2] http: add support for HTTP 429 rate limit retries
2026-02-11 1:05 ` Taylor Blau
2026-02-11 9:13 ` Jeff King
@ 2026-02-13 13:30 ` Vaidas Pilkauskas
1 sibling, 0 replies; 49+ messages in thread
From: Vaidas Pilkauskas @ 2026-02-13 13:30 UTC (permalink / raw)
To: Taylor Blau; +Cc: Vaidas Pilkauskas via GitGitGadget, git, Jeff King
On Wed, Feb 11, 2026 at 3:05 AM Taylor Blau <me@ttaylorr.com> wrote:
> > +http.retryAfter::
> > + Default wait time in seconds before retrying when a server returns
> > + HTTP 429 (Too Many Requests) without a Retry-After header. If set
> > + to -1 (the default), Git will fail immediately when encountering
>
> While reviewing, I originally wrote:
>
> Setting the default as "-1" makes sense to me. The current behavior is
> to give up when we receive a HTTP 429 response with or without a
> Retry-After header, so retaining that behavior makes sense and seems
> like a sensible path.
>
> , but I'm not sure that I am sold on that line of thinking. This is
> controlling how long we'll wait after a 429 response before retrying,
> not how many times we'll retry (which is `http.maxRetries` below).
>
> Should the default here be zero? We would "retry" immediately, but that
> retry would fail since the maximum retries is set to "zero" by default.
I think the only reason I was using "-1" is to have an opportunity to advise
on existing configuration for retries, but I guess we can live without advising
as I expect folks who are willing to configure retry handling will be advanced
users who are aware of the options. I'll switch to "0".
> > diff --git a/http-push.c b/http-push.c
> > index 60a9b75620..ddb9948352 100644
> > --- a/http-push.c
> > +++ b/http-push.c
> > @@ -716,6 +716,10 @@ static int fetch_indices(void)
> > + case HTTP_RATE_LIMITED:
> > + error(_("rate limited by '%s', please try again later"), url);
> > + ret = -1;
> > + break;
>
> I wonder if there is an opportunity to DRY this up a bit? I think the
> case in fetch_indices() is very similar to remote_Exists(), and ditto
> for fetch_indices() in the http-walker.c code.
I'll leave this code unchanged as per Peff's suggestion.
>
> > + slot->results->retry_after = retry_after;
> > + } else {
> > + /* Try parsing as HTTP-date format */
> > + timestamp_t timestamp;
> > + int offset;
> > + if (!parse_date_basic(buf.buf, ×tamp, &offset)) {
> > + /* Successfully parsed as date, calculate delay from now */
> > + timestamp_t now = time(NULL);
> > + if (timestamp > now) {
> > + slot->results->retry_after = (long)(timestamp - now);
> > + } else {
> > + /* Past date means retry immediately */
> > + slot->results->retry_after = 0;
> > + }
> > + } else {
> > + /* Failed to parse as either delay-seconds or HTTP-date */
> > + warning(_("unable to parse Retry-After header value: '%s'"), buf.buf);
> > + }
> > + }
> > + }
> > +
> > + http_auth.header_is_last_match = 1;
>
> Could you help me understand why we're setting header_is_last_match
> here? I think since we immediately "goto exit" this line isn't strictly
> necessary.
Yes, this should not be needed - I'll remove the statement.
> As a separate but related note, I don't know if this function properly
> handles header continuations for Retry-After headers, but in practice I
> suspect it doesn't matter, as servers should not be continuing
> Retry-After headers across multiple lines.
Yes, I assume it's not applicable to Retry-After, so I'm not handling
continuations.
> > @@ -1660,44 +1729,98 @@ void run_active_slot(struct active_request_slot *slot)
> I wonder if run_active_slot() is the right place for these changes or if
> it should be handled separately. I think it may be somewhat surprising
> for run_active_slot() to return without actually running the slot, even
> if the slot is marked as "active" but just waiting for a delay.
>
> OTOH, like I mentioned earlier, I am far from an expert in this part of
> the code, so perhaps this is totally OK. shortlog says that Peff (CC'd)
> is among the most active contributors to this file in the past year, so
> I'll be curious what he thinks as well.
I'll follow Peff's review for this part.
> > diff --git a/strbuf.c b/strbuf.c
> > index 6c3851a7f8..1d3860869e 100644
> > --- a/strbuf.c
> > +++ b/strbuf.c
> > @@ -168,7 +168,7 @@ int strbuf_reencode(struct strbuf *sb, const char *from, const char *to)
> > if (!out)
> > return -1;
> >
> > - strbuf_attach(sb, out, len, len);
> > + strbuf_attach(sb, out, len, len + 1);
Sorry, I totally forgot about this change. I still got leak reported
from CI, so I
narrowed it down to this line. I'll make a separate commit to discuss it.
> Not sure that I'm following this change.
> Thanks,
> Taylor
Thanks, Taylor, for the review!
^ permalink raw reply [flat|nested] 49+ messages in thread
* Re: [PATCH v2 1/2] http: add support for HTTP 429 rate limit retries
2026-02-11 9:13 ` Jeff King
@ 2026-02-13 13:41 ` Vaidas Pilkauskas
2026-02-15 9:13 ` Jeff King
0 siblings, 1 reply; 49+ messages in thread
From: Vaidas Pilkauskas @ 2026-02-13 13:41 UTC (permalink / raw)
To: Jeff King; +Cc: Taylor Blau, Vaidas Pilkauskas via GitGitGadget, git
On Wed, Feb 11, 2026 at 11:13 AM Jeff King <peff@peff.net> wrote:
> Yeah, I noticed that, too. And all of the parsing actually makes me
> nervous. Surely curl can do some of this for us?
>
> ...studies some manpages...
>
> Ah, indeed. How about:
>
> curl_off_t wait = 0;
> curl_easy_getinfo(slot->curl, CURLINFO_RETRY_AFTER, &wait);
>
> You can see how we already dig out similar info in finish_active_slot().
> And more extended (but optional) info in http_request(). It looks like
> CURLINFO_RETRY_AFTER was added in 7.66.0, so this would have to be a
> conditional feature at build-time. But that seems like a reasonable
> trade-off.
I'll add parsing with libcurl under conditional feature.
> Most of the details of this active slot stuff have long been paged out
> of my memory. It's all _so_ messy because of the desire for the
> dumb-http code to handle multiple requests. But for smart-http (and I
> would be perfectly content for this feature to only apply there), we
> could probably just focus on run_one_slot(), I'd think.
>
> I.e., what I'd expect the simplest form of the patch to look like is
> roughly:
>
> - teach handle_curl_result() to recognize 429 and pull out the
> retry-after value, returning HTTP_RETRY
>
> - in run_one_slot(), recognize HTTP_RETRY and if appropriate, sleep
> and retry
>
This greatly simplifies implementation. I think following similar pattern like
auth handling does makes a lot of sense. So, instead of sleeping in
run_one_slot(), I think it makes sense to sleep in http_request_recoverable()
where HTTP_REAUTH is handled.
> > I may solicit Peff's input here on the remainder of the test changes,
> > since he is much more familiar with the lib-httpd parts of the suite
> > than I am.
>
> The lib-httpd parts looked about as I'd expect (and I found the use of
> custom URL components to encode the retry parameters quite clever).
>
> There were lots of uses of "date" that I suspect may give us portability
> problems. "+%s" is not even in POSIX, but maybe it is universal enough.
> But stuff like '-d "+2 seconds"' seems likely to be a GNU-ism.
>
> Using "test-tool date" might get around some of that. We even understand
> relative dates like "2 seconds ago", but I think only in the past. :-/
> So you'd probably have to do:
>
> now=$(test-tool date timestamp now | cut -d' ' -f3)
> then=$((now + 2))
> test-tool date show:rfc2822 $then
>
> or something.
I was not aware about test-tool, thanks!
> -Peff
Thanks, Peff, for the review!
^ permalink raw reply [flat|nested] 49+ messages in thread
* Re: [PATCH v2 1/2] http: add support for HTTP 429 rate limit retries
2026-02-13 13:41 ` Vaidas Pilkauskas
@ 2026-02-15 9:13 ` Jeff King
0 siblings, 0 replies; 49+ messages in thread
From: Jeff King @ 2026-02-15 9:13 UTC (permalink / raw)
To: Vaidas Pilkauskas; +Cc: Taylor Blau, Vaidas Pilkauskas via GitGitGadget, git
On Fri, Feb 13, 2026 at 03:41:55PM +0200, Vaidas Pilkauskas wrote:
> > There were lots of uses of "date" that I suspect may give us portability
> > problems. "+%s" is not even in POSIX, but maybe it is universal enough.
> > But stuff like '-d "+2 seconds"' seems likely to be a GNU-ism.
> >
> > Using "test-tool date" might get around some of that. We even understand
> > relative dates like "2 seconds ago", but I think only in the past. :-/
> > So you'd probably have to do:
> >
> > now=$(test-tool date timestamp now | cut -d' ' -f3)
> > then=$((now + 2))
> > test-tool date show:rfc2822 $then
> >
> > or something.
>
> I was not aware about test-tool, thanks!
It might be a little awkward to bend it to your will, especially since
it likes to print "input -> output" instead of just the output you want.
If it gets too hairy, I wouldn't be opposed to teaching it a new option
or even a new command-mode for doing this kind of computed date stuff.
-Peff
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH v3 0/3] http: add support for HTTP 429 rate limit retries
2025-12-18 14:44 ` [PATCH v2 0/2] http: add support for HTTP 429 rate limit retries Vaidas Pilkauskas via GitGitGadget
2025-12-18 14:44 ` [PATCH v2 1/2] " Vaidas Pilkauskas via GitGitGadget
2025-12-18 14:44 ` [PATCH v2 2/2] http: add trace2 logging for retry operations Vaidas Pilkauskas via GitGitGadget
@ 2026-02-17 11:08 ` Vaidas Pilkauskas via GitGitGadget
2026-02-17 11:08 ` [PATCH v3 1/3] strbuf: fix incorrect alloc size in strbuf_reencode() Vaidas Pilkauskas via GitGitGadget
` (3 more replies)
2 siblings, 4 replies; 49+ messages in thread
From: Vaidas Pilkauskas via GitGitGadget @ 2026-02-17 11:08 UTC (permalink / raw)
To: git; +Cc: Taylor Blau, Jeff King, Vaidas Pilkauskas
Changes since v2:
* New preparatory patch: Introduced show_http_message_fatal() helper
function to reduce code duplication in remote-curl.c (suggested by Taylor
Blau)
* Removed specific HTTP_RATE_LIMITED error handling from http-push.c and
http-walker.c for the obsolete "dumb" protocol, allowing generic error
handling to take over (suggested by Jeff King)
* Added support for CURLINFO_RETRY_AFTER on curl >= 7.66.0, falling back to
manual header parsing on older versions
* Simplified retry/delay architecture: replaced complex non-blocking
"delayed slot" mechanism with simple blocking sleep() call in the retry
loop, removing ~66 lines of timing logic (suggested by Jeff King)
* Fixed Retry-After: 0 handling to allow immediate retry as specified by
RFC 9110
* Changed http.retryAfter default from -1 to 0, so Git will retry
immediately when encountering HTTP 429 without a Retry-After header,
rather than failing with a configuration error
* Improved error messages: shortened to be more concise
* Fixed coding style issues: removed unnecessary curly braces, changed x ==
0 to !x (per CodingGuidelines)
* Improved test portability: replaced non-portable date(1) commands with
test-tool date, added nanosecond-precision timing with getnanos, replaced
cut(1) with POSIX shell parameter expansion
* Split out strbuf.c bugfix into separate preparatory patch (the
strbuf_reencode alloc size fix is unrelated to HTTP 429 support)
* Squashed separate trace2 logging patch into main HTTP 429 retry support
commit
* Kept header_is_last_match assignment for Retry-After to prevent incorrect
handling of HTTP header continuation lines
The implementation includes:
1. A bug fix in strbuf_reencode() that corrects the allocation size passed
to strbuf_attach(), ensuring proper memory management.
2. A refactoring in remote-curl.c that introduces a
show_http_message_fatal() helper to reduce code duplication when
handling fatal HTTP errors.
3. The main feature: HTTP 429 retry logic with support for the Retry-After
header (both delay-seconds and HTTP-date formats), configurable via
http.maxRetries, http.retryAfter, and http.maxRetryTime options.
Vaidas Pilkauskas (3):
strbuf: fix incorrect alloc size in strbuf_reencode()
remote-curl: introduce show_http_message_fatal() helper
http: add support for HTTP 429 rate limit retries
Documentation/config/http.adoc | 23 +++
git-curl-compat.h | 8 +
http.c | 190 +++++++++++++++++++++--
http.h | 2 +
remote-curl.c | 49 +++---
strbuf.c | 2 +-
t/lib-httpd.sh | 1 +
t/lib-httpd/apache.conf | 8 +
t/lib-httpd/http-429.sh | 98 ++++++++++++
t/meson.build | 1 +
t/t5584-http-429-retry.sh | 266 +++++++++++++++++++++++++++++++++
11 files changed, 618 insertions(+), 30 deletions(-)
create mode 100644 t/lib-httpd/http-429.sh
create mode 100755 t/t5584-http-429-retry.sh
base-commit: 852829b3dd2fe4e7c7fc4d8badde644cf1b66c74
Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-2008%2Fvaidas-shopify%2Fretry-after-v3
Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-2008/vaidas-shopify/retry-after-v3
Pull-Request: https://github.com/gitgitgadget/git/pull/2008
Range-diff vs v2:
-: ---------- > 1: 821043c664 strbuf: fix incorrect alloc size in strbuf_reencode()
-: ---------- > 2: 3653067f0e remote-curl: introduce show_http_message_fatal() helper
1: d80ce07703 ! 3: 3cece62a63 http: add support for HTTP 429 rate limit retries
@@ Documentation/config/http.adoc: http.keepAliveCount::
+http.retryAfter::
+ Default wait time in seconds before retrying when a server returns
-+ HTTP 429 (Too Many Requests) without a Retry-After header. If set
-+ to -1 (the default), Git will fail immediately when encountering
-+ a 429 response without a Retry-After header. When a Retry-After
-+ header is present, its value takes precedence over this setting.
-+ Can be overridden by the `GIT_HTTP_RETRY_AFTER` environment variable.
++ HTTP 429 (Too Many Requests) without a Retry-After header.
++ Defaults to 0 (retry immediately). When a Retry-After header is
++ present, its value takes precedence over this setting. Can be
++ overridden by the `GIT_HTTP_RETRY_AFTER` environment variable.
+ See also `http.maxRetries` and `http.maxRetryTime`.
+
+http.maxRetries::
@@ Documentation/config/http.adoc: http.keepAliveCount::
A boolean which disables using of EPSV ftp command by curl.
This can be helpful with some "poor" ftp servers which don't
- ## http-push.c ##
-@@ http-push.c: static int fetch_indices(void)
- case HTTP_MISSING_TARGET:
- ret = 0;
- break;
-+ case HTTP_RATE_LIMITED:
-+ error(_("rate limited by '%s', please try again later"), repo->url);
-+ ret = -1;
-+ break;
- default:
- ret = -1;
- }
-@@ http-push.c: static int remote_exists(const char *path)
- case HTTP_MISSING_TARGET:
- ret = 0;
- break;
-+ case HTTP_RATE_LIMITED:
-+ error(_("rate limited by '%s', please try again later"), url);
-+ ret = -1;
-+ break;
- case HTTP_ERROR:
- error("unable to access '%s': %s", url, curl_errorstr);
- /* fallthrough */
-
- ## http-walker.c ##
-@@ http-walker.c: static int fetch_indices(struct walker *walker, struct alt_base *repo)
- repo->got_indices = 1;
- ret = 0;
- break;
-+ case HTTP_RATE_LIMITED:
-+ error("rate limited by '%s', please try again later", repo->base);
-+ repo->got_indices = 0;
-+ ret = -1;
-+ break;
- default:
- repo->got_indices = 0;
- ret = -1;
+ ## git-curl-compat.h ##
+@@
+ #define GIT_CURL_NEED_TRANSFER_ENCODING_HEADER
+ #endif
+
++/**
++ * CURLINFO_RETRY_AFTER was added in 7.66.0, released in September 2019.
++ * It allows curl to automatically parse Retry-After headers.
++ */
++#if LIBCURL_VERSION_NUM >= 0x074200
++#define GIT_CURL_HAVE_CURLINFO_RETRY_AFTER 1
++#endif
++
+ /**
+ * CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR were added in 7.85.0,
+ * released in August 2022.
## http.c ##
@@
@@ http.c
#include "odb.h"
#include "tempfile.h"
+#include "date.h"
++#include "trace2.h"
static struct trace_key trace_curl = TRACE_KEY_INIT(CURL);
static int trace_curl_data = 1;
@@ http.c: static char *cached_accept_language;
static int http_schannel_check_revoke = 1;
+
-+static long http_retry_after = -1;
++static long http_retry_after = 0;
+static long http_max_retries = 0;
+static long http_max_retry_time = 300;
+
@@ http.c: static inline int is_hdr_continuation(const char *ptr, const size_t size
}
-static size_t fwrite_wwwauth(char *ptr, size_t eltsize, size_t nmemb, void *p UNUSED)
-+static size_t fwrite_headers(char *ptr, size_t eltsize, size_t nmemb, void *p)
++static size_t fwrite_headers(char *ptr, size_t eltsize, size_t nmemb, void *p MAYBE_UNUSED)
{
size_t size = eltsize * nmemb;
struct strvec *values = &http_auth.wwwauth_headers;
- struct strbuf buf = STRBUF_INIT;
- const char *val;
- size_t val_len;
-+ struct active_request_slot *slot = (struct active_request_slot *)p;
-
- /*
- * Header lines may not come NULL-terminated from libcurl so we must
@@ http.c: static size_t fwrite_wwwauth(char *ptr, size_t eltsize, size_t nmemb, void *p UN
goto exit;
}
-+ /* Parse Retry-After header for rate limiting */
++#ifndef GIT_CURL_HAVE_CURLINFO_RETRY_AFTER
++ /* Parse Retry-After header for rate limiting (for curl < 7.66.0) */
+ if (skip_iprefix_mem(ptr, size, "retry-after:", &val, &val_len)) {
++ struct active_request_slot *slot = (struct active_request_slot *)p;
++
+ strbuf_add(&buf, val, val_len);
+ strbuf_trim(&buf);
+
@@ http.c: static size_t fwrite_wwwauth(char *ptr, size_t eltsize, size_t nmemb, vo
+ errno = 0;
+ retry_after = strtol(buf.buf, &endptr, 10);
+
-+ /* Check if it's a valid integer (delay-seconds format) */
-+ if (endptr != buf.buf && *endptr == '\0' &&
-+ errno != ERANGE && retry_after > 0) {
-+ slot->results->retry_after = retry_after;
-+ } else {
++ /* Check if it's a valid integer (delay-seconds format) */
++ if (endptr != buf.buf && *endptr == '\0' &&
++ errno != ERANGE && retry_after >= 0) {
++ slot->results->retry_after = retry_after;
++ } else {
+ /* Try parsing as HTTP-date format */
+ timestamp_t timestamp;
+ int offset;
@@ http.c: static size_t fwrite_wwwauth(char *ptr, size_t eltsize, size_t nmemb, vo
+ }
+ }
+
-+ http_auth.header_is_last_match = 1;
+ goto exit;
+ }
++#endif
+
/*
* This line could be a continuation of the previously matched header
* field. If this is the case then we should append this value to the
+@@ http.c: static void finish_active_slot(struct active_request_slot *slot)
+
+ curl_easy_getinfo(slot->curl, CURLINFO_HTTP_CONNECTCODE,
+ &slot->results->http_connectcode);
++
++#ifdef GIT_CURL_HAVE_CURLINFO_RETRY_AFTER
++ if (slot->results->http_code == 429) {
++ curl_off_t retry_after;
++ CURLcode res = curl_easy_getinfo(slot->curl,
++ CURLINFO_RETRY_AFTER,
++ &retry_after);
++ if (res == CURLE_OK && retry_after > 0)
++ slot->results->retry_after = (long)retry_after;
++ }
++#endif
+ }
+
+ /* Run callback if appropriate */
@@ http.c: static int http_options(const char *var, const char *value,
return 0;
}
@@ http.c: void http_init(struct remote *remote, const char *url, int proactive_aut
curl_default = get_curl_handle();
}
-@@ http.c: struct active_request_slot *get_active_slot(void)
- slot->finished = NULL;
- slot->callback_data = NULL;
- slot->callback_func = NULL;
-+ slot->retry_delay_seconds = -1;
-+ memset(&slot->retry_delay_start, 0, sizeof(slot->retry_delay_start));
-
- if (curl_cookie_file && !strcmp(curl_cookie_file, "-")) {
- warning(_("refusing to read cookies from http.cookiefile '-'"));
-@@ http.c: void run_active_slot(struct active_request_slot *slot)
- fd_set excfds;
- int max_fd;
- struct timeval select_timeout;
-+ long curl_timeout;
-+ struct timeval start_time = {0}, current_time, elapsed_time = {0};
-+ long remaining_seconds;
- int finished = 0;
-+ int slot_not_started = (slot->finished == NULL);
-+ int waiting_for_delay = (slot->retry_delay_seconds > 0);
-+
-+ if (waiting_for_delay) {
-+ warning(_("rate limited, waiting %ld seconds before retry"), slot->retry_delay_seconds);
-+ start_time = slot->retry_delay_start;
-+ }
-
- slot->finished = &finished;
-- while (!finished) {
-+ while (waiting_for_delay || !finished) {
-+ if (waiting_for_delay) {
-+ gettimeofday(¤t_time, NULL);
-+ elapsed_time.tv_sec = current_time.tv_sec - start_time.tv_sec;
-+ elapsed_time.tv_usec = current_time.tv_usec - start_time.tv_usec;
-+ if (elapsed_time.tv_usec < 0) {
-+ elapsed_time.tv_sec--;
-+ elapsed_time.tv_usec += 1000000;
-+ }
-+
-+ if (elapsed_time.tv_sec >= slot->retry_delay_seconds) {
-+ slot->retry_delay_seconds = -1;
-+ waiting_for_delay = 0;
-+
-+ if (slot_not_started)
-+ return;
-+ }
-+ }
-+
- step_active_slots();
-
-- if (slot->in_use) {
-- long curl_timeout;
-- curl_multi_timeout(curlm, &curl_timeout);
-- if (curl_timeout == 0) {
-+ if (!waiting_for_delay && !slot->in_use)
-+ continue;
-+
-+ curl_multi_timeout(curlm, &curl_timeout);
-+ if (curl_timeout == 0) {
-+ if (!waiting_for_delay)
- continue;
-- } else if (curl_timeout == -1) {
-- select_timeout.tv_sec = 0;
-- select_timeout.tv_usec = 50000;
-+ select_timeout.tv_sec = 0;
-+ select_timeout.tv_usec = 50000; /* 50ms */
-+ } else if (curl_timeout == -1) {
-+ select_timeout.tv_sec = 0;
-+ select_timeout.tv_usec = 50000;
-+ } else {
-+ long curl_timeout_sec = curl_timeout / 1000;
-+ long curl_timeout_usec = (curl_timeout % 1000) * 1000;
-+
-+ if (waiting_for_delay) {
-+ remaining_seconds = slot->retry_delay_seconds - elapsed_time.tv_sec;
-+ if (curl_timeout_sec < remaining_seconds) {
-+ select_timeout.tv_sec = curl_timeout_sec;
-+ select_timeout.tv_usec = curl_timeout_usec;
-+ } else {
-+ select_timeout.tv_sec = remaining_seconds;
-+ select_timeout.tv_usec = 0;
-+ }
- } else {
-- select_timeout.tv_sec = curl_timeout / 1000;
-- select_timeout.tv_usec = (curl_timeout % 1000) * 1000;
-+ select_timeout.tv_sec = curl_timeout_sec;
-+ select_timeout.tv_usec = curl_timeout_usec;
- }
-+ }
-
-- max_fd = -1;
-- FD_ZERO(&readfds);
-- FD_ZERO(&writefds);
-- FD_ZERO(&excfds);
-- curl_multi_fdset(curlm, &readfds, &writefds, &excfds, &max_fd);
-+ max_fd = -1;
-+ FD_ZERO(&readfds);
-+ FD_ZERO(&writefds);
-+ FD_ZERO(&excfds);
-+ curl_multi_fdset(curlm, &readfds, &writefds, &excfds, &max_fd);
-
-- /*
-- * It can happen that curl_multi_timeout returns a pathologically
-- * long timeout when curl_multi_fdset returns no file descriptors
-- * to read. See commit message for more details.
-- */
-- if (max_fd < 0 &&
-- (select_timeout.tv_sec > 0 ||
-- select_timeout.tv_usec > 50000)) {
-- select_timeout.tv_sec = 0;
-- select_timeout.tv_usec = 50000;
-- }
-+ /*
-+ * It can happen that curl_multi_timeout returns a pathologically
-+ * long timeout when curl_multi_fdset returns no file descriptors
-+ * to read. See commit message for more details.
-+ */
-+ if (max_fd < 0 &&
-+ (select_timeout.tv_sec > 0 ||
-+ select_timeout.tv_usec > 50000)) {
-+ select_timeout.tv_sec = 0;
-+ select_timeout.tv_usec = 50000;
-+ }
-
-- select(max_fd+1, &readfds, &writefds, &excfds, &select_timeout);
-+ /*
-+ * If curl_multi_fdset returns no file descriptors but we have
-+ * a timeout, still use select() to wait for the timeout period.
-+ */
-+ if (max_fd < 0) {
-+ /* No file descriptors, just wait for timeout */
-+ select(0, NULL, NULL, NULL, &select_timeout);
-+ } else {
-+ select(max_fd + 1, &readfds, &writefds, &excfds, &select_timeout);
- }
- }
-
@@ http.c: static int handle_curl_result(struct slot_results *results)
}
return HTTP_REAUTH;
}
+ } else if (results->http_code == 429) {
++ trace2_data_intmax("http", the_repository, "http/429-retry-after",
++ results->retry_after);
+ return HTTP_RATE_LIMITED;
} else {
if (results->http_connectcode == 407)
@@ http.c: int run_one_slot(struct active_request_slot *slot,
slot->results = results;
+ /* Initialize retry_after to -1 (not set) */
+ results->retry_after = -1;
-+
-+ /* If there's a retry delay, wait for it before starting the slot */
-+ if (slot->retry_delay_seconds > 0) {
-+ run_active_slot(slot);
-+ }
+
if (!start_active_slot(slot)) {
xsnprintf(curl_errorstr, sizeof(curl_errorstr),
"failed to start HTTP request");
@@ http.c: static void http_opt_request_remainder(CURL *curl, off_t pos)
- #define HTTP_REQUEST_STRBUF 0
- #define HTTP_REQUEST_FILE 1
-+static void sleep_for_retry(struct active_request_slot *slot, long retry_after);
-+
static int http_request(const char *url,
void *result, int target,
- const struct http_get_options *options)
+ const struct http_get_options *options,
-+ long *retry_after_out,
-+ long retry_delay)
++ long *retry_after_out)
{
struct active_request_slot *slot;
struct slot_results results;
-@@ http.c: static int http_request(const char *url,
- int ret;
-
- slot = get_active_slot();
-+ /* Mark slot for delay if retry delay is provided */
-+ if (retry_delay > 0) {
-+ sleep_for_retry(slot, retry_delay);
-+ }
- curl_easy_setopt(slot->curl, CURLOPT_HTTPGET, 1L);
-
- if (!result) {
@@ http.c: static int http_request(const char *url,
fwrite_buffer);
}
@@ http.c: static int update_url_from_redirect(struct strbuf *base,
-static int http_request_reauth(const char *url,
+/*
-+ * Mark slot to be delayed for retry. The actual delay will be handled
-+ * in run_active_slot when the slot is executed.
-+ */
-+static void sleep_for_retry(struct active_request_slot *slot, long retry_after)
-+{
-+ if (retry_after > 0 && slot) {
-+ warning(_("rate limited, waiting %ld seconds before retry"), retry_after);
-+ slot->retry_delay_seconds = retry_after;
-+ gettimeofday(&slot->retry_delay_start, NULL);
-+ }
-+}
-+
-+/*
+ * Handle rate limiting retry logic for HTTP 429 responses.
-+ * Uses slot-specific retry_after value to support concurrent slots.
+ * Returns a negative value if retries are exhausted or configuration is invalid,
+ * otherwise returns the delay value (>= 0) to indicate the retry should proceed.
+ */
+static long handle_rate_limit_retry(int *rate_limit_retries, long slot_retry_after)
+{
+ int retry_attempt = http_max_retries - *rate_limit_retries + 1;
++
++ trace2_data_intmax("http", the_repository, "http/429-retry-attempt",
++ retry_attempt);
++
+ if (*rate_limit_retries <= 0) {
+ /* Retries are disabled or exhausted */
+ if (http_max_retries > 0) {
+ error(_("too many rate limit retries, giving up"));
++ trace2_data_string("http", the_repository,
++ "http/429-error", "retries-exhausted");
+ }
+ return -1;
+ }
+
-+ /* Decrement retries counter */
+ (*rate_limit_retries)--;
+
+ /* Use the slot-specific retry_after value or configured default */
+ if (slot_retry_after >= 0) {
+ /* Check if retry delay exceeds maximum allowed */
+ if (slot_retry_after > http_max_retry_time) {
-+ error(_("rate limited (HTTP 429) requested %ld second delay, "
-+ "exceeds http.maxRetryTime of %ld seconds"),
++ error(_("response requested a delay greater than http.maxRetryTime (%ld > %ld seconds)"),
+ slot_retry_after, http_max_retry_time);
++ trace2_data_string("http", the_repository,
++ "http/429-error", "exceeds-max-retry-time");
++ trace2_data_intmax("http", the_repository,
++ "http/429-requested-delay", slot_retry_after);
+ return -1;
+ }
+ return slot_retry_after;
+ } else {
-+ /* No Retry-After header provided */
-+ if (http_retry_after < 0) {
-+ /* Not configured - exit with error */
-+ error(_("rate limited (HTTP 429) and no Retry-After header provided. "
-+ "Configure http.retryAfter or set GIT_HTTP_RETRY_AFTER."));
-+ return -1;
-+ }
-+ /* Check if configured default exceeds maximum allowed */
++ /* No Retry-After header provided, use configured default */
+ if (http_retry_after > http_max_retry_time) {
-+ error(_("configured http.retryAfter (%ld seconds) exceeds "
-+ "http.maxRetryTime (%ld seconds)"),
++ error(_("configured http.retryAfter exceeds http.maxRetryTime (%ld > %ld seconds)"),
+ http_retry_after, http_max_retry_time);
++ trace2_data_string("http", the_repository,
++ "http/429-error", "config-exceeds-max-retry-time");
+ return -1;
+ }
-+
++ trace2_data_string("http", the_repository,
++ "http/429-retry-source", "config-default");
+ return http_retry_after;
+ }
+}
@@ http.c: static int update_url_from_redirect(struct strbuf *base,
credential_fill(the_repository, &http_auth, 1);
- ret = http_request(url, result, target, options);
-+ ret = http_request(url, result, target, options, &slot_retry_after, -1);
++ ret = http_request(url, result, target, options, &slot_retry_after);
- if (ret != HTTP_OK && ret != HTTP_REAUTH)
+ if (ret != HTTP_OK && ret != HTTP_REAUTH && ret != HTTP_RATE_LIMITED)
return ret;
+ /* If retries are disabled and we got a 429, fail immediately */
-+ if (ret == HTTP_RATE_LIMITED && http_max_retries == 0)
++ if (ret == HTTP_RATE_LIMITED && !http_max_retries)
+ return HTTP_ERROR;
+
if (options && options->effective_url && options->base_url) {
@@ http.c: static int http_request_reauth(const char *url,
+ retry_delay = handle_rate_limit_retry(&rate_limit_retries, slot_retry_after);
+ if (retry_delay < 0)
+ return HTTP_ERROR;
++
++ if (retry_delay > 0) {
++ warning(_("rate limited, waiting %ld seconds before retry"), retry_delay);
++ trace2_data_intmax("http", the_repository,
++ "http/retry-sleep-seconds", retry_delay);
++ sleep(retry_delay);
++ }
+ slot_retry_after = -1; /* Reset after use */
+ } else if (ret == HTTP_REAUTH) {
+ credential_fill(the_repository, &http_auth, 1);
@@ http.c: static int http_request_reauth(const char *url,
- credential_fill(the_repository, &http_auth, 1);
-
- ret = http_request(url, result, target, options);
-+ ret = http_request(url, result, target, options, &slot_retry_after, retry_delay);
++ ret = http_request(url, result, target, options, &slot_retry_after);
}
return ret;
}
@@ http.h: struct slot_results {
};
struct active_request_slot {
-@@ http.h: struct active_request_slot {
- void *callback_data;
- void (*callback_func)(void *data);
- struct active_request_slot *next;
-+ long retry_delay_seconds;
-+ struct timeval retry_delay_start;
- };
-
- struct buffer {
@@ http.h: struct http_get_options {
#define HTTP_REAUTH 4
#define HTTP_NOAUTH 5
@@ http.h: struct http_get_options {
* Requests a URL and stores the result in a strbuf.
## remote-curl.c ##
-@@ remote-curl.c: static void free_discovery(struct discovery *d)
- }
- }
-
--static int show_http_message(struct strbuf *type, struct strbuf *charset,
-- struct strbuf *msg)
-+static NORETURN void show_http_message_fatal(struct strbuf *type, struct strbuf *charset,
-+ struct strbuf *msg, const char *fmt, ...)
- {
- const char *p, *eol;
-+ va_list ap;
-+ report_fn die_message_routine = get_die_message_routine();
-
- /*
- * We only show text/plain parts, as other types are likely
- * to be ugly to look at on the user's terminal.
- */
- if (strcmp(type->buf, "text/plain"))
-- return -1;
-+ goto out;
- if (charset->len)
- strbuf_reencode(msg, charset->buf, get_log_output_encoding());
-
- strbuf_trim(msg);
- if (!msg->len)
-- return -1;
-+ goto out;
-
- p = msg->buf;
- do {
-@@ remote-curl.c: static int show_http_message(struct strbuf *type, struct strbuf *charset,
- fprintf(stderr, "remote: %.*s\n", (int)(eol - p), p);
- p = eol + 1;
- } while(*eol);
-- return 0;
-+
-+out:
-+ strbuf_release(type);
-+ strbuf_release(charset);
-+ strbuf_release(msg);
-+
-+ va_start(ap, fmt);
-+ die_message_routine(fmt, ap);
-+ va_end(ap);
-+ exit(128);
- }
-
- static int get_protocol_http_header(enum protocol_version version,
@@ remote-curl.c: static struct discovery *discover_refs(const char *service, int for_push)
- case HTTP_OK:
- break;
- case HTTP_MISSING_TARGET:
-- show_http_message(&type, &charset, &buffer);
-- die(_("repository '%s' not found"),
-- transport_anonymize_url(url.buf));
-+ show_http_message_fatal(&type, &charset, &buffer,
-+ _("repository '%s' not found"),
-+ transport_anonymize_url(url.buf));
- case HTTP_NOAUTH:
-- show_http_message(&type, &charset, &buffer);
-- die(_("Authentication failed for '%s'"),
-- transport_anonymize_url(url.buf));
-+ show_http_message_fatal(&type, &charset, &buffer,
-+ _("Authentication failed for '%s'"),
-+ transport_anonymize_url(url.buf));
- case HTTP_NOMATCHPUBLICKEY:
-- show_http_message(&type, &charset, &buffer);
-- die(_("unable to access '%s' with http.pinnedPubkey configuration: %s"),
-- transport_anonymize_url(url.buf), curl_errorstr);
-+ show_http_message_fatal(&type, &charset, &buffer,
-+ _("unable to access '%s' with http.pinnedPubkey configuration: %s"),
-+ transport_anonymize_url(url.buf), curl_errorstr);
+ show_http_message_fatal(&type, &charset, &buffer,
+ _("unable to access '%s' with http.pinnedPubkey configuration: %s"),
+ transport_anonymize_url(url.buf), curl_errorstr);
+ case HTTP_RATE_LIMITED:
+ show_http_message_fatal(&type, &charset, &buffer,
+ _("rate limited by '%s', please try again later"),
+ transport_anonymize_url(url.buf));
default:
-- show_http_message(&type, &charset, &buffer);
-- die(_("unable to access '%s': %s"),
-- transport_anonymize_url(url.buf), curl_errorstr);
-+ show_http_message_fatal(&type, &charset, &buffer,
-+ _("unable to access '%s': %s"),
-+ transport_anonymize_url(url.buf), curl_errorstr);
- }
-
- if (options.verbosity && !starts_with(refs_url.buf, url.buf)) {
-
- ## strbuf.c ##
-@@ strbuf.c: int strbuf_reencode(struct strbuf *sb, const char *from, const char *to)
- if (!out)
- return -1;
-
-- strbuf_attach(sb, out, len, len);
-+ strbuf_attach(sb, out, len, len + 1);
- return 0;
- }
-
+ show_http_message_fatal(&type, &charset, &buffer,
+ _("unable to access '%s': %s"),
## t/lib-httpd.sh ##
@@ t/lib-httpd.sh: prepare_httpd() {
@@ t/t5584-http-429-retry.sh (new)
+ test_config http.maxRetries 3 &&
+
+ # Time the operation - it should take at least 2 seconds due to retry delay
-+ start=$(date +%s) &&
++ start=$(test-tool date getnanos) &&
+ git ls-remote "$HTTPD_URL/http_429/retry-delays-respected/2/repo.git" >output 2>err &&
-+ end=$(date +%s) &&
-+ duration=$((end - start)) &&
++ duration=$(test-tool date getnanos $start) &&
+
+ # Verify it took at least 2 seconds (allowing some tolerance)
-+ test "$duration" -ge 1 &&
++ duration_int=${duration%.*} &&
++ test "$duration_int" -ge 1 &&
+ test_grep "refs/heads/" output
+'
+
@@ t/t5584-http-429-retry.sh (new)
+ test_config http.maxRetryTime 3 &&
+
+ # Should fail immediately without waiting
-+ start=$(date +%s) &&
++ start=$(test-tool date getnanos) &&
+ test_must_fail git ls-remote "$HTTPD_URL/http_429/retry-after-exceeds-max-time/100/repo.git" 2>err &&
-+ end=$(date +%s) &&
-+ duration=$((end - start)) &&
++ duration=$(test-tool date getnanos $start) &&
+
+ # Should fail quickly (less than 2 seconds, no 100 second wait)
-+ test "$duration" -lt 2 &&
-+ test_grep "exceeds http.maxRetryTime" err
++ duration_int=${duration%.*} &&
++ test "$duration_int" -lt 2 &&
++ test_grep "greater than http.maxRetryTime" err
+'
+
+test_expect_success 'HTTP 429 fails if configured http.retryAfter exceeds http.maxRetryTime' '
@@ t/t5584-http-429-retry.sh (new)
+ test_config http.maxRetryTime 5 &&
+
+ # Should fail immediately with configuration error
-+ start=$(date +%s) &&
++ start=$(test-tool date getnanos) &&
+ test_must_fail git ls-remote "$HTTPD_URL/http_429/config-retry-after-exceeds-max-time/none/repo.git" 2>err &&
-+ end=$(date +%s) &&
-+ duration=$((end - start)) &&
++ duration=$(test-tool date getnanos $start) &&
+
+ # Should fail quickly
-+ test "$duration" -lt 2 &&
++ duration_int=${duration%.*} &&
++ test "$duration_int" -lt 2 &&
+ test_grep "configured http.retryAfter.*exceeds.*http.maxRetryTime" err
+'
+
+test_expect_success 'HTTP 429 with Retry-After HTTP-date format' '
+ # Test HTTP-date format (RFC 2822) in Retry-After header
-+ # Generate a date 2 seconds in the future
-+ future_date=$(TZ=GMT date -d "+2 seconds" "+%a, %d %b %Y %H:%M:%S GMT" 2>/dev/null || \
-+ TZ=GMT date -v+2S "+%a, %d %b %Y %H:%M:%S GMT" 2>/dev/null || \
-+ echo "skip") &&
-+
-+ if test "$future_date" = "skip"
-+ then
-+ skip_all="date command does not support required format" &&
-+ test_done
-+ fi &&
-+
-+ # URL-encode the date (replace spaces with %20)
++ raw=$(test-tool date timestamp now) &&
++ now="${raw#* -> }" &&
++ future_time=$((now + 2)) &&
++ raw=$(test-tool date show:rfc2822 $future_time) &&
++ future_date="${raw#* -> }" &&
+ future_date_encoded=$(echo "$future_date" | sed "s/ /%20/g") &&
+
+ # Enable retries
+ test_config http.maxRetries 3 &&
+
+ # Git should parse the HTTP-date and retry after the delay
-+ start=$(date +%s) &&
++ start=$(test-tool date getnanos) &&
+ git ls-remote "$HTTPD_URL/http_429/http-date-format/$future_date_encoded/repo.git" >output 2>err &&
-+ end=$(date +%s) &&
-+ duration=$((end - start)) &&
++ duration=$(test-tool date getnanos $start) &&
+
+ # Should take at least 1 second (allowing tolerance for processing time)
-+ test "$duration" -ge 1 &&
++ duration_int=${duration%.*} &&
++ test "$duration_int" -ge 1 &&
+ test_grep "refs/heads/" output
+'
+
+test_expect_success 'HTTP 429 with HTTP-date exceeding maxRetryTime fails immediately' '
-+ # Generate a date 200 seconds in the future
-+ future_date=$(TZ=GMT date -d "+200 seconds" "+%a, %d %b %Y %H:%M:%S GMT" 2>/dev/null || \
-+ TZ=GMT date -v+200S "+%a, %d %b %Y %H:%M:%S GMT" 2>/dev/null || \
-+ echo "skip") &&
-+
-+ if test "$future_date" = "skip"
-+ then
-+ skip_all="date command does not support required format" &&
-+ test_done
-+ fi &&
-+
-+ # URL-encode the date (replace spaces with %20)
++ raw=$(test-tool date timestamp now) &&
++ now="${raw#* -> }" &&
++ future_time=$((now + 200)) &&
++ raw=$(test-tool date show:rfc2822 $future_time) &&
++ future_date="${raw#* -> }" &&
+ future_date_encoded=$(echo "$future_date" | sed "s/ /%20/g") &&
+
+ # Configure max retry time much less than the 200 second delay
@@ t/t5584-http-429-retry.sh (new)
+ test_config http.maxRetryTime 10 &&
+
+ # Should fail immediately without waiting 200 seconds
-+ start=$(date +%s) &&
++ start=$(test-tool date getnanos) &&
+ test_must_fail git ls-remote "$HTTPD_URL/http_429/http-date-exceeds-max-time/$future_date_encoded/repo.git" 2>err &&
-+ end=$(date +%s) &&
-+ duration=$((end - start)) &&
++ duration=$(test-tool date getnanos $start) &&
+
+ # Should fail quickly (not wait 200 seconds)
-+ test "$duration" -lt 2 &&
-+ test_grep "exceeds http.maxRetryTime" err
++ duration_int=${duration%.*} &&
++ test "$duration_int" -lt 2 &&
++ test_grep "http.maxRetryTime" err
+'
+
+test_expect_success 'HTTP 429 with past HTTP-date should not wait' '
-+ past_date=$(TZ=GMT date -d "-10 seconds" "+%a, %d %b %Y %H:%M:%S GMT" 2>/dev/null || \
-+ TZ=GMT date -v-10S "+%a, %d %b %Y %H:%M:%S GMT" 2>/dev/null || \
-+ echo "skip") &&
-+
-+ if test "$past_date" = "skip"
-+ then
-+ skip_all="date command does not support required format" &&
-+ test_done
-+ fi &&
-+
-+ # URL-encode the date (replace spaces with %20)
++ raw=$(test-tool date timestamp now) &&
++ now="${raw#* -> }" &&
++ past_time=$((now - 10)) &&
++ raw=$(test-tool date show:rfc2822 $past_time) &&
++ past_date="${raw#* -> }" &&
+ past_date_encoded=$(echo "$past_date" | sed "s/ /%20/g") &&
+
+ # Enable retries
+ test_config http.maxRetries 3 &&
+
+ # Git should retry immediately without waiting
-+ start=$(date +%s) &&
++ start=$(test-tool date getnanos) &&
+ git ls-remote "$HTTPD_URL/http_429/past-http-date/$past_date_encoded/repo.git" >output 2>err &&
-+ end=$(date +%s) &&
-+ duration=$((end - start)) &&
++ duration=$(test-tool date getnanos $start) &&
+
+ # Should complete quickly (less than 2 seconds)
-+ test "$duration" -lt 2 &&
++ duration_int=${duration%.*} &&
++ test "$duration_int" -lt 2 &&
+ test_grep "refs/heads/" output
+'
+
@@ t/t5584-http-429-retry.sh (new)
+ test_config http.retryAfter 1 &&
+
+ # Should use configured default (1 second) since header is invalid
-+ start=$(date +%s) &&
++ start=$(test-tool date getnanos) &&
+ git ls-remote "$HTTPD_URL/http_429/invalid-retry-after-format/invalid/repo.git" >output 2>err &&
-+ end=$(date +%s) &&
-+ duration=$((end - start)) &&
++ duration=$(test-tool date getnanos $start) &&
+
+ # Should take at least 1 second (the configured default)
-+ test "$duration" -ge 1 &&
++ duration_int=${duration%.*} &&
++ test "$duration_int" -ge 1 &&
+ test_grep "refs/heads/" output &&
+ test_grep "waiting.*retry" err
+'
@@ t/t5584-http-429-retry.sh (new)
+ test_config http.retryAfter 10 &&
+
+ # Override with environment variable to 1 second
-+ start=$(date +%s) &&
++ start=$(test-tool date getnanos) &&
+ GIT_HTTP_RETRY_AFTER=1 git ls-remote "$HTTPD_URL/http_429/env-retry-after-override/none/repo.git" >output 2>err &&
-+ end=$(date +%s) &&
-+ duration=$((end - start)) &&
++ duration=$(test-tool date getnanos $start) &&
+
+ # Should use env var (1 second), not config (10 seconds)
-+ test "$duration" -ge 1 &&
-+ test "$duration" -lt 5 &&
++ duration_int=${duration%.*} &&
++ test "$duration_int" -ge 1 &&
++ test "$duration_int" -lt 5 &&
+ test_grep "refs/heads/" output &&
+ test_grep "waiting.*retry" err
+'
@@ t/t5584-http-429-retry.sh (new)
+ test_config http.maxRetryTime 100 &&
+
+ # Override with environment variable to 10 seconds (should reject 50 second delay)
-+ start=$(date +%s) &&
++ start=$(test-tool date getnanos) &&
+ test_must_fail env GIT_HTTP_MAX_RETRY_TIME=10 \
+ git ls-remote "$HTTPD_URL/http_429/env-max-retry-time-override/50/repo.git" 2>err &&
-+ end=$(date +%s) &&
-+ duration=$((end - start)) &&
++ duration=$(test-tool date getnanos $start) &&
+
+ # Should fail quickly (not wait 50 seconds) because env var limits to 10
-+ test "$duration" -lt 5 &&
-+ test_grep "exceeds http.maxRetryTime" err
++ duration_int=${duration%.*} &&
++ test "$duration_int" -lt 5 &&
++ test_grep "greater than http.maxRetryTime" err
+'
+
+test_expect_success 'verify normal repository access still works' '
2: ad4495fc94 < -: ---------- http: add trace2 logging for retry operations
--
gitgitgadget
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH v3 1/3] strbuf: fix incorrect alloc size in strbuf_reencode()
2026-02-17 11:08 ` [PATCH v3 0/3] http: add support for HTTP 429 rate limit retries Vaidas Pilkauskas via GitGitGadget
@ 2026-02-17 11:08 ` Vaidas Pilkauskas via GitGitGadget
2026-02-17 20:51 ` Junio C Hamano
2026-02-17 11:08 ` [PATCH v3 2/3] remote-curl: introduce show_http_message_fatal() helper Vaidas Pilkauskas via GitGitGadget
` (2 subsequent siblings)
3 siblings, 1 reply; 49+ messages in thread
From: Vaidas Pilkauskas via GitGitGadget @ 2026-02-17 11:08 UTC (permalink / raw)
To: git; +Cc: Taylor Blau, Jeff King, Vaidas Pilkauskas, Vaidas Pilkauskas
From: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
The strbuf_reencode() function incorrectly passes the string length
as the allocation size to strbuf_attach(), when it should pass
length + 1 to account for the null terminator.
The reencode_string_len() function allocates len + 1 bytes (including
the null terminator) and returns the string length (excluding the null
terminator) via the len parameter. However, strbuf_reencode() then
calls strbuf_attach() with this length value as both the len and alloc
parameters:
strbuf_attach(sb, out, len, len);
This is incorrect because strbuf_attach()'s alloc parameter should
reflect the actual allocated buffer size, which includes space for the
null terminator. This could lead to incorrect memory management in code
that relies on sb->alloc being accurate.
Fix by passing len + 1 as the alloc parameter:
strbuf_attach(sb, out, len, len + 1);
Signed-off-by: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
---
strbuf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/strbuf.c b/strbuf.c
index 3939863cf3..3e04addc22 100644
--- a/strbuf.c
+++ b/strbuf.c
@@ -168,7 +168,7 @@ int strbuf_reencode(struct strbuf *sb, const char *from, const char *to)
if (!out)
return -1;
- strbuf_attach(sb, out, len, len);
+ strbuf_attach(sb, out, len, len + 1);
return 0;
}
--
gitgitgadget
^ permalink raw reply related [flat|nested] 49+ messages in thread
* [PATCH v3 2/3] remote-curl: introduce show_http_message_fatal() helper
2026-02-17 11:08 ` [PATCH v3 0/3] http: add support for HTTP 429 rate limit retries Vaidas Pilkauskas via GitGitGadget
2026-02-17 11:08 ` [PATCH v3 1/3] strbuf: fix incorrect alloc size in strbuf_reencode() Vaidas Pilkauskas via GitGitGadget
@ 2026-02-17 11:08 ` Vaidas Pilkauskas via GitGitGadget
2026-02-17 11:08 ` [PATCH v3 3/3] http: add support for HTTP 429 rate limit retries Vaidas Pilkauskas via GitGitGadget
2026-02-18 14:09 ` [PATCH v4 0/5] " Vaidas Pilkauskas via GitGitGadget
3 siblings, 0 replies; 49+ messages in thread
From: Vaidas Pilkauskas via GitGitGadget @ 2026-02-17 11:08 UTC (permalink / raw)
To: git; +Cc: Taylor Blau, Jeff King, Vaidas Pilkauskas, Vaidas Pilkauskas
From: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
Several code paths in remote-curl.c follow the same pattern of calling
show_http_message() to display server error messages followed by die()
to terminate with an error. This duplication makes the code more verbose
and harder to maintain.
Introduce a new show_http_message_fatal() helper function that combines
these two operations. This function:
1. Displays any HTTP error message from the server via show_http_message()
2. Calls die() with the provided error message
3. Returns NORETURN to help the compiler with control flow analysis
Refactor existing call sites in remote-curl.c to use this new helper,
reducing code duplication and improving readability. This pattern will
also be used by upcoming HTTP 429 rate limiting support.
Suggested-by: Taylor Blau <me@ttaylorr.com>
Signed-off-by: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
---
remote-curl.c | 45 ++++++++++++++++++++++++++++-----------------
1 file changed, 28 insertions(+), 17 deletions(-)
diff --git a/remote-curl.c b/remote-curl.c
index 92e40bb682..21c96f2ca9 100644
--- a/remote-curl.c
+++ b/remote-curl.c
@@ -367,23 +367,25 @@ static void free_discovery(struct discovery *d)
}
}
-static int show_http_message(struct strbuf *type, struct strbuf *charset,
- struct strbuf *msg)
+static NORETURN void show_http_message_fatal(struct strbuf *type, struct strbuf *charset,
+ struct strbuf *msg, const char *fmt, ...)
{
const char *p, *eol;
+ va_list ap;
+ report_fn die_message_routine = get_die_message_routine();
/*
* We only show text/plain parts, as other types are likely
* to be ugly to look at on the user's terminal.
*/
if (strcmp(type->buf, "text/plain"))
- return -1;
+ goto out;
if (charset->len)
strbuf_reencode(msg, charset->buf, get_log_output_encoding());
strbuf_trim(msg);
if (!msg->len)
- return -1;
+ goto out;
p = msg->buf;
do {
@@ -391,7 +393,16 @@ static int show_http_message(struct strbuf *type, struct strbuf *charset,
fprintf(stderr, "remote: %.*s\n", (int)(eol - p), p);
p = eol + 1;
} while(*eol);
- return 0;
+
+out:
+ strbuf_release(type);
+ strbuf_release(charset);
+ strbuf_release(msg);
+
+ va_start(ap, fmt);
+ die_message_routine(fmt, ap);
+ va_end(ap);
+ exit(128);
}
static int get_protocol_http_header(enum protocol_version version,
@@ -518,21 +529,21 @@ static struct discovery *discover_refs(const char *service, int for_push)
case HTTP_OK:
break;
case HTTP_MISSING_TARGET:
- show_http_message(&type, &charset, &buffer);
- die(_("repository '%s' not found"),
- transport_anonymize_url(url.buf));
+ show_http_message_fatal(&type, &charset, &buffer,
+ _("repository '%s' not found"),
+ transport_anonymize_url(url.buf));
case HTTP_NOAUTH:
- show_http_message(&type, &charset, &buffer);
- die(_("Authentication failed for '%s'"),
- transport_anonymize_url(url.buf));
+ show_http_message_fatal(&type, &charset, &buffer,
+ _("Authentication failed for '%s'"),
+ transport_anonymize_url(url.buf));
case HTTP_NOMATCHPUBLICKEY:
- show_http_message(&type, &charset, &buffer);
- die(_("unable to access '%s' with http.pinnedPubkey configuration: %s"),
- transport_anonymize_url(url.buf), curl_errorstr);
+ show_http_message_fatal(&type, &charset, &buffer,
+ _("unable to access '%s' with http.pinnedPubkey configuration: %s"),
+ transport_anonymize_url(url.buf), curl_errorstr);
default:
- show_http_message(&type, &charset, &buffer);
- die(_("unable to access '%s': %s"),
- transport_anonymize_url(url.buf), curl_errorstr);
+ show_http_message_fatal(&type, &charset, &buffer,
+ _("unable to access '%s': %s"),
+ transport_anonymize_url(url.buf), curl_errorstr);
}
if (options.verbosity && !starts_with(refs_url.buf, url.buf)) {
--
gitgitgadget
^ permalink raw reply related [flat|nested] 49+ messages in thread
* [PATCH v3 3/3] http: add support for HTTP 429 rate limit retries
2026-02-17 11:08 ` [PATCH v3 0/3] http: add support for HTTP 429 rate limit retries Vaidas Pilkauskas via GitGitGadget
2026-02-17 11:08 ` [PATCH v3 1/3] strbuf: fix incorrect alloc size in strbuf_reencode() Vaidas Pilkauskas via GitGitGadget
2026-02-17 11:08 ` [PATCH v3 2/3] remote-curl: introduce show_http_message_fatal() helper Vaidas Pilkauskas via GitGitGadget
@ 2026-02-17 11:08 ` Vaidas Pilkauskas via GitGitGadget
2026-02-18 14:09 ` [PATCH v4 0/5] " Vaidas Pilkauskas via GitGitGadget
3 siblings, 0 replies; 49+ messages in thread
From: Vaidas Pilkauskas via GitGitGadget @ 2026-02-17 11:08 UTC (permalink / raw)
To: git; +Cc: Taylor Blau, Jeff King, Vaidas Pilkauskas, Vaidas Pilkauskas
From: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
Add retry logic for HTTP 429 (Too Many Requests) responses to handle
server-side rate limiting gracefully. When Git's HTTP client receives
a 429 response, it can now automatically retry the request after an
appropriate delay, respecting the server's rate limits.
The implementation supports the RFC-compliant Retry-After header in
both delay-seconds (integer) and HTTP-date (RFC 2822) formats. If a
past date is provided, Git retries immediately without waiting.
Retry behavior is controlled by three new configuration options
(http.maxRetries, http.retryAfter, and http.maxRetryTime) which are
documented in git-config(1).
The retry logic implements a fail-fast approach: if any delay
(whether from server header or configuration) exceeds maxRetryTime,
Git fails immediately with a clear error message rather than capping
the delay. This provides better visibility into rate limiting issues.
The implementation includes extensive test coverage for basic retry
behavior, Retry-After header formats (integer and HTTP-date),
configuration combinations, maxRetryTime limits, invalid header
handling, environment variable overrides, and edge cases.
Signed-off-by: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
---
Documentation/config/http.adoc | 23 +++
git-curl-compat.h | 8 +
http.c | 190 +++++++++++++++++++++--
http.h | 2 +
remote-curl.c | 4 +
t/lib-httpd.sh | 1 +
t/lib-httpd/apache.conf | 8 +
t/lib-httpd/http-429.sh | 98 ++++++++++++
t/meson.build | 1 +
t/t5584-http-429-retry.sh | 266 +++++++++++++++++++++++++++++++++
10 files changed, 589 insertions(+), 12 deletions(-)
create mode 100644 t/lib-httpd/http-429.sh
create mode 100755 t/t5584-http-429-retry.sh
diff --git a/Documentation/config/http.adoc b/Documentation/config/http.adoc
index 9da5c298cc..7d9a90dcba 100644
--- a/Documentation/config/http.adoc
+++ b/Documentation/config/http.adoc
@@ -315,6 +315,29 @@ http.keepAliveCount::
unset, curl's default value is used. Can be overridden by the
`GIT_HTTP_KEEPALIVE_COUNT` environment variable.
+http.retryAfter::
+ Default wait time in seconds before retrying when a server returns
+ HTTP 429 (Too Many Requests) without a Retry-After header.
+ Defaults to 0 (retry immediately). When a Retry-After header is
+ present, its value takes precedence over this setting. Can be
+ overridden by the `GIT_HTTP_RETRY_AFTER` environment variable.
+ See also `http.maxRetries` and `http.maxRetryTime`.
+
+http.maxRetries::
+ Maximum number of times to retry after receiving HTTP 429 (Too Many
+ Requests) responses. Set to 0 (the default) to disable retries.
+ Can be overridden by the `GIT_HTTP_MAX_RETRIES` environment variable.
+ See also `http.retryAfter` and `http.maxRetryTime`.
+
+http.maxRetryTime::
+ Maximum time in seconds to wait for a single retry attempt when
+ handling HTTP 429 (Too Many Requests) responses. If the server
+ requests a delay (via Retry-After header) or if `http.retryAfter`
+ is configured with a value that exceeds this maximum, Git will fail
+ immediately rather than waiting. Default is 300 seconds (5 minutes).
+ Can be overridden by the `GIT_HTTP_MAX_RETRY_TIME` environment
+ variable. See also `http.retryAfter` and `http.maxRetries`.
+
http.noEPSV::
A boolean which disables using of EPSV ftp command by curl.
This can be helpful with some "poor" ftp servers which don't
diff --git a/git-curl-compat.h b/git-curl-compat.h
index 659e5a3875..dccdd4d6e5 100644
--- a/git-curl-compat.h
+++ b/git-curl-compat.h
@@ -37,6 +37,14 @@
#define GIT_CURL_NEED_TRANSFER_ENCODING_HEADER
#endif
+/**
+ * CURLINFO_RETRY_AFTER was added in 7.66.0, released in September 2019.
+ * It allows curl to automatically parse Retry-After headers.
+ */
+#if LIBCURL_VERSION_NUM >= 0x074200
+#define GIT_CURL_HAVE_CURLINFO_RETRY_AFTER 1
+#endif
+
/**
* CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR were added in 7.85.0,
* released in August 2022.
diff --git a/http.c b/http.c
index 7815f144de..11ea9f38f7 100644
--- a/http.c
+++ b/http.c
@@ -22,6 +22,8 @@
#include "object-file.h"
#include "odb.h"
#include "tempfile.h"
+#include "date.h"
+#include "trace2.h"
static struct trace_key trace_curl = TRACE_KEY_INIT(CURL);
static int trace_curl_data = 1;
@@ -149,6 +151,11 @@ static char *cached_accept_language;
static char *http_ssl_backend;
static int http_schannel_check_revoke = 1;
+
+static long http_retry_after = 0;
+static long http_max_retries = 0;
+static long http_max_retry_time = 300;
+
/*
* With the backend being set to `schannel`, setting sslCAinfo would override
* the Certificate Store in cURL v7.60.0 and later, which is not what we want
@@ -209,7 +216,7 @@ static inline int is_hdr_continuation(const char *ptr, const size_t size)
return size && (*ptr == ' ' || *ptr == '\t');
}
-static size_t fwrite_wwwauth(char *ptr, size_t eltsize, size_t nmemb, void *p UNUSED)
+static size_t fwrite_headers(char *ptr, size_t eltsize, size_t nmemb, void *p MAYBE_UNUSED)
{
size_t size = eltsize * nmemb;
struct strvec *values = &http_auth.wwwauth_headers;
@@ -257,6 +264,50 @@ static size_t fwrite_wwwauth(char *ptr, size_t eltsize, size_t nmemb, void *p UN
goto exit;
}
+#ifndef GIT_CURL_HAVE_CURLINFO_RETRY_AFTER
+ /* Parse Retry-After header for rate limiting (for curl < 7.66.0) */
+ if (skip_iprefix_mem(ptr, size, "retry-after:", &val, &val_len)) {
+ struct active_request_slot *slot = (struct active_request_slot *)p;
+
+ strbuf_add(&buf, val, val_len);
+ strbuf_trim(&buf);
+
+ if (slot && slot->results) {
+ /* Parse the retry-after value (delay-seconds or HTTP-date) */
+ char *endptr;
+ long retry_after;
+
+ errno = 0;
+ retry_after = strtol(buf.buf, &endptr, 10);
+
+ /* Check if it's a valid integer (delay-seconds format) */
+ if (endptr != buf.buf && *endptr == '\0' &&
+ errno != ERANGE && retry_after >= 0) {
+ slot->results->retry_after = retry_after;
+ } else {
+ /* Try parsing as HTTP-date format */
+ timestamp_t timestamp;
+ int offset;
+ if (!parse_date_basic(buf.buf, ×tamp, &offset)) {
+ /* Successfully parsed as date, calculate delay from now */
+ timestamp_t now = time(NULL);
+ if (timestamp > now) {
+ slot->results->retry_after = (long)(timestamp - now);
+ } else {
+ /* Past date means retry immediately */
+ slot->results->retry_after = 0;
+ }
+ } else {
+ /* Failed to parse as either delay-seconds or HTTP-date */
+ warning(_("unable to parse Retry-After header value: '%s'"), buf.buf);
+ }
+ }
+ }
+
+ goto exit;
+ }
+#endif
+
/*
* This line could be a continuation of the previously matched header
* field. If this is the case then we should append this value to the
@@ -342,6 +393,17 @@ static void finish_active_slot(struct active_request_slot *slot)
curl_easy_getinfo(slot->curl, CURLINFO_HTTP_CONNECTCODE,
&slot->results->http_connectcode);
+
+#ifdef GIT_CURL_HAVE_CURLINFO_RETRY_AFTER
+ if (slot->results->http_code == 429) {
+ curl_off_t retry_after;
+ CURLcode res = curl_easy_getinfo(slot->curl,
+ CURLINFO_RETRY_AFTER,
+ &retry_after);
+ if (res == CURLE_OK && retry_after > 0)
+ slot->results->retry_after = (long)retry_after;
+ }
+#endif
}
/* Run callback if appropriate */
@@ -575,6 +637,21 @@ static int http_options(const char *var, const char *value,
return 0;
}
+ if (!strcmp("http.retryafter", var)) {
+ http_retry_after = git_config_int(var, value, ctx->kvi);
+ return 0;
+ }
+
+ if (!strcmp("http.maxretries", var)) {
+ http_max_retries = git_config_int(var, value, ctx->kvi);
+ return 0;
+ }
+
+ if (!strcmp("http.maxretrytime", var)) {
+ http_max_retry_time = git_config_int(var, value, ctx->kvi);
+ return 0;
+ }
+
/* Fall back on the default ones */
return git_default_config(var, value, ctx, data);
}
@@ -1422,6 +1499,10 @@ void http_init(struct remote *remote, const char *url, int proactive_auth)
set_long_from_env(&curl_tcp_keepintvl, "GIT_TCP_KEEPINTVL");
set_long_from_env(&curl_tcp_keepcnt, "GIT_TCP_KEEPCNT");
+ set_long_from_env(&http_retry_after, "GIT_HTTP_RETRY_AFTER");
+ set_long_from_env(&http_max_retries, "GIT_HTTP_MAX_RETRIES");
+ set_long_from_env(&http_max_retry_time, "GIT_HTTP_MAX_RETRY_TIME");
+
curl_default = get_curl_handle();
}
@@ -1871,6 +1952,10 @@ static int handle_curl_result(struct slot_results *results)
}
return HTTP_REAUTH;
}
+ } else if (results->http_code == 429) {
+ trace2_data_intmax("http", the_repository, "http/429-retry-after",
+ results->retry_after);
+ return HTTP_RATE_LIMITED;
} else {
if (results->http_connectcode == 407)
credential_reject(the_repository, &proxy_auth);
@@ -1886,6 +1971,9 @@ int run_one_slot(struct active_request_slot *slot,
struct slot_results *results)
{
slot->results = results;
+ /* Initialize retry_after to -1 (not set) */
+ results->retry_after = -1;
+
if (!start_active_slot(slot)) {
xsnprintf(curl_errorstr, sizeof(curl_errorstr),
"failed to start HTTP request");
@@ -2119,7 +2207,8 @@ static void http_opt_request_remainder(CURL *curl, off_t pos)
static int http_request(const char *url,
void *result, int target,
- const struct http_get_options *options)
+ const struct http_get_options *options,
+ long *retry_after_out)
{
struct active_request_slot *slot;
struct slot_results results;
@@ -2148,7 +2237,8 @@ static int http_request(const char *url,
fwrite_buffer);
}
- curl_easy_setopt(slot->curl, CURLOPT_HEADERFUNCTION, fwrite_wwwauth);
+ curl_easy_setopt(slot->curl, CURLOPT_HEADERFUNCTION, fwrite_headers);
+ curl_easy_setopt(slot->curl, CURLOPT_HEADERDATA, slot);
accept_language = http_get_accept_language_header();
@@ -2183,6 +2273,10 @@ static int http_request(const char *url,
ret = run_one_slot(slot, &results);
+ /* Store retry_after from slot results if output parameter provided */
+ if (retry_after_out)
+ *retry_after_out = results.retry_after;
+
if (options && options->content_type) {
struct strbuf raw = STRBUF_INIT;
curlinfo_strbuf(slot->curl, CURLINFO_CONTENT_TYPE, &raw);
@@ -2253,21 +2347,79 @@ static int update_url_from_redirect(struct strbuf *base,
return 1;
}
-static int http_request_reauth(const char *url,
+/*
+ * Handle rate limiting retry logic for HTTP 429 responses.
+ * Returns a negative value if retries are exhausted or configuration is invalid,
+ * otherwise returns the delay value (>= 0) to indicate the retry should proceed.
+ */
+static long handle_rate_limit_retry(int *rate_limit_retries, long slot_retry_after)
+{
+ int retry_attempt = http_max_retries - *rate_limit_retries + 1;
+
+ trace2_data_intmax("http", the_repository, "http/429-retry-attempt",
+ retry_attempt);
+
+ if (*rate_limit_retries <= 0) {
+ /* Retries are disabled or exhausted */
+ if (http_max_retries > 0) {
+ error(_("too many rate limit retries, giving up"));
+ trace2_data_string("http", the_repository,
+ "http/429-error", "retries-exhausted");
+ }
+ return -1;
+ }
+
+ (*rate_limit_retries)--;
+
+ /* Use the slot-specific retry_after value or configured default */
+ if (slot_retry_after >= 0) {
+ /* Check if retry delay exceeds maximum allowed */
+ if (slot_retry_after > http_max_retry_time) {
+ error(_("response requested a delay greater than http.maxRetryTime (%ld > %ld seconds)"),
+ slot_retry_after, http_max_retry_time);
+ trace2_data_string("http", the_repository,
+ "http/429-error", "exceeds-max-retry-time");
+ trace2_data_intmax("http", the_repository,
+ "http/429-requested-delay", slot_retry_after);
+ return -1;
+ }
+ return slot_retry_after;
+ } else {
+ /* No Retry-After header provided, use configured default */
+ if (http_retry_after > http_max_retry_time) {
+ error(_("configured http.retryAfter exceeds http.maxRetryTime (%ld > %ld seconds)"),
+ http_retry_after, http_max_retry_time);
+ trace2_data_string("http", the_repository,
+ "http/429-error", "config-exceeds-max-retry-time");
+ return -1;
+ }
+ trace2_data_string("http", the_repository,
+ "http/429-retry-source", "config-default");
+ return http_retry_after;
+ }
+}
+
+static int http_request_recoverable(const char *url,
void *result, int target,
struct http_get_options *options)
{
int i = 3;
int ret;
+ int rate_limit_retries = http_max_retries;
+ long slot_retry_after = -1; /* Per-slot retry_after value */
if (always_auth_proactively())
credential_fill(the_repository, &http_auth, 1);
- ret = http_request(url, result, target, options);
+ ret = http_request(url, result, target, options, &slot_retry_after);
- if (ret != HTTP_OK && ret != HTTP_REAUTH)
+ if (ret != HTTP_OK && ret != HTTP_REAUTH && ret != HTTP_RATE_LIMITED)
return ret;
+ /* If retries are disabled and we got a 429, fail immediately */
+ if (ret == HTTP_RATE_LIMITED && !http_max_retries)
+ return HTTP_ERROR;
+
if (options && options->effective_url && options->base_url) {
if (update_url_from_redirect(options->base_url,
url, options->effective_url)) {
@@ -2276,7 +2428,8 @@ static int http_request_reauth(const char *url,
}
}
- while (ret == HTTP_REAUTH && --i) {
+ while ((ret == HTTP_REAUTH || ret == HTTP_RATE_LIMITED) && --i) {
+ long retry_delay = -1;
/*
* The previous request may have put cruft into our output stream; we
* should clear it out before making our next request.
@@ -2301,10 +2454,23 @@ static int http_request_reauth(const char *url,
default:
BUG("Unknown http_request target");
}
+ if (ret == HTTP_RATE_LIMITED) {
+ retry_delay = handle_rate_limit_retry(&rate_limit_retries, slot_retry_after);
+ if (retry_delay < 0)
+ return HTTP_ERROR;
+
+ if (retry_delay > 0) {
+ warning(_("rate limited, waiting %ld seconds before retry"), retry_delay);
+ trace2_data_intmax("http", the_repository,
+ "http/retry-sleep-seconds", retry_delay);
+ sleep(retry_delay);
+ }
+ slot_retry_after = -1; /* Reset after use */
+ } else if (ret == HTTP_REAUTH) {
+ credential_fill(the_repository, &http_auth, 1);
+ }
- credential_fill(the_repository, &http_auth, 1);
-
- ret = http_request(url, result, target, options);
+ ret = http_request(url, result, target, options, &slot_retry_after);
}
return ret;
}
@@ -2313,7 +2479,7 @@ int http_get_strbuf(const char *url,
struct strbuf *result,
struct http_get_options *options)
{
- return http_request_reauth(url, result, HTTP_REQUEST_STRBUF, options);
+ return http_request_recoverable(url, result, HTTP_REQUEST_STRBUF, options);
}
/*
@@ -2337,7 +2503,7 @@ int http_get_file(const char *url, const char *filename,
goto cleanup;
}
- ret = http_request_reauth(url, result, HTTP_REQUEST_FILE, options);
+ ret = http_request_recoverable(url, result, HTTP_REQUEST_FILE, options);
fclose(result);
if (ret == HTTP_OK && finalize_object_file(the_repository, tmpfile.buf, filename))
diff --git a/http.h b/http.h
index f9d4593404..eb40456450 100644
--- a/http.h
+++ b/http.h
@@ -20,6 +20,7 @@ struct slot_results {
long http_code;
long auth_avail;
long http_connectcode;
+ long retry_after;
};
struct active_request_slot {
@@ -167,6 +168,7 @@ struct http_get_options {
#define HTTP_REAUTH 4
#define HTTP_NOAUTH 5
#define HTTP_NOMATCHPUBLICKEY 6
+#define HTTP_RATE_LIMITED 7
/*
* Requests a URL and stores the result in a strbuf.
diff --git a/remote-curl.c b/remote-curl.c
index 21c96f2ca9..b80d2adb95 100644
--- a/remote-curl.c
+++ b/remote-curl.c
@@ -540,6 +540,10 @@ static struct discovery *discover_refs(const char *service, int for_push)
show_http_message_fatal(&type, &charset, &buffer,
_("unable to access '%s' with http.pinnedPubkey configuration: %s"),
transport_anonymize_url(url.buf), curl_errorstr);
+ case HTTP_RATE_LIMITED:
+ show_http_message_fatal(&type, &charset, &buffer,
+ _("rate limited by '%s', please try again later"),
+ transport_anonymize_url(url.buf));
default:
show_http_message_fatal(&type, &charset, &buffer,
_("unable to access '%s': %s"),
diff --git a/t/lib-httpd.sh b/t/lib-httpd.sh
index 5091db949b..8a43261ffc 100644
--- a/t/lib-httpd.sh
+++ b/t/lib-httpd.sh
@@ -167,6 +167,7 @@ prepare_httpd() {
install_script error.sh
install_script apply-one-time-script.sh
install_script nph-custom-auth.sh
+ install_script http-429.sh
ln -s "$LIB_HTTPD_MODULE_PATH" "$HTTPD_ROOT_PATH/modules"
diff --git a/t/lib-httpd/apache.conf b/t/lib-httpd/apache.conf
index e631ab0eb5..6bdef603cd 100644
--- a/t/lib-httpd/apache.conf
+++ b/t/lib-httpd/apache.conf
@@ -139,6 +139,10 @@ SetEnv PERL_PATH ${PERL_PATH}
SetEnv GIT_EXEC_PATH ${GIT_EXEC_PATH}
SetEnv GIT_HTTP_EXPORT_ALL
</LocationMatch>
+<LocationMatch /http_429/>
+ SetEnv GIT_EXEC_PATH ${GIT_EXEC_PATH}
+ SetEnv GIT_HTTP_EXPORT_ALL
+</LocationMatch>
<LocationMatch /smart_v0/>
SetEnv GIT_EXEC_PATH ${GIT_EXEC_PATH}
SetEnv GIT_HTTP_EXPORT_ALL
@@ -160,6 +164,7 @@ ScriptAlias /broken_smart/ broken-smart-http.sh/
ScriptAlias /error_smart/ error-smart-http.sh/
ScriptAlias /error/ error.sh/
ScriptAliasMatch /one_time_script/(.*) apply-one-time-script.sh/$1
+ScriptAliasMatch /http_429/(.*) http-429.sh/$1
ScriptAliasMatch /custom_auth/(.*) nph-custom-auth.sh/$1
<Directory ${GIT_EXEC_PATH}>
Options FollowSymlinks
@@ -185,6 +190,9 @@ ScriptAliasMatch /custom_auth/(.*) nph-custom-auth.sh/$1
<Files apply-one-time-script.sh>
Options ExecCGI
</Files>
+<Files http-429.sh>
+ Options ExecCGI
+</Files>
<Files ${GIT_EXEC_PATH}/git-http-backend>
Options ExecCGI
</Files>
diff --git a/t/lib-httpd/http-429.sh b/t/lib-httpd/http-429.sh
new file mode 100644
index 0000000000..c97b16145b
--- /dev/null
+++ b/t/lib-httpd/http-429.sh
@@ -0,0 +1,98 @@
+#!/bin/sh
+
+# Script to return HTTP 429 Too Many Requests responses for testing retry logic.
+# Usage: /http_429/<test-context>/<retry-after-value>/<repo-path>
+#
+# The test-context is a unique identifier for each test to isolate state files.
+# The retry-after-value can be:
+# - A number (e.g., "1", "2", "100") - sets Retry-After header to that many seconds
+# - "none" - no Retry-After header
+# - "invalid" - invalid Retry-After format
+# - "permanent" - always return 429 (never succeed)
+# - An HTTP-date string (RFC 2822 format) - sets Retry-After to that date
+#
+# On first call, returns 429. On subsequent calls (after retry), forwards to git-http-backend
+# unless retry-after-value is "permanent".
+
+# Extract test context, retry-after value and repo path from PATH_INFO
+# PATH_INFO format: /<test-context>/<retry-after-value>/<repo-path>
+path_info="${PATH_INFO#/}" # Remove leading slash
+test_context="${path_info%%/*}" # Get first component (test context)
+remaining="${path_info#*/}" # Get rest
+retry_after="${remaining%%/*}" # Get second component (retry-after value)
+repo_path="${remaining#*/}" # Get rest (repo path)
+
+# Extract repository name from repo_path (e.g., "repo.git" from "repo.git/info/refs")
+# The repo name is the first component before any "/"
+repo_name="${repo_path%%/*}"
+
+# Use current directory (HTTPD_ROOT_PATH) for state file
+# Create a safe filename from test_context, retry_after and repo_name
+# This ensures all requests for the same test context share the same state file
+safe_name=$(echo "${test_context}-${retry_after}-${repo_name}" | tr '/' '_' | tr -cd 'a-zA-Z0-9_-')
+state_file="http-429-state-${safe_name}"
+
+# Check if this is the first call (no state file exists)
+if test -f "$state_file"
+then
+ # Already returned 429 once, forward to git-http-backend
+ # Set PATH_INFO to just the repo path (without retry-after value)
+ # Set GIT_PROJECT_ROOT so git-http-backend can find the repository
+ # Use exec to replace this process so git-http-backend gets the updated environment
+ PATH_INFO="/$repo_path"
+ export PATH_INFO
+ # GIT_PROJECT_ROOT points to the document root where repositories are stored
+ # The script runs from HTTPD_ROOT_PATH, and www/ is the document root
+ if test -z "$GIT_PROJECT_ROOT"
+ then
+ # Construct path: current directory (HTTPD_ROOT_PATH) + /www
+ GIT_PROJECT_ROOT="$(pwd)/www"
+ export GIT_PROJECT_ROOT
+ fi
+ exec "$GIT_EXEC_PATH/git-http-backend"
+fi
+
+# Mark that we've returned 429
+touch "$state_file"
+
+# Output HTTP 429 response
+printf "Status: 429 Too Many Requests\r\n"
+
+# Set Retry-After header based on retry_after value
+case "$retry_after" in
+ none)
+ # No Retry-After header
+ ;;
+ invalid)
+ printf "Retry-After: invalid-format-123abc\r\n"
+ ;;
+ permanent)
+ # Always return 429, don't set state file for success
+ rm -f "$state_file"
+ printf "Retry-After: 1\r\n"
+ printf "Content-Type: text/plain\r\n"
+ printf "\r\n"
+ printf "Permanently rate limited\n"
+ exit 0
+ ;;
+ *)
+ # Check if it's a number
+ case "$retry_after" in
+ [0-9]*)
+ # Numeric value
+ printf "Retry-After: %s\r\n" "$retry_after"
+ ;;
+ *)
+ # Assume it's an HTTP-date format (passed as-is, URL decoded)
+ # Apache may URL-encode the path, so decode common URL-encoded characters
+ # %20 = space, %2C = comma, %3A = colon
+ retry_value=$(echo "$retry_after" | sed -e 's/%20/ /g' -e 's/%2C/,/g' -e 's/%3A/:/g')
+ printf "Retry-After: %s\r\n" "$retry_value"
+ ;;
+ esac
+ ;;
+esac
+
+printf "Content-Type: text/plain\r\n"
+printf "\r\n"
+printf "Rate limited\n"
diff --git a/t/meson.build b/t/meson.build
index a04a7a86cf..1e8f270408 100644
--- a/t/meson.build
+++ b/t/meson.build
@@ -703,6 +703,7 @@ integration_tests = [
't5581-http-curl-verbose.sh',
't5582-fetch-negative-refspec.sh',
't5583-push-branches.sh',
+ 't5584-http-429-retry.sh',
't5600-clone-fail-cleanup.sh',
't5601-clone.sh',
't5602-clone-remote-exec.sh',
diff --git a/t/t5584-http-429-retry.sh b/t/t5584-http-429-retry.sh
new file mode 100755
index 0000000000..f3a9439f51
--- /dev/null
+++ b/t/t5584-http-429-retry.sh
@@ -0,0 +1,266 @@
+#!/bin/sh
+
+test_description='test HTTP 429 Too Many Requests retry logic'
+
+. ./test-lib.sh
+
+. "$TEST_DIRECTORY"/lib-httpd.sh
+
+start_httpd
+
+test_expect_success 'setup test repository' '
+ test_commit initial &&
+ git clone --bare . "$HTTPD_DOCUMENT_ROOT_PATH/repo.git" &&
+ git --git-dir="$HTTPD_DOCUMENT_ROOT_PATH/repo.git" config http.receivepack true
+'
+
+# This test suite uses a special HTTP 429 endpoint at /http_429/ that simulates
+# rate limiting. The endpoint format is:
+# /http_429/<test-context>/<retry-after-value>/<repo-path>
+# The http-429.sh script (in t/lib-httpd) returns a 429 response with the
+# specified Retry-After header on the first request for each test context,
+# then forwards subsequent requests to git-http-backend. Each test context
+# is isolated, allowing multiple tests to run independently.
+
+test_expect_success 'HTTP 429 with retries disabled (maxRetries=0) fails immediately' '
+ # Set maxRetries to 0 (disabled)
+ test_config http.maxRetries 0 &&
+ test_config http.retryAfter 1 &&
+
+ # Should fail immediately without any retry attempt
+ test_must_fail git ls-remote "$HTTPD_URL/http_429/retries-disabled/1/repo.git" 2>err &&
+
+ # Verify no retry happened (no "waiting" message in stderr)
+ test_grep ! -i "waiting.*retry" err
+'
+
+test_expect_success 'HTTP 429 permanent should fail after max retries' '
+ # Enable retries with a limit
+ test_config http.maxRetries 2 &&
+
+ # Git should retry but eventually fail when 429 persists
+ test_must_fail git ls-remote "$HTTPD_URL/http_429/permanent-fail/permanent/repo.git" 2>err
+'
+
+test_expect_success 'HTTP 429 with Retry-After is retried and succeeds' '
+ # Enable retries
+ test_config http.maxRetries 3 &&
+
+ # Git should retry after receiving 429 and eventually succeed
+ git ls-remote "$HTTPD_URL/http_429/retry-succeeds/1/repo.git" >output 2>err &&
+ test_grep "refs/heads/" output
+'
+
+test_expect_success 'HTTP 429 without Retry-After uses configured default' '
+ # Enable retries and configure default delay
+ test_config http.maxRetries 3 &&
+ test_config http.retryAfter 1 &&
+
+ # Git should retry using configured default and succeed
+ git ls-remote "$HTTPD_URL/http_429/no-retry-after-header/none/repo.git" >output 2>err &&
+ test_grep "refs/heads/" output
+'
+
+test_expect_success 'HTTP 429 retry delays are respected' '
+ # Enable retries
+ test_config http.maxRetries 3 &&
+
+ # Time the operation - it should take at least 2 seconds due to retry delay
+ start=$(test-tool date getnanos) &&
+ git ls-remote "$HTTPD_URL/http_429/retry-delays-respected/2/repo.git" >output 2>err &&
+ duration=$(test-tool date getnanos $start) &&
+
+ # Verify it took at least 2 seconds (allowing some tolerance)
+ duration_int=${duration%.*} &&
+ test "$duration_int" -ge 1 &&
+ test_grep "refs/heads/" output
+'
+
+test_expect_success 'HTTP 429 fails immediately if Retry-After exceeds http.maxRetryTime' '
+ # Configure max retry time to 3 seconds (much less than requested 100)
+ test_config http.maxRetries 3 &&
+ test_config http.maxRetryTime 3 &&
+
+ # Should fail immediately without waiting
+ start=$(test-tool date getnanos) &&
+ test_must_fail git ls-remote "$HTTPD_URL/http_429/retry-after-exceeds-max-time/100/repo.git" 2>err &&
+ duration=$(test-tool date getnanos $start) &&
+
+ # Should fail quickly (less than 2 seconds, no 100 second wait)
+ duration_int=${duration%.*} &&
+ test "$duration_int" -lt 2 &&
+ test_grep "greater than http.maxRetryTime" err
+'
+
+test_expect_success 'HTTP 429 fails if configured http.retryAfter exceeds http.maxRetryTime' '
+ # Test misconfiguration: retryAfter > maxRetryTime
+ # Configure retryAfter larger than maxRetryTime
+ test_config http.maxRetries 3 &&
+ test_config http.retryAfter 100 &&
+ test_config http.maxRetryTime 5 &&
+
+ # Should fail immediately with configuration error
+ start=$(test-tool date getnanos) &&
+ test_must_fail git ls-remote "$HTTPD_URL/http_429/config-retry-after-exceeds-max-time/none/repo.git" 2>err &&
+ duration=$(test-tool date getnanos $start) &&
+
+ # Should fail quickly
+ duration_int=${duration%.*} &&
+ test "$duration_int" -lt 2 &&
+ test_grep "configured http.retryAfter.*exceeds.*http.maxRetryTime" err
+'
+
+test_expect_success 'HTTP 429 with Retry-After HTTP-date format' '
+ # Test HTTP-date format (RFC 2822) in Retry-After header
+ raw=$(test-tool date timestamp now) &&
+ now="${raw#* -> }" &&
+ future_time=$((now + 2)) &&
+ raw=$(test-tool date show:rfc2822 $future_time) &&
+ future_date="${raw#* -> }" &&
+ future_date_encoded=$(echo "$future_date" | sed "s/ /%20/g") &&
+
+ # Enable retries
+ test_config http.maxRetries 3 &&
+
+ # Git should parse the HTTP-date and retry after the delay
+ start=$(test-tool date getnanos) &&
+ git ls-remote "$HTTPD_URL/http_429/http-date-format/$future_date_encoded/repo.git" >output 2>err &&
+ duration=$(test-tool date getnanos $start) &&
+
+ # Should take at least 1 second (allowing tolerance for processing time)
+ duration_int=${duration%.*} &&
+ test "$duration_int" -ge 1 &&
+ test_grep "refs/heads/" output
+'
+
+test_expect_success 'HTTP 429 with HTTP-date exceeding maxRetryTime fails immediately' '
+ raw=$(test-tool date timestamp now) &&
+ now="${raw#* -> }" &&
+ future_time=$((now + 200)) &&
+ raw=$(test-tool date show:rfc2822 $future_time) &&
+ future_date="${raw#* -> }" &&
+ future_date_encoded=$(echo "$future_date" | sed "s/ /%20/g") &&
+
+ # Configure max retry time much less than the 200 second delay
+ test_config http.maxRetries 3 &&
+ test_config http.maxRetryTime 10 &&
+
+ # Should fail immediately without waiting 200 seconds
+ start=$(test-tool date getnanos) &&
+ test_must_fail git ls-remote "$HTTPD_URL/http_429/http-date-exceeds-max-time/$future_date_encoded/repo.git" 2>err &&
+ duration=$(test-tool date getnanos $start) &&
+
+ # Should fail quickly (not wait 200 seconds)
+ duration_int=${duration%.*} &&
+ test "$duration_int" -lt 2 &&
+ test_grep "http.maxRetryTime" err
+'
+
+test_expect_success 'HTTP 429 with past HTTP-date should not wait' '
+ raw=$(test-tool date timestamp now) &&
+ now="${raw#* -> }" &&
+ past_time=$((now - 10)) &&
+ raw=$(test-tool date show:rfc2822 $past_time) &&
+ past_date="${raw#* -> }" &&
+ past_date_encoded=$(echo "$past_date" | sed "s/ /%20/g") &&
+
+ # Enable retries
+ test_config http.maxRetries 3 &&
+
+ # Git should retry immediately without waiting
+ start=$(test-tool date getnanos) &&
+ git ls-remote "$HTTPD_URL/http_429/past-http-date/$past_date_encoded/repo.git" >output 2>err &&
+ duration=$(test-tool date getnanos $start) &&
+
+ # Should complete quickly (less than 2 seconds)
+ duration_int=${duration%.*} &&
+ test "$duration_int" -lt 2 &&
+ test_grep "refs/heads/" output
+'
+
+test_expect_success 'HTTP 429 with invalid Retry-After format uses configured default' '
+ # Configure default retry-after
+ test_config http.maxRetries 3 &&
+ test_config http.retryAfter 1 &&
+
+ # Should use configured default (1 second) since header is invalid
+ start=$(test-tool date getnanos) &&
+ git ls-remote "$HTTPD_URL/http_429/invalid-retry-after-format/invalid/repo.git" >output 2>err &&
+ duration=$(test-tool date getnanos $start) &&
+
+ # Should take at least 1 second (the configured default)
+ duration_int=${duration%.*} &&
+ test "$duration_int" -ge 1 &&
+ test_grep "refs/heads/" output &&
+ test_grep "waiting.*retry" err
+'
+
+test_expect_success 'HTTP 429 will not be retried without config' '
+ # Default config means http.maxRetries=0 (retries disabled)
+ # When 429 is received, it should fail immediately without retry
+ # Do NOT configure anything - use defaults (http.maxRetries defaults to 0)
+
+ # Should fail immediately without retry
+ test_must_fail git ls-remote "$HTTPD_URL/http_429/no-retry-without-config/1/repo.git" 2>err &&
+
+ # Verify no retry happened (no "waiting" message)
+ test_grep ! -i "waiting.*retry" err &&
+
+ # Should get 429 error
+ test_grep "429" err
+'
+
+test_expect_success 'GIT_HTTP_RETRY_AFTER overrides http.retryAfter config' '
+ # Configure retryAfter to 10 seconds
+ test_config http.maxRetries 3 &&
+ test_config http.retryAfter 10 &&
+
+ # Override with environment variable to 1 second
+ start=$(test-tool date getnanos) &&
+ GIT_HTTP_RETRY_AFTER=1 git ls-remote "$HTTPD_URL/http_429/env-retry-after-override/none/repo.git" >output 2>err &&
+ duration=$(test-tool date getnanos $start) &&
+
+ # Should use env var (1 second), not config (10 seconds)
+ duration_int=${duration%.*} &&
+ test "$duration_int" -ge 1 &&
+ test "$duration_int" -lt 5 &&
+ test_grep "refs/heads/" output &&
+ test_grep "waiting.*retry" err
+'
+
+test_expect_success 'GIT_HTTP_MAX_RETRIES overrides http.maxRetries config' '
+ # Configure maxRetries to 0 (disabled)
+ test_config http.maxRetries 0 &&
+ test_config http.retryAfter 1 &&
+
+ # Override with environment variable to enable retries
+ GIT_HTTP_MAX_RETRIES=3 git ls-remote "$HTTPD_URL/http_429/env-max-retries-override/1/repo.git" >output 2>err &&
+
+ # Should retry (env var enables it despite config saying disabled)
+ test_grep "refs/heads/" output &&
+ test_grep "waiting.*retry" err
+'
+
+test_expect_success 'GIT_HTTP_MAX_RETRY_TIME overrides http.maxRetryTime config' '
+ # Configure maxRetryTime to 100 seconds (would accept 50 second delay)
+ test_config http.maxRetries 3 &&
+ test_config http.maxRetryTime 100 &&
+
+ # Override with environment variable to 10 seconds (should reject 50 second delay)
+ start=$(test-tool date getnanos) &&
+ test_must_fail env GIT_HTTP_MAX_RETRY_TIME=10 \
+ git ls-remote "$HTTPD_URL/http_429/env-max-retry-time-override/50/repo.git" 2>err &&
+ duration=$(test-tool date getnanos $start) &&
+
+ # Should fail quickly (not wait 50 seconds) because env var limits to 10
+ duration_int=${duration%.*} &&
+ test "$duration_int" -lt 5 &&
+ test_grep "greater than http.maxRetryTime" err
+'
+
+test_expect_success 'verify normal repository access still works' '
+ git ls-remote "$HTTPD_URL/smart/repo.git" >output &&
+ test_grep "refs/heads/" output
+'
+
+test_done
--
gitgitgadget
^ permalink raw reply related [flat|nested] 49+ messages in thread
* Re: [PATCH v3 1/3] strbuf: fix incorrect alloc size in strbuf_reencode()
2026-02-17 11:08 ` [PATCH v3 1/3] strbuf: fix incorrect alloc size in strbuf_reencode() Vaidas Pilkauskas via GitGitGadget
@ 2026-02-17 20:51 ` Junio C Hamano
2026-02-18 13:43 ` Vaidas Pilkauskas
0 siblings, 1 reply; 49+ messages in thread
From: Junio C Hamano @ 2026-02-17 20:51 UTC (permalink / raw)
To: Vaidas Pilkauskas via GitGitGadget
Cc: git, Taylor Blau, Jeff King, Vaidas Pilkauskas
"Vaidas Pilkauskas via GitGitGadget" <gitgitgadget@gmail.com>
writes:
> From: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
>
> The strbuf_reencode() function incorrectly passes the string length
> as the allocation size to strbuf_attach(), when it should pass
> length + 1 to account for the null terminator.
>
> The reencode_string_len() function allocates len + 1 bytes (including
> the null terminator) and returns the string length (excluding the null
> terminator) via the len parameter. However, strbuf_reencode() then
> calls strbuf_attach() with this length value as both the len and alloc
> parameters:
>
> strbuf_attach(sb, out, len, len);
>
> This is incorrect because strbuf_attach()'s alloc parameter should
> reflect the actual allocated buffer size, which includes space for the
> null terminator. This could lead to incorrect memory management in code
> that relies on sb->alloc being accurate.
I do agree that setting the correct number to .alloc member is a
good thing to do, but I am afraid that the above characterization of
a potential problem is incorrect.
If we were to extend the resulting strbuf further (by e.g.,
appending to it), we might end up reallocating the buffer a bit
prematurely by one byte before it actually fills up, but the
reallocation would be done by giving the piece of memory pointed at
by "out" here to realloc(3), so the wrong value of "alloc" would not
lead to incorrect memory management at all.
Upon further inspection, we see something else interesting. The
strbuf_attach() function, immediately after initializing sb with the
new values of buf/len/alloc, calls strbuf_grow(sb, 0) and triggers
the ALLOC_GROW() growth thanks to this under specification. By the
time the control returns to the caller, the sb->alloc would be
(((len)+16)*3/2), not (len+1), and it records the actual allocation
size. So there is no "could lead to incorrect memory management" at
all, but this incorrect number forces us to always reallocate
immediately after the strbuf_attach() call, which is a waste when we
are not going to further extend the strbuf returned by this function.
And that is a very good reason to make this fix worth doing.
> Fix by passing len + 1 as the alloc parameter:
>
> strbuf_attach(sb, out, len, len + 1);
I wonder how widespread this off-by-one error is. Shouldn't
strbuf_attach() be doing some sanity checking of its parameters?
void strbuf_attach(struct strbuf *sb, void *buf, size_t len, size_t alloc)
{
strbuf_release(sb);
sb->buf = buf;
sb->len = len;
sb->alloc = alloc;
strbuf_grow(sb, 0);
sb->buf[sb->len] = '\0';
}
Given the above code, it is clear that alloc must be at least as big
as (len + 1), and the strbuf_grow(sb, 0) in between is papering over
problems (at least it is doing so here for the caller you corrected).
Perhaps we want to replace the call to strbuf_grow(sb, 0) with
something like
if (alloc <= len)
BUG("alloc must be larger than len");
instead? The log message of 917c9a71 (New strbuf APIs: splice and
attach., 2007-09-15) is worth reading, but it is an iffy logic that
depends too much (at least for my taste) on what strbuf_grow(sb, 0)
actually does ;-).
> Signed-off-by: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
> ---
> strbuf.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/strbuf.c b/strbuf.c
> index 3939863cf3..3e04addc22 100644
> --- a/strbuf.c
> +++ b/strbuf.c
> @@ -168,7 +168,7 @@ int strbuf_reencode(struct strbuf *sb, const char *from, const char *to)
> if (!out)
> return -1;
>
> - strbuf_attach(sb, out, len, len);
> + strbuf_attach(sb, out, len, len + 1);
> return 0;
> }
^ permalink raw reply [flat|nested] 49+ messages in thread
* Re: [PATCH v3 1/3] strbuf: fix incorrect alloc size in strbuf_reencode()
2026-02-17 20:51 ` Junio C Hamano
@ 2026-02-18 13:43 ` Vaidas Pilkauskas
0 siblings, 0 replies; 49+ messages in thread
From: Vaidas Pilkauskas @ 2026-02-18 13:43 UTC (permalink / raw)
To: Junio C Hamano
Cc: Vaidas Pilkauskas via GitGitGadget, git, Taylor Blau, Jeff King
On Tue, Feb 17, 2026 at 10:51 PM Junio C Hamano <gitster@pobox.com> wrote:
> > From: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
> >
> > The strbuf_reencode() function incorrectly passes the string length
> > as the allocation size to strbuf_attach(), when it should pass
> > length + 1 to account for the null terminator.
> >
> > The reencode_string_len() function allocates len + 1 bytes (including
> > the null terminator) and returns the string length (excluding the null
> > terminator) via the len parameter. However, strbuf_reencode() then
> > calls strbuf_attach() with this length value as both the len and alloc
> > parameters:
> >
> > strbuf_attach(sb, out, len, len);
> >
> > This is incorrect because strbuf_attach()'s alloc parameter should
> > reflect the actual allocated buffer size, which includes space for the
> > null terminator. This could lead to incorrect memory management in code
> > that relies on sb->alloc being accurate.
>
> I do agree that setting the correct number to .alloc member is a
> good thing to do, but I am afraid that the above characterization of
> a potential problem is incorrect.
>
> If we were to extend the resulting strbuf further (by e.g.,
> appending to it), we might end up reallocating the buffer a bit
> prematurely by one byte before it actually fills up, but the
> reallocation would be done by giving the piece of memory pointed at
> by "out" here to realloc(3), so the wrong value of "alloc" would not
> lead to incorrect memory management at all.
>
> Upon further inspection, we see something else interesting. The
> strbuf_attach() function, immediately after initializing sb with the
> new values of buf/len/alloc, calls strbuf_grow(sb, 0) and triggers
> the ALLOC_GROW() growth thanks to this under specification. By the
> time the control returns to the caller, the sb->alloc would be
> (((len)+16)*3/2), not (len+1), and it records the actual allocation
> size. So there is no "could lead to incorrect memory management" at
> all, but this incorrect number forces us to always reallocate
> immediately after the strbuf_attach() call, which is a waste when we
> are not going to further extend the strbuf returned by this function.
>
> And that is a very good reason to make this fix worth doing.
I agree that this is incorrect characterization. What about something like this:
strbuf: pass correct alloc to strbuf_attach() in strbuf_reencode()
reencode_string_len() allocates len+1 bytes (including the NUL) and
returns the string length in len. strbuf_reencode() was calling
strbuf_attach(sb, out, len, len), so alloc was one byte too small.
strbuf_attach() then calls strbuf_grow(sb, 0). With alloc < len+1,
ALLOC_GROW always reallocates, so we reallocated immediately after
attach even when the strbuf was not extended further. Pass len+1 as
the alloc argument so the existing buffer is reused and the
reallocation is avoided.
> > Fix by passing len + 1 as the alloc parameter:
> >
> > strbuf_attach(sb, out, len, len + 1);
>
> I wonder how widespread this off-by-one error is. Shouldn't
> strbuf_attach() be doing some sanity checking of its parameters?
>
> void strbuf_attach(struct strbuf *sb, void *buf, size_t len, size_t alloc)
> {
>
> strbuf_release(sb);
> sb->buf = buf;
> sb->len = len;
> sb->alloc = alloc;
> strbuf_grow(sb, 0);
> sb->buf[sb->len] = '\0';
> }
>
> Given the above code, it is clear that alloc must be at least as big
> as (len + 1), and the strbuf_grow(sb, 0) in between is papering over
> problems (at least it is doing so here for the caller you corrected).
>
> Perhaps we want to replace the call to strbuf_grow(sb, 0) with
> something like
>
> if (alloc <= len)
> BUG("alloc must be larger than len");
>
> instead? The log message of 917c9a71 (New strbuf APIs: splice and
> attach., 2007-09-15) is worth reading, but it is an iffy logic that
> depends too much (at least for my taste) on what strbuf_grow(sb, 0)
> actually does ;-).
I'll send patches, one to clean up call sites (there aren't too many - 7 places)
and another to add BUG() check to enforce the contract.
Thanks, Junio, for the review!
>
> > Signed-off-by: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
> > ---
> > strbuf.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/strbuf.c b/strbuf.c
> > index 3939863cf3..3e04addc22 100644
> > --- a/strbuf.c
> > +++ b/strbuf.c
> > @@ -168,7 +168,7 @@ int strbuf_reencode(struct strbuf *sb, const char *from, const char *to)
> > if (!out)
> > return -1;
> >
> > - strbuf_attach(sb, out, len, len);
> > + strbuf_attach(sb, out, len, len + 1);
> > return 0;
> > }
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH v4 0/5] http: add support for HTTP 429 rate limit retries
2026-02-17 11:08 ` [PATCH v3 0/3] http: add support for HTTP 429 rate limit retries Vaidas Pilkauskas via GitGitGadget
` (2 preceding siblings ...)
2026-02-17 11:08 ` [PATCH v3 3/3] http: add support for HTTP 429 rate limit retries Vaidas Pilkauskas via GitGitGadget
@ 2026-02-18 14:09 ` Vaidas Pilkauskas via GitGitGadget
2026-02-18 14:09 ` [PATCH v4 1/5] strbuf: pass correct alloc to strbuf_attach() in strbuf_reencode() Vaidas Pilkauskas via GitGitGadget
` (5 more replies)
3 siblings, 6 replies; 49+ messages in thread
From: Vaidas Pilkauskas via GitGitGadget @ 2026-02-18 14:09 UTC (permalink / raw)
To: git; +Cc: Taylor Blau, Jeff King, Junio C Hamano, Vaidas Pilkauskas
Changes since v3:
* Clean up of all strbuf_attach() call sites
* Add strbuf_attach() contract enforcement via BUG()
Changes since v2:
* New preparatory patch: Introduced show_http_message_fatal() helper
function to reduce code duplication in remote-curl.c (suggested by Taylor
Blau)
* Removed specific HTTP_RATE_LIMITED error handling from http-push.c and
http-walker.c for the obsolete "dumb" protocol, allowing generic error
handling to take over (suggested by Jeff King)
* Added support for CURLINFO_RETRY_AFTER on curl >= 7.66.0, falling back to
manual header parsing on older versions
* Simplified retry/delay architecture: replaced complex non-blocking
"delayed slot" mechanism with simple blocking sleep() call in the retry
loop, removing ~66 lines of timing logic (suggested by Jeff King)
* Fixed Retry-After: 0 handling to allow immediate retry as specified by
RFC 9110
* Changed http.retryAfter default from -1 to 0, so Git will retry
immediately when encountering HTTP 429 without a Retry-After header,
rather than failing with a configuration error
* Improved error messages: shortened to be more concise
* Fixed coding style issues: removed unnecessary curly braces, changed x ==
0 to !x (per CodingGuidelines)
* Improved test portability: replaced non-portable date(1) commands with
test-tool date, added nanosecond-precision timing with getnanos, replaced
cut(1) with POSIX shell parameter expansion
* Split out strbuf.c bugfix into separate preparatory patch (the
strbuf_reencode alloc size fix is unrelated to HTTP 429 support)
* Squashed separate trace2 logging patch into main HTTP 429 retry support
commit
* Kept header_is_last_match assignment for Retry-After to prevent incorrect
handling of HTTP header continuation lines
The implementation includes:
1. A bug fix in strbuf_reencode() that corrects the allocation size passed
to strbuf_attach(), passing len+1 instead of len so that the existing
buffer is reused rather than immediately reallocated.
2. A cleanup of all strbuf_attach() call sites that were passing alloc ==
len, leaving no room for the NUL terminator. Sites with a
known-NUL-terminated buffer now pass len+1; sites where the source
buffer has no trailing NUL (ll_merge output) are converted to use
strbuf_add() instead.
3. A hardening of strbuf_attach() itself: the internal strbuf_grow() that
silently papered over incorrect alloc values is replaced with an
explicit BUG() check, enforcing the documented contract that alloc must
be greater than len.
4. A new show_http_message_fatal() helper in remote-curl.c that combines
the repeated pattern of show_http_message() followed by die() into a
single NORETURN function, reducing boilerplate at existing call sites
and providing a clean hook for the retry logic.
5. The main feature: HTTP 429 retry logic with support for the Retry-After
header (both delay-seconds and HTTP-date formats), configurable via
http.maxRetries, http.retryAfter, and http.maxRetryTime options. If any
computed delay exceeds maxRetryTime the request fails immediately with a
clear diagnostic rather than capping and retrying silently.
Vaidas Pilkauskas (5):
strbuf: pass correct alloc to strbuf_attach() in strbuf_reencode()
strbuf_attach: fix all call sites to pass correct alloc
strbuf: replace strbuf_grow() in strbuf_attach() with BUG() check
remote-curl: introduce show_http_message_fatal() helper
http: add support for HTTP 429 rate limit retries
Documentation/config/http.adoc | 23 +++
apply.c | 3 +-
builtin/am.c | 2 +-
builtin/fast-import.c | 2 +-
git-curl-compat.h | 8 +
http.c | 190 +++++++++++++++++++++--
http.h | 2 +
mailinfo.c | 2 +-
refs/files-backend.c | 2 +-
remote-curl.c | 49 +++---
rerere.c | 3 +-
strbuf.c | 5 +-
t/lib-httpd.sh | 1 +
t/lib-httpd/apache.conf | 8 +
t/lib-httpd/http-429.sh | 98 ++++++++++++
t/meson.build | 1 +
t/t5584-http-429-retry.sh | 266 +++++++++++++++++++++++++++++++++
trailer.c | 2 +-
18 files changed, 629 insertions(+), 38 deletions(-)
create mode 100644 t/lib-httpd/http-429.sh
create mode 100755 t/t5584-http-429-retry.sh
base-commit: 73fd77805fc6406f31c36212846d9e2541d19321
Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-2008%2Fvaidas-shopify%2Fretry-after-v4
Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-2008/vaidas-shopify/retry-after-v4
Pull-Request: https://github.com/gitgitgadget/git/pull/2008
Range-diff vs v3:
1: 821043c664 ! 1: a3386f5b56 strbuf: fix incorrect alloc size in strbuf_reencode()
@@ Metadata
Author: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
## Commit message ##
- strbuf: fix incorrect alloc size in strbuf_reencode()
+ strbuf: pass correct alloc to strbuf_attach() in strbuf_reencode()
- The strbuf_reencode() function incorrectly passes the string length
- as the allocation size to strbuf_attach(), when it should pass
- length + 1 to account for the null terminator.
+ reencode_string_len() allocates len+1 bytes (including the NUL) and
+ returns the string length in len. strbuf_reencode() was calling
+ strbuf_attach(sb, out, len, len), so alloc was one byte too small.
- The reencode_string_len() function allocates len + 1 bytes (including
- the null terminator) and returns the string length (excluding the null
- terminator) via the len parameter. However, strbuf_reencode() then
- calls strbuf_attach() with this length value as both the len and alloc
- parameters:
-
- strbuf_attach(sb, out, len, len);
-
- This is incorrect because strbuf_attach()'s alloc parameter should
- reflect the actual allocated buffer size, which includes space for the
- null terminator. This could lead to incorrect memory management in code
- that relies on sb->alloc being accurate.
-
- Fix by passing len + 1 as the alloc parameter:
-
- strbuf_attach(sb, out, len, len + 1);
+ strbuf_attach() then calls strbuf_grow(sb, 0). With alloc < len+1,
+ ALLOC_GROW always reallocates, so we reallocated immediately after
+ attach even when the strbuf was not extended further. Pass len+1 as
+ the alloc argument so the existing buffer is reused and the
+ reallocation is avoided.
Signed-off-by: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
-: ---------- > 2: f48b1f07c4 strbuf_attach: fix all call sites to pass correct alloc
-: ---------- > 3: 557fd77444 strbuf: replace strbuf_grow() in strbuf_attach() with BUG() check
2: 3653067f0e = 4: 3a39dc9e39 remote-curl: introduce show_http_message_fatal() helper
3: 3cece62a63 = 5: 5e0f4a56ef http: add support for HTTP 429 rate limit retries
--
gitgitgadget
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH v4 1/5] strbuf: pass correct alloc to strbuf_attach() in strbuf_reencode()
2026-02-18 14:09 ` [PATCH v4 0/5] " Vaidas Pilkauskas via GitGitGadget
@ 2026-02-18 14:09 ` Vaidas Pilkauskas via GitGitGadget
2026-02-18 14:09 ` [PATCH v4 2/5] strbuf_attach: fix all call sites to pass correct alloc Vaidas Pilkauskas via GitGitGadget
` (4 subsequent siblings)
5 siblings, 0 replies; 49+ messages in thread
From: Vaidas Pilkauskas via GitGitGadget @ 2026-02-18 14:09 UTC (permalink / raw)
To: git
Cc: Taylor Blau, Jeff King, Junio C Hamano, Vaidas Pilkauskas,
Vaidas Pilkauskas
From: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
reencode_string_len() allocates len+1 bytes (including the NUL) and
returns the string length in len. strbuf_reencode() was calling
strbuf_attach(sb, out, len, len), so alloc was one byte too small.
strbuf_attach() then calls strbuf_grow(sb, 0). With alloc < len+1,
ALLOC_GROW always reallocates, so we reallocated immediately after
attach even when the strbuf was not extended further. Pass len+1 as
the alloc argument so the existing buffer is reused and the
reallocation is avoided.
Signed-off-by: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
---
strbuf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/strbuf.c b/strbuf.c
index 3939863cf3..3e04addc22 100644
--- a/strbuf.c
+++ b/strbuf.c
@@ -168,7 +168,7 @@ int strbuf_reencode(struct strbuf *sb, const char *from, const char *to)
if (!out)
return -1;
- strbuf_attach(sb, out, len, len);
+ strbuf_attach(sb, out, len, len + 1);
return 0;
}
--
gitgitgadget
^ permalink raw reply related [flat|nested] 49+ messages in thread
* [PATCH v4 2/5] strbuf_attach: fix all call sites to pass correct alloc
2026-02-18 14:09 ` [PATCH v4 0/5] " Vaidas Pilkauskas via GitGitGadget
2026-02-18 14:09 ` [PATCH v4 1/5] strbuf: pass correct alloc to strbuf_attach() in strbuf_reencode() Vaidas Pilkauskas via GitGitGadget
@ 2026-02-18 14:09 ` Vaidas Pilkauskas via GitGitGadget
2026-02-20 22:55 ` Junio C Hamano
2026-02-18 14:09 ` [PATCH v4 3/5] strbuf: replace strbuf_grow() in strbuf_attach() with BUG() check Vaidas Pilkauskas via GitGitGadget
` (3 subsequent siblings)
5 siblings, 1 reply; 49+ messages in thread
From: Vaidas Pilkauskas via GitGitGadget @ 2026-02-18 14:09 UTC (permalink / raw)
To: git
Cc: Taylor Blau, Jeff King, Junio C Hamano, Vaidas Pilkauskas,
Vaidas Pilkauskas
From: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
strbuf_attach(sb, buf, len, alloc) requires alloc > len (the buffer
must have at least len+1 bytes to hold the NUL). Several call sites
passed alloc == len, relying on strbuf_grow(sb, 0) inside strbuf_attach
to reallocate. Prepare for changing that by fixing call sites to pass
the correct alloc.
- mailinfo, am, refs/files-backend, fast-import, trailer: pass len+1
when the buffer is a NUL-terminated string (or from strbuf_detach).
- rerere, apply: ll_merge returns a buffer with exactly result.size
bytes (no extra NUL). Use strbuf_add() to copy and NUL-terminate
into the strbuf, then free the merge result, so alloc is correct.
Signed-off-by: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
---
apply.c | 3 ++-
builtin/am.c | 2 +-
builtin/fast-import.c | 2 +-
mailinfo.c | 2 +-
refs/files-backend.c | 2 +-
rerere.c | 3 ++-
trailer.c | 2 +-
7 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/apply.c b/apply.c
index e4c4bf7af9..d67d86bce4 100644
--- a/apply.c
+++ b/apply.c
@@ -3589,7 +3589,8 @@ static int three_way_merge(struct apply_state *state,
return -1;
}
image_clear(image);
- strbuf_attach(&image->buf, result.ptr, result.size, result.size);
+ strbuf_add(&image->buf, result.ptr, result.size);
+ free(result.ptr);
return status;
}
diff --git a/builtin/am.c b/builtin/am.c
index e0c767e223..c439f868dc 100644
--- a/builtin/am.c
+++ b/builtin/am.c
@@ -1188,7 +1188,7 @@ static void am_append_signoff(struct am_state *state)
{
struct strbuf sb = STRBUF_INIT;
- strbuf_attach(&sb, state->msg, state->msg_len, state->msg_len);
+ strbuf_attach(&sb, state->msg, state->msg_len, state->msg_len + 1);
append_signoff(&sb, 0, 0);
state->msg = strbuf_detach(&sb, &state->msg_len);
}
diff --git a/builtin/fast-import.c b/builtin/fast-import.c
index b8a7757cfd..164d8a6198 100644
--- a/builtin/fast-import.c
+++ b/builtin/fast-import.c
@@ -3246,7 +3246,7 @@ static void cat_blob(struct object_entry *oe, struct object_id *oid)
cat_blob_write("\n", 1);
if (oe && oe->pack_id == pack_id) {
last_blob.offset = oe->idx.offset;
- strbuf_attach(&last_blob.data, buf, size, size);
+ strbuf_attach(&last_blob.data, buf, size, size + 1);
last_blob.depth = oe->depth;
} else
free(buf);
diff --git a/mailinfo.c b/mailinfo.c
index a2f06dbd96..13949ff31e 100644
--- a/mailinfo.c
+++ b/mailinfo.c
@@ -470,7 +470,7 @@ static int convert_to_utf8(struct mailinfo *mi,
return error("cannot convert from %s to %s",
charset, mi->metainfo_charset);
}
- strbuf_attach(line, out, out_len, out_len);
+ strbuf_attach(line, out, out_len, out_len + 1);
return 0;
}
diff --git a/refs/files-backend.c b/refs/files-backend.c
index b1b13b41f6..6baba11f96 100644
--- a/refs/files-backend.c
+++ b/refs/files-backend.c
@@ -1806,7 +1806,7 @@ static int commit_ref(struct ref_lock *lock)
size_t len = strlen(path);
struct strbuf sb_path = STRBUF_INIT;
- strbuf_attach(&sb_path, path, len, len);
+ strbuf_attach(&sb_path, path, len, len + 1);
/*
* If this fails, commit_lock_file() will also fail
diff --git a/rerere.c b/rerere.c
index 6ec55964e2..2f4809a310 100644
--- a/rerere.c
+++ b/rerere.c
@@ -1031,7 +1031,8 @@ static int handle_cache(struct index_state *istate,
else
io.io.output = NULL;
strbuf_init(&io.input, 0);
- strbuf_attach(&io.input, result.ptr, result.size, result.size);
+ strbuf_add(&io.input, result.ptr, result.size);
+ free(result.ptr);
/*
* Grab the conflict ID and optionally write the original
diff --git a/trailer.c b/trailer.c
index 911a81ed99..3afe368db0 100644
--- a/trailer.c
+++ b/trailer.c
@@ -1009,7 +1009,7 @@ static struct trailer_block *trailer_block_get(const struct process_trailer_opti
for (ptr = trailer_lines; *ptr; ptr++) {
if (last && isspace((*ptr)->buf[0])) {
struct strbuf sb = STRBUF_INIT;
- strbuf_attach(&sb, *last, strlen(*last), strlen(*last));
+ strbuf_attach(&sb, *last, strlen(*last), strlen(*last) + 1);
strbuf_addbuf(&sb, *ptr);
*last = strbuf_detach(&sb, NULL);
continue;
--
gitgitgadget
^ permalink raw reply related [flat|nested] 49+ messages in thread
* [PATCH v4 3/5] strbuf: replace strbuf_grow() in strbuf_attach() with BUG() check
2026-02-18 14:09 ` [PATCH v4 0/5] " Vaidas Pilkauskas via GitGitGadget
2026-02-18 14:09 ` [PATCH v4 1/5] strbuf: pass correct alloc to strbuf_attach() in strbuf_reencode() Vaidas Pilkauskas via GitGitGadget
2026-02-18 14:09 ` [PATCH v4 2/5] strbuf_attach: fix all call sites to pass correct alloc Vaidas Pilkauskas via GitGitGadget
@ 2026-02-18 14:09 ` Vaidas Pilkauskas via GitGitGadget
2026-02-18 14:09 ` [PATCH v4 4/5] remote-curl: introduce show_http_message_fatal() helper Vaidas Pilkauskas via GitGitGadget
` (2 subsequent siblings)
5 siblings, 0 replies; 49+ messages in thread
From: Vaidas Pilkauskas via GitGitGadget @ 2026-02-18 14:09 UTC (permalink / raw)
To: git
Cc: Taylor Blau, Jeff King, Junio C Hamano, Vaidas Pilkauskas,
Vaidas Pilkauskas
From: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
strbuf_attach() documents that alloc must be larger than len, as the
buffer must have room for the NUL terminator. Replace the strbuf_grow(sb, 0)
call, which was silently reallocating when alloc <= len, with an explicit
BUG() to enforce this contract and write the NUL terminator directly.
Signed-off-by: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
---
strbuf.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/strbuf.c b/strbuf.c
index 3e04addc22..0abed40c91 100644
--- a/strbuf.c
+++ b/strbuf.c
@@ -95,11 +95,12 @@ char *strbuf_detach(struct strbuf *sb, size_t *sz)
void strbuf_attach(struct strbuf *sb, void *buf, size_t len, size_t alloc)
{
+ if (alloc <= len)
+ BUG("alloc must be larger than len");
strbuf_release(sb);
sb->buf = buf;
sb->len = len;
sb->alloc = alloc;
- strbuf_grow(sb, 0);
sb->buf[sb->len] = '\0';
}
--
gitgitgadget
^ permalink raw reply related [flat|nested] 49+ messages in thread
* [PATCH v4 4/5] remote-curl: introduce show_http_message_fatal() helper
2026-02-18 14:09 ` [PATCH v4 0/5] " Vaidas Pilkauskas via GitGitGadget
` (2 preceding siblings ...)
2026-02-18 14:09 ` [PATCH v4 3/5] strbuf: replace strbuf_grow() in strbuf_attach() with BUG() check Vaidas Pilkauskas via GitGitGadget
@ 2026-02-18 14:09 ` Vaidas Pilkauskas via GitGitGadget
2026-02-18 14:09 ` [PATCH v4 5/5] http: add support for HTTP 429 rate limit retries Vaidas Pilkauskas via GitGitGadget
2026-02-23 14:20 ` [PATCH v5 0/4] " Vaidas Pilkauskas via GitGitGadget
5 siblings, 0 replies; 49+ messages in thread
From: Vaidas Pilkauskas via GitGitGadget @ 2026-02-18 14:09 UTC (permalink / raw)
To: git
Cc: Taylor Blau, Jeff King, Junio C Hamano, Vaidas Pilkauskas,
Vaidas Pilkauskas
From: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
Several code paths in remote-curl.c follow the same pattern of calling
show_http_message() to display server error messages followed by die()
to terminate with an error. This duplication makes the code more verbose
and harder to maintain.
Introduce a new show_http_message_fatal() helper function that combines
these two operations. This function:
1. Displays any HTTP error message from the server via show_http_message()
2. Calls die() with the provided error message
3. Returns NORETURN to help the compiler with control flow analysis
Refactor existing call sites in remote-curl.c to use this new helper,
reducing code duplication and improving readability. This pattern will
also be used by upcoming HTTP 429 rate limiting support.
Suggested-by: Taylor Blau <me@ttaylorr.com>
Signed-off-by: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
---
remote-curl.c | 45 ++++++++++++++++++++++++++++-----------------
1 file changed, 28 insertions(+), 17 deletions(-)
diff --git a/remote-curl.c b/remote-curl.c
index 92e40bb682..21c96f2ca9 100644
--- a/remote-curl.c
+++ b/remote-curl.c
@@ -367,23 +367,25 @@ static void free_discovery(struct discovery *d)
}
}
-static int show_http_message(struct strbuf *type, struct strbuf *charset,
- struct strbuf *msg)
+static NORETURN void show_http_message_fatal(struct strbuf *type, struct strbuf *charset,
+ struct strbuf *msg, const char *fmt, ...)
{
const char *p, *eol;
+ va_list ap;
+ report_fn die_message_routine = get_die_message_routine();
/*
* We only show text/plain parts, as other types are likely
* to be ugly to look at on the user's terminal.
*/
if (strcmp(type->buf, "text/plain"))
- return -1;
+ goto out;
if (charset->len)
strbuf_reencode(msg, charset->buf, get_log_output_encoding());
strbuf_trim(msg);
if (!msg->len)
- return -1;
+ goto out;
p = msg->buf;
do {
@@ -391,7 +393,16 @@ static int show_http_message(struct strbuf *type, struct strbuf *charset,
fprintf(stderr, "remote: %.*s\n", (int)(eol - p), p);
p = eol + 1;
} while(*eol);
- return 0;
+
+out:
+ strbuf_release(type);
+ strbuf_release(charset);
+ strbuf_release(msg);
+
+ va_start(ap, fmt);
+ die_message_routine(fmt, ap);
+ va_end(ap);
+ exit(128);
}
static int get_protocol_http_header(enum protocol_version version,
@@ -518,21 +529,21 @@ static struct discovery *discover_refs(const char *service, int for_push)
case HTTP_OK:
break;
case HTTP_MISSING_TARGET:
- show_http_message(&type, &charset, &buffer);
- die(_("repository '%s' not found"),
- transport_anonymize_url(url.buf));
+ show_http_message_fatal(&type, &charset, &buffer,
+ _("repository '%s' not found"),
+ transport_anonymize_url(url.buf));
case HTTP_NOAUTH:
- show_http_message(&type, &charset, &buffer);
- die(_("Authentication failed for '%s'"),
- transport_anonymize_url(url.buf));
+ show_http_message_fatal(&type, &charset, &buffer,
+ _("Authentication failed for '%s'"),
+ transport_anonymize_url(url.buf));
case HTTP_NOMATCHPUBLICKEY:
- show_http_message(&type, &charset, &buffer);
- die(_("unable to access '%s' with http.pinnedPubkey configuration: %s"),
- transport_anonymize_url(url.buf), curl_errorstr);
+ show_http_message_fatal(&type, &charset, &buffer,
+ _("unable to access '%s' with http.pinnedPubkey configuration: %s"),
+ transport_anonymize_url(url.buf), curl_errorstr);
default:
- show_http_message(&type, &charset, &buffer);
- die(_("unable to access '%s': %s"),
- transport_anonymize_url(url.buf), curl_errorstr);
+ show_http_message_fatal(&type, &charset, &buffer,
+ _("unable to access '%s': %s"),
+ transport_anonymize_url(url.buf), curl_errorstr);
}
if (options.verbosity && !starts_with(refs_url.buf, url.buf)) {
--
gitgitgadget
^ permalink raw reply related [flat|nested] 49+ messages in thread
* [PATCH v4 5/5] http: add support for HTTP 429 rate limit retries
2026-02-18 14:09 ` [PATCH v4 0/5] " Vaidas Pilkauskas via GitGitGadget
` (3 preceding siblings ...)
2026-02-18 14:09 ` [PATCH v4 4/5] remote-curl: introduce show_http_message_fatal() helper Vaidas Pilkauskas via GitGitGadget
@ 2026-02-18 14:09 ` Vaidas Pilkauskas via GitGitGadget
2026-02-23 14:20 ` [PATCH v5 0/4] " Vaidas Pilkauskas via GitGitGadget
5 siblings, 0 replies; 49+ messages in thread
From: Vaidas Pilkauskas via GitGitGadget @ 2026-02-18 14:09 UTC (permalink / raw)
To: git
Cc: Taylor Blau, Jeff King, Junio C Hamano, Vaidas Pilkauskas,
Vaidas Pilkauskas
From: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
Add retry logic for HTTP 429 (Too Many Requests) responses to handle
server-side rate limiting gracefully. When Git's HTTP client receives
a 429 response, it can now automatically retry the request after an
appropriate delay, respecting the server's rate limits.
The implementation supports the RFC-compliant Retry-After header in
both delay-seconds (integer) and HTTP-date (RFC 2822) formats. If a
past date is provided, Git retries immediately without waiting.
Retry behavior is controlled by three new configuration options
(http.maxRetries, http.retryAfter, and http.maxRetryTime) which are
documented in git-config(1).
The retry logic implements a fail-fast approach: if any delay
(whether from server header or configuration) exceeds maxRetryTime,
Git fails immediately with a clear error message rather than capping
the delay. This provides better visibility into rate limiting issues.
The implementation includes extensive test coverage for basic retry
behavior, Retry-After header formats (integer and HTTP-date),
configuration combinations, maxRetryTime limits, invalid header
handling, environment variable overrides, and edge cases.
Signed-off-by: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
---
Documentation/config/http.adoc | 23 +++
git-curl-compat.h | 8 +
http.c | 190 +++++++++++++++++++++--
http.h | 2 +
remote-curl.c | 4 +
t/lib-httpd.sh | 1 +
t/lib-httpd/apache.conf | 8 +
t/lib-httpd/http-429.sh | 98 ++++++++++++
t/meson.build | 1 +
t/t5584-http-429-retry.sh | 266 +++++++++++++++++++++++++++++++++
10 files changed, 589 insertions(+), 12 deletions(-)
create mode 100644 t/lib-httpd/http-429.sh
create mode 100755 t/t5584-http-429-retry.sh
diff --git a/Documentation/config/http.adoc b/Documentation/config/http.adoc
index 9da5c298cc..7d9a90dcba 100644
--- a/Documentation/config/http.adoc
+++ b/Documentation/config/http.adoc
@@ -315,6 +315,29 @@ http.keepAliveCount::
unset, curl's default value is used. Can be overridden by the
`GIT_HTTP_KEEPALIVE_COUNT` environment variable.
+http.retryAfter::
+ Default wait time in seconds before retrying when a server returns
+ HTTP 429 (Too Many Requests) without a Retry-After header.
+ Defaults to 0 (retry immediately). When a Retry-After header is
+ present, its value takes precedence over this setting. Can be
+ overridden by the `GIT_HTTP_RETRY_AFTER` environment variable.
+ See also `http.maxRetries` and `http.maxRetryTime`.
+
+http.maxRetries::
+ Maximum number of times to retry after receiving HTTP 429 (Too Many
+ Requests) responses. Set to 0 (the default) to disable retries.
+ Can be overridden by the `GIT_HTTP_MAX_RETRIES` environment variable.
+ See also `http.retryAfter` and `http.maxRetryTime`.
+
+http.maxRetryTime::
+ Maximum time in seconds to wait for a single retry attempt when
+ handling HTTP 429 (Too Many Requests) responses. If the server
+ requests a delay (via Retry-After header) or if `http.retryAfter`
+ is configured with a value that exceeds this maximum, Git will fail
+ immediately rather than waiting. Default is 300 seconds (5 minutes).
+ Can be overridden by the `GIT_HTTP_MAX_RETRY_TIME` environment
+ variable. See also `http.retryAfter` and `http.maxRetries`.
+
http.noEPSV::
A boolean which disables using of EPSV ftp command by curl.
This can be helpful with some "poor" ftp servers which don't
diff --git a/git-curl-compat.h b/git-curl-compat.h
index 659e5a3875..dccdd4d6e5 100644
--- a/git-curl-compat.h
+++ b/git-curl-compat.h
@@ -37,6 +37,14 @@
#define GIT_CURL_NEED_TRANSFER_ENCODING_HEADER
#endif
+/**
+ * CURLINFO_RETRY_AFTER was added in 7.66.0, released in September 2019.
+ * It allows curl to automatically parse Retry-After headers.
+ */
+#if LIBCURL_VERSION_NUM >= 0x074200
+#define GIT_CURL_HAVE_CURLINFO_RETRY_AFTER 1
+#endif
+
/**
* CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR were added in 7.85.0,
* released in August 2022.
diff --git a/http.c b/http.c
index 7815f144de..11ea9f38f7 100644
--- a/http.c
+++ b/http.c
@@ -22,6 +22,8 @@
#include "object-file.h"
#include "odb.h"
#include "tempfile.h"
+#include "date.h"
+#include "trace2.h"
static struct trace_key trace_curl = TRACE_KEY_INIT(CURL);
static int trace_curl_data = 1;
@@ -149,6 +151,11 @@ static char *cached_accept_language;
static char *http_ssl_backend;
static int http_schannel_check_revoke = 1;
+
+static long http_retry_after = 0;
+static long http_max_retries = 0;
+static long http_max_retry_time = 300;
+
/*
* With the backend being set to `schannel`, setting sslCAinfo would override
* the Certificate Store in cURL v7.60.0 and later, which is not what we want
@@ -209,7 +216,7 @@ static inline int is_hdr_continuation(const char *ptr, const size_t size)
return size && (*ptr == ' ' || *ptr == '\t');
}
-static size_t fwrite_wwwauth(char *ptr, size_t eltsize, size_t nmemb, void *p UNUSED)
+static size_t fwrite_headers(char *ptr, size_t eltsize, size_t nmemb, void *p MAYBE_UNUSED)
{
size_t size = eltsize * nmemb;
struct strvec *values = &http_auth.wwwauth_headers;
@@ -257,6 +264,50 @@ static size_t fwrite_wwwauth(char *ptr, size_t eltsize, size_t nmemb, void *p UN
goto exit;
}
+#ifndef GIT_CURL_HAVE_CURLINFO_RETRY_AFTER
+ /* Parse Retry-After header for rate limiting (for curl < 7.66.0) */
+ if (skip_iprefix_mem(ptr, size, "retry-after:", &val, &val_len)) {
+ struct active_request_slot *slot = (struct active_request_slot *)p;
+
+ strbuf_add(&buf, val, val_len);
+ strbuf_trim(&buf);
+
+ if (slot && slot->results) {
+ /* Parse the retry-after value (delay-seconds or HTTP-date) */
+ char *endptr;
+ long retry_after;
+
+ errno = 0;
+ retry_after = strtol(buf.buf, &endptr, 10);
+
+ /* Check if it's a valid integer (delay-seconds format) */
+ if (endptr != buf.buf && *endptr == '\0' &&
+ errno != ERANGE && retry_after >= 0) {
+ slot->results->retry_after = retry_after;
+ } else {
+ /* Try parsing as HTTP-date format */
+ timestamp_t timestamp;
+ int offset;
+ if (!parse_date_basic(buf.buf, ×tamp, &offset)) {
+ /* Successfully parsed as date, calculate delay from now */
+ timestamp_t now = time(NULL);
+ if (timestamp > now) {
+ slot->results->retry_after = (long)(timestamp - now);
+ } else {
+ /* Past date means retry immediately */
+ slot->results->retry_after = 0;
+ }
+ } else {
+ /* Failed to parse as either delay-seconds or HTTP-date */
+ warning(_("unable to parse Retry-After header value: '%s'"), buf.buf);
+ }
+ }
+ }
+
+ goto exit;
+ }
+#endif
+
/*
* This line could be a continuation of the previously matched header
* field. If this is the case then we should append this value to the
@@ -342,6 +393,17 @@ static void finish_active_slot(struct active_request_slot *slot)
curl_easy_getinfo(slot->curl, CURLINFO_HTTP_CONNECTCODE,
&slot->results->http_connectcode);
+
+#ifdef GIT_CURL_HAVE_CURLINFO_RETRY_AFTER
+ if (slot->results->http_code == 429) {
+ curl_off_t retry_after;
+ CURLcode res = curl_easy_getinfo(slot->curl,
+ CURLINFO_RETRY_AFTER,
+ &retry_after);
+ if (res == CURLE_OK && retry_after > 0)
+ slot->results->retry_after = (long)retry_after;
+ }
+#endif
}
/* Run callback if appropriate */
@@ -575,6 +637,21 @@ static int http_options(const char *var, const char *value,
return 0;
}
+ if (!strcmp("http.retryafter", var)) {
+ http_retry_after = git_config_int(var, value, ctx->kvi);
+ return 0;
+ }
+
+ if (!strcmp("http.maxretries", var)) {
+ http_max_retries = git_config_int(var, value, ctx->kvi);
+ return 0;
+ }
+
+ if (!strcmp("http.maxretrytime", var)) {
+ http_max_retry_time = git_config_int(var, value, ctx->kvi);
+ return 0;
+ }
+
/* Fall back on the default ones */
return git_default_config(var, value, ctx, data);
}
@@ -1422,6 +1499,10 @@ void http_init(struct remote *remote, const char *url, int proactive_auth)
set_long_from_env(&curl_tcp_keepintvl, "GIT_TCP_KEEPINTVL");
set_long_from_env(&curl_tcp_keepcnt, "GIT_TCP_KEEPCNT");
+ set_long_from_env(&http_retry_after, "GIT_HTTP_RETRY_AFTER");
+ set_long_from_env(&http_max_retries, "GIT_HTTP_MAX_RETRIES");
+ set_long_from_env(&http_max_retry_time, "GIT_HTTP_MAX_RETRY_TIME");
+
curl_default = get_curl_handle();
}
@@ -1871,6 +1952,10 @@ static int handle_curl_result(struct slot_results *results)
}
return HTTP_REAUTH;
}
+ } else if (results->http_code == 429) {
+ trace2_data_intmax("http", the_repository, "http/429-retry-after",
+ results->retry_after);
+ return HTTP_RATE_LIMITED;
} else {
if (results->http_connectcode == 407)
credential_reject(the_repository, &proxy_auth);
@@ -1886,6 +1971,9 @@ int run_one_slot(struct active_request_slot *slot,
struct slot_results *results)
{
slot->results = results;
+ /* Initialize retry_after to -1 (not set) */
+ results->retry_after = -1;
+
if (!start_active_slot(slot)) {
xsnprintf(curl_errorstr, sizeof(curl_errorstr),
"failed to start HTTP request");
@@ -2119,7 +2207,8 @@ static void http_opt_request_remainder(CURL *curl, off_t pos)
static int http_request(const char *url,
void *result, int target,
- const struct http_get_options *options)
+ const struct http_get_options *options,
+ long *retry_after_out)
{
struct active_request_slot *slot;
struct slot_results results;
@@ -2148,7 +2237,8 @@ static int http_request(const char *url,
fwrite_buffer);
}
- curl_easy_setopt(slot->curl, CURLOPT_HEADERFUNCTION, fwrite_wwwauth);
+ curl_easy_setopt(slot->curl, CURLOPT_HEADERFUNCTION, fwrite_headers);
+ curl_easy_setopt(slot->curl, CURLOPT_HEADERDATA, slot);
accept_language = http_get_accept_language_header();
@@ -2183,6 +2273,10 @@ static int http_request(const char *url,
ret = run_one_slot(slot, &results);
+ /* Store retry_after from slot results if output parameter provided */
+ if (retry_after_out)
+ *retry_after_out = results.retry_after;
+
if (options && options->content_type) {
struct strbuf raw = STRBUF_INIT;
curlinfo_strbuf(slot->curl, CURLINFO_CONTENT_TYPE, &raw);
@@ -2253,21 +2347,79 @@ static int update_url_from_redirect(struct strbuf *base,
return 1;
}
-static int http_request_reauth(const char *url,
+/*
+ * Handle rate limiting retry logic for HTTP 429 responses.
+ * Returns a negative value if retries are exhausted or configuration is invalid,
+ * otherwise returns the delay value (>= 0) to indicate the retry should proceed.
+ */
+static long handle_rate_limit_retry(int *rate_limit_retries, long slot_retry_after)
+{
+ int retry_attempt = http_max_retries - *rate_limit_retries + 1;
+
+ trace2_data_intmax("http", the_repository, "http/429-retry-attempt",
+ retry_attempt);
+
+ if (*rate_limit_retries <= 0) {
+ /* Retries are disabled or exhausted */
+ if (http_max_retries > 0) {
+ error(_("too many rate limit retries, giving up"));
+ trace2_data_string("http", the_repository,
+ "http/429-error", "retries-exhausted");
+ }
+ return -1;
+ }
+
+ (*rate_limit_retries)--;
+
+ /* Use the slot-specific retry_after value or configured default */
+ if (slot_retry_after >= 0) {
+ /* Check if retry delay exceeds maximum allowed */
+ if (slot_retry_after > http_max_retry_time) {
+ error(_("response requested a delay greater than http.maxRetryTime (%ld > %ld seconds)"),
+ slot_retry_after, http_max_retry_time);
+ trace2_data_string("http", the_repository,
+ "http/429-error", "exceeds-max-retry-time");
+ trace2_data_intmax("http", the_repository,
+ "http/429-requested-delay", slot_retry_after);
+ return -1;
+ }
+ return slot_retry_after;
+ } else {
+ /* No Retry-After header provided, use configured default */
+ if (http_retry_after > http_max_retry_time) {
+ error(_("configured http.retryAfter exceeds http.maxRetryTime (%ld > %ld seconds)"),
+ http_retry_after, http_max_retry_time);
+ trace2_data_string("http", the_repository,
+ "http/429-error", "config-exceeds-max-retry-time");
+ return -1;
+ }
+ trace2_data_string("http", the_repository,
+ "http/429-retry-source", "config-default");
+ return http_retry_after;
+ }
+}
+
+static int http_request_recoverable(const char *url,
void *result, int target,
struct http_get_options *options)
{
int i = 3;
int ret;
+ int rate_limit_retries = http_max_retries;
+ long slot_retry_after = -1; /* Per-slot retry_after value */
if (always_auth_proactively())
credential_fill(the_repository, &http_auth, 1);
- ret = http_request(url, result, target, options);
+ ret = http_request(url, result, target, options, &slot_retry_after);
- if (ret != HTTP_OK && ret != HTTP_REAUTH)
+ if (ret != HTTP_OK && ret != HTTP_REAUTH && ret != HTTP_RATE_LIMITED)
return ret;
+ /* If retries are disabled and we got a 429, fail immediately */
+ if (ret == HTTP_RATE_LIMITED && !http_max_retries)
+ return HTTP_ERROR;
+
if (options && options->effective_url && options->base_url) {
if (update_url_from_redirect(options->base_url,
url, options->effective_url)) {
@@ -2276,7 +2428,8 @@ static int http_request_reauth(const char *url,
}
}
- while (ret == HTTP_REAUTH && --i) {
+ while ((ret == HTTP_REAUTH || ret == HTTP_RATE_LIMITED) && --i) {
+ long retry_delay = -1;
/*
* The previous request may have put cruft into our output stream; we
* should clear it out before making our next request.
@@ -2301,10 +2454,23 @@ static int http_request_reauth(const char *url,
default:
BUG("Unknown http_request target");
}
+ if (ret == HTTP_RATE_LIMITED) {
+ retry_delay = handle_rate_limit_retry(&rate_limit_retries, slot_retry_after);
+ if (retry_delay < 0)
+ return HTTP_ERROR;
+
+ if (retry_delay > 0) {
+ warning(_("rate limited, waiting %ld seconds before retry"), retry_delay);
+ trace2_data_intmax("http", the_repository,
+ "http/retry-sleep-seconds", retry_delay);
+ sleep(retry_delay);
+ }
+ slot_retry_after = -1; /* Reset after use */
+ } else if (ret == HTTP_REAUTH) {
+ credential_fill(the_repository, &http_auth, 1);
+ }
- credential_fill(the_repository, &http_auth, 1);
-
- ret = http_request(url, result, target, options);
+ ret = http_request(url, result, target, options, &slot_retry_after);
}
return ret;
}
@@ -2313,7 +2479,7 @@ int http_get_strbuf(const char *url,
struct strbuf *result,
struct http_get_options *options)
{
- return http_request_reauth(url, result, HTTP_REQUEST_STRBUF, options);
+ return http_request_recoverable(url, result, HTTP_REQUEST_STRBUF, options);
}
/*
@@ -2337,7 +2503,7 @@ int http_get_file(const char *url, const char *filename,
goto cleanup;
}
- ret = http_request_reauth(url, result, HTTP_REQUEST_FILE, options);
+ ret = http_request_recoverable(url, result, HTTP_REQUEST_FILE, options);
fclose(result);
if (ret == HTTP_OK && finalize_object_file(the_repository, tmpfile.buf, filename))
diff --git a/http.h b/http.h
index f9d4593404..eb40456450 100644
--- a/http.h
+++ b/http.h
@@ -20,6 +20,7 @@ struct slot_results {
long http_code;
long auth_avail;
long http_connectcode;
+ long retry_after;
};
struct active_request_slot {
@@ -167,6 +168,7 @@ struct http_get_options {
#define HTTP_REAUTH 4
#define HTTP_NOAUTH 5
#define HTTP_NOMATCHPUBLICKEY 6
+#define HTTP_RATE_LIMITED 7
/*
* Requests a URL and stores the result in a strbuf.
diff --git a/remote-curl.c b/remote-curl.c
index 21c96f2ca9..b80d2adb95 100644
--- a/remote-curl.c
+++ b/remote-curl.c
@@ -540,6 +540,10 @@ static struct discovery *discover_refs(const char *service, int for_push)
show_http_message_fatal(&type, &charset, &buffer,
_("unable to access '%s' with http.pinnedPubkey configuration: %s"),
transport_anonymize_url(url.buf), curl_errorstr);
+ case HTTP_RATE_LIMITED:
+ show_http_message_fatal(&type, &charset, &buffer,
+ _("rate limited by '%s', please try again later"),
+ transport_anonymize_url(url.buf));
default:
show_http_message_fatal(&type, &charset, &buffer,
_("unable to access '%s': %s"),
diff --git a/t/lib-httpd.sh b/t/lib-httpd.sh
index 5091db949b..8a43261ffc 100644
--- a/t/lib-httpd.sh
+++ b/t/lib-httpd.sh
@@ -167,6 +167,7 @@ prepare_httpd() {
install_script error.sh
install_script apply-one-time-script.sh
install_script nph-custom-auth.sh
+ install_script http-429.sh
ln -s "$LIB_HTTPD_MODULE_PATH" "$HTTPD_ROOT_PATH/modules"
diff --git a/t/lib-httpd/apache.conf b/t/lib-httpd/apache.conf
index e631ab0eb5..6bdef603cd 100644
--- a/t/lib-httpd/apache.conf
+++ b/t/lib-httpd/apache.conf
@@ -139,6 +139,10 @@ SetEnv PERL_PATH ${PERL_PATH}
SetEnv GIT_EXEC_PATH ${GIT_EXEC_PATH}
SetEnv GIT_HTTP_EXPORT_ALL
</LocationMatch>
+<LocationMatch /http_429/>
+ SetEnv GIT_EXEC_PATH ${GIT_EXEC_PATH}
+ SetEnv GIT_HTTP_EXPORT_ALL
+</LocationMatch>
<LocationMatch /smart_v0/>
SetEnv GIT_EXEC_PATH ${GIT_EXEC_PATH}
SetEnv GIT_HTTP_EXPORT_ALL
@@ -160,6 +164,7 @@ ScriptAlias /broken_smart/ broken-smart-http.sh/
ScriptAlias /error_smart/ error-smart-http.sh/
ScriptAlias /error/ error.sh/
ScriptAliasMatch /one_time_script/(.*) apply-one-time-script.sh/$1
+ScriptAliasMatch /http_429/(.*) http-429.sh/$1
ScriptAliasMatch /custom_auth/(.*) nph-custom-auth.sh/$1
<Directory ${GIT_EXEC_PATH}>
Options FollowSymlinks
@@ -185,6 +190,9 @@ ScriptAliasMatch /custom_auth/(.*) nph-custom-auth.sh/$1
<Files apply-one-time-script.sh>
Options ExecCGI
</Files>
+<Files http-429.sh>
+ Options ExecCGI
+</Files>
<Files ${GIT_EXEC_PATH}/git-http-backend>
Options ExecCGI
</Files>
diff --git a/t/lib-httpd/http-429.sh b/t/lib-httpd/http-429.sh
new file mode 100644
index 0000000000..c97b16145b
--- /dev/null
+++ b/t/lib-httpd/http-429.sh
@@ -0,0 +1,98 @@
+#!/bin/sh
+
+# Script to return HTTP 429 Too Many Requests responses for testing retry logic.
+# Usage: /http_429/<test-context>/<retry-after-value>/<repo-path>
+#
+# The test-context is a unique identifier for each test to isolate state files.
+# The retry-after-value can be:
+# - A number (e.g., "1", "2", "100") - sets Retry-After header to that many seconds
+# - "none" - no Retry-After header
+# - "invalid" - invalid Retry-After format
+# - "permanent" - always return 429 (never succeed)
+# - An HTTP-date string (RFC 2822 format) - sets Retry-After to that date
+#
+# On first call, returns 429. On subsequent calls (after retry), forwards to git-http-backend
+# unless retry-after-value is "permanent".
+
+# Extract test context, retry-after value and repo path from PATH_INFO
+# PATH_INFO format: /<test-context>/<retry-after-value>/<repo-path>
+path_info="${PATH_INFO#/}" # Remove leading slash
+test_context="${path_info%%/*}" # Get first component (test context)
+remaining="${path_info#*/}" # Get rest
+retry_after="${remaining%%/*}" # Get second component (retry-after value)
+repo_path="${remaining#*/}" # Get rest (repo path)
+
+# Extract repository name from repo_path (e.g., "repo.git" from "repo.git/info/refs")
+# The repo name is the first component before any "/"
+repo_name="${repo_path%%/*}"
+
+# Use current directory (HTTPD_ROOT_PATH) for state file
+# Create a safe filename from test_context, retry_after and repo_name
+# This ensures all requests for the same test context share the same state file
+safe_name=$(echo "${test_context}-${retry_after}-${repo_name}" | tr '/' '_' | tr -cd 'a-zA-Z0-9_-')
+state_file="http-429-state-${safe_name}"
+
+# Check if this is the first call (no state file exists)
+if test -f "$state_file"
+then
+ # Already returned 429 once, forward to git-http-backend
+ # Set PATH_INFO to just the repo path (without retry-after value)
+ # Set GIT_PROJECT_ROOT so git-http-backend can find the repository
+ # Use exec to replace this process so git-http-backend gets the updated environment
+ PATH_INFO="/$repo_path"
+ export PATH_INFO
+ # GIT_PROJECT_ROOT points to the document root where repositories are stored
+ # The script runs from HTTPD_ROOT_PATH, and www/ is the document root
+ if test -z "$GIT_PROJECT_ROOT"
+ then
+ # Construct path: current directory (HTTPD_ROOT_PATH) + /www
+ GIT_PROJECT_ROOT="$(pwd)/www"
+ export GIT_PROJECT_ROOT
+ fi
+ exec "$GIT_EXEC_PATH/git-http-backend"
+fi
+
+# Mark that we've returned 429
+touch "$state_file"
+
+# Output HTTP 429 response
+printf "Status: 429 Too Many Requests\r\n"
+
+# Set Retry-After header based on retry_after value
+case "$retry_after" in
+ none)
+ # No Retry-After header
+ ;;
+ invalid)
+ printf "Retry-After: invalid-format-123abc\r\n"
+ ;;
+ permanent)
+ # Always return 429, don't set state file for success
+ rm -f "$state_file"
+ printf "Retry-After: 1\r\n"
+ printf "Content-Type: text/plain\r\n"
+ printf "\r\n"
+ printf "Permanently rate limited\n"
+ exit 0
+ ;;
+ *)
+ # Check if it's a number
+ case "$retry_after" in
+ [0-9]*)
+ # Numeric value
+ printf "Retry-After: %s\r\n" "$retry_after"
+ ;;
+ *)
+ # Assume it's an HTTP-date format (passed as-is, URL decoded)
+ # Apache may URL-encode the path, so decode common URL-encoded characters
+ # %20 = space, %2C = comma, %3A = colon
+ retry_value=$(echo "$retry_after" | sed -e 's/%20/ /g' -e 's/%2C/,/g' -e 's/%3A/:/g')
+ printf "Retry-After: %s\r\n" "$retry_value"
+ ;;
+ esac
+ ;;
+esac
+
+printf "Content-Type: text/plain\r\n"
+printf "\r\n"
+printf "Rate limited\n"
diff --git a/t/meson.build b/t/meson.build
index f80e366cff..44f72e0f07 100644
--- a/t/meson.build
+++ b/t/meson.build
@@ -704,6 +704,7 @@ integration_tests = [
't5581-http-curl-verbose.sh',
't5582-fetch-negative-refspec.sh',
't5583-push-branches.sh',
+ 't5584-http-429-retry.sh',
't5600-clone-fail-cleanup.sh',
't5601-clone.sh',
't5602-clone-remote-exec.sh',
diff --git a/t/t5584-http-429-retry.sh b/t/t5584-http-429-retry.sh
new file mode 100755
index 0000000000..f3a9439f51
--- /dev/null
+++ b/t/t5584-http-429-retry.sh
@@ -0,0 +1,266 @@
+#!/bin/sh
+
+test_description='test HTTP 429 Too Many Requests retry logic'
+
+. ./test-lib.sh
+
+. "$TEST_DIRECTORY"/lib-httpd.sh
+
+start_httpd
+
+test_expect_success 'setup test repository' '
+ test_commit initial &&
+ git clone --bare . "$HTTPD_DOCUMENT_ROOT_PATH/repo.git" &&
+ git --git-dir="$HTTPD_DOCUMENT_ROOT_PATH/repo.git" config http.receivepack true
+'
+
+# This test suite uses a special HTTP 429 endpoint at /http_429/ that simulates
+# rate limiting. The endpoint format is:
+# /http_429/<test-context>/<retry-after-value>/<repo-path>
+# The http-429.sh script (in t/lib-httpd) returns a 429 response with the
+# specified Retry-After header on the first request for each test context,
+# then forwards subsequent requests to git-http-backend. Each test context
+# is isolated, allowing multiple tests to run independently.
+
+test_expect_success 'HTTP 429 with retries disabled (maxRetries=0) fails immediately' '
+ # Set maxRetries to 0 (disabled)
+ test_config http.maxRetries 0 &&
+ test_config http.retryAfter 1 &&
+
+ # Should fail immediately without any retry attempt
+ test_must_fail git ls-remote "$HTTPD_URL/http_429/retries-disabled/1/repo.git" 2>err &&
+
+ # Verify no retry happened (no "waiting" message in stderr)
+ test_grep ! -i "waiting.*retry" err
+'
+
+test_expect_success 'HTTP 429 permanent should fail after max retries' '
+ # Enable retries with a limit
+ test_config http.maxRetries 2 &&
+
+ # Git should retry but eventually fail when 429 persists
+ test_must_fail git ls-remote "$HTTPD_URL/http_429/permanent-fail/permanent/repo.git" 2>err
+'
+
+test_expect_success 'HTTP 429 with Retry-After is retried and succeeds' '
+ # Enable retries
+ test_config http.maxRetries 3 &&
+
+ # Git should retry after receiving 429 and eventually succeed
+ git ls-remote "$HTTPD_URL/http_429/retry-succeeds/1/repo.git" >output 2>err &&
+ test_grep "refs/heads/" output
+'
+
+test_expect_success 'HTTP 429 without Retry-After uses configured default' '
+ # Enable retries and configure default delay
+ test_config http.maxRetries 3 &&
+ test_config http.retryAfter 1 &&
+
+ # Git should retry using configured default and succeed
+ git ls-remote "$HTTPD_URL/http_429/no-retry-after-header/none/repo.git" >output 2>err &&
+ test_grep "refs/heads/" output
+'
+
+test_expect_success 'HTTP 429 retry delays are respected' '
+ # Enable retries
+ test_config http.maxRetries 3 &&
+
+ # Time the operation - it should take at least 2 seconds due to retry delay
+ start=$(test-tool date getnanos) &&
+ git ls-remote "$HTTPD_URL/http_429/retry-delays-respected/2/repo.git" >output 2>err &&
+ duration=$(test-tool date getnanos $start) &&
+
+ # Verify it took at least 2 seconds (allowing some tolerance)
+ duration_int=${duration%.*} &&
+ test "$duration_int" -ge 1 &&
+ test_grep "refs/heads/" output
+'
+
+test_expect_success 'HTTP 429 fails immediately if Retry-After exceeds http.maxRetryTime' '
+ # Configure max retry time to 3 seconds (much less than requested 100)
+ test_config http.maxRetries 3 &&
+ test_config http.maxRetryTime 3 &&
+
+ # Should fail immediately without waiting
+ start=$(test-tool date getnanos) &&
+ test_must_fail git ls-remote "$HTTPD_URL/http_429/retry-after-exceeds-max-time/100/repo.git" 2>err &&
+ duration=$(test-tool date getnanos $start) &&
+
+ # Should fail quickly (less than 2 seconds, no 100 second wait)
+ duration_int=${duration%.*} &&
+ test "$duration_int" -lt 2 &&
+ test_grep "greater than http.maxRetryTime" err
+'
+
+test_expect_success 'HTTP 429 fails if configured http.retryAfter exceeds http.maxRetryTime' '
+ # Test misconfiguration: retryAfter > maxRetryTime
+ # Configure retryAfter larger than maxRetryTime
+ test_config http.maxRetries 3 &&
+ test_config http.retryAfter 100 &&
+ test_config http.maxRetryTime 5 &&
+
+ # Should fail immediately with configuration error
+ start=$(test-tool date getnanos) &&
+ test_must_fail git ls-remote "$HTTPD_URL/http_429/config-retry-after-exceeds-max-time/none/repo.git" 2>err &&
+ duration=$(test-tool date getnanos $start) &&
+
+ # Should fail quickly
+ duration_int=${duration%.*} &&
+ test "$duration_int" -lt 2 &&
+ test_grep "configured http.retryAfter.*exceeds.*http.maxRetryTime" err
+'
+
+test_expect_success 'HTTP 429 with Retry-After HTTP-date format' '
+ # Test HTTP-date format (RFC 2822) in Retry-After header
+ raw=$(test-tool date timestamp now) &&
+ now="${raw#* -> }" &&
+ future_time=$((now + 2)) &&
+ raw=$(test-tool date show:rfc2822 $future_time) &&
+ future_date="${raw#* -> }" &&
+ future_date_encoded=$(echo "$future_date" | sed "s/ /%20/g") &&
+
+ # Enable retries
+ test_config http.maxRetries 3 &&
+
+ # Git should parse the HTTP-date and retry after the delay
+ start=$(test-tool date getnanos) &&
+ git ls-remote "$HTTPD_URL/http_429/http-date-format/$future_date_encoded/repo.git" >output 2>err &&
+ duration=$(test-tool date getnanos $start) &&
+
+ # Should take at least 1 second (allowing tolerance for processing time)
+ duration_int=${duration%.*} &&
+ test "$duration_int" -ge 1 &&
+ test_grep "refs/heads/" output
+'
+
+test_expect_success 'HTTP 429 with HTTP-date exceeding maxRetryTime fails immediately' '
+ raw=$(test-tool date timestamp now) &&
+ now="${raw#* -> }" &&
+ future_time=$((now + 200)) &&
+ raw=$(test-tool date show:rfc2822 $future_time) &&
+ future_date="${raw#* -> }" &&
+ future_date_encoded=$(echo "$future_date" | sed "s/ /%20/g") &&
+
+ # Configure max retry time much less than the 200 second delay
+ test_config http.maxRetries 3 &&
+ test_config http.maxRetryTime 10 &&
+
+ # Should fail immediately without waiting 200 seconds
+ start=$(test-tool date getnanos) &&
+ test_must_fail git ls-remote "$HTTPD_URL/http_429/http-date-exceeds-max-time/$future_date_encoded/repo.git" 2>err &&
+ duration=$(test-tool date getnanos $start) &&
+
+ # Should fail quickly (not wait 200 seconds)
+ duration_int=${duration%.*} &&
+ test "$duration_int" -lt 2 &&
+ test_grep "http.maxRetryTime" err
+'
+
+test_expect_success 'HTTP 429 with past HTTP-date should not wait' '
+ raw=$(test-tool date timestamp now) &&
+ now="${raw#* -> }" &&
+ past_time=$((now - 10)) &&
+ raw=$(test-tool date show:rfc2822 $past_time) &&
+ past_date="${raw#* -> }" &&
+ past_date_encoded=$(echo "$past_date" | sed "s/ /%20/g") &&
+
+ # Enable retries
+ test_config http.maxRetries 3 &&
+
+ # Git should retry immediately without waiting
+ start=$(test-tool date getnanos) &&
+ git ls-remote "$HTTPD_URL/http_429/past-http-date/$past_date_encoded/repo.git" >output 2>err &&
+ duration=$(test-tool date getnanos $start) &&
+
+ # Should complete quickly (less than 2 seconds)
+ duration_int=${duration%.*} &&
+ test "$duration_int" -lt 2 &&
+ test_grep "refs/heads/" output
+'
+
+test_expect_success 'HTTP 429 with invalid Retry-After format uses configured default' '
+ # Configure default retry-after
+ test_config http.maxRetries 3 &&
+ test_config http.retryAfter 1 &&
+
+ # Should use configured default (1 second) since header is invalid
+ start=$(test-tool date getnanos) &&
+ git ls-remote "$HTTPD_URL/http_429/invalid-retry-after-format/invalid/repo.git" >output 2>err &&
+ duration=$(test-tool date getnanos $start) &&
+
+ # Should take at least 1 second (the configured default)
+ duration_int=${duration%.*} &&
+ test "$duration_int" -ge 1 &&
+ test_grep "refs/heads/" output &&
+ test_grep "waiting.*retry" err
+'
+
+test_expect_success 'HTTP 429 will not be retried without config' '
+ # Default config means http.maxRetries=0 (retries disabled)
+ # When 429 is received, it should fail immediately without retry
+ # Do NOT configure anything - use defaults (http.maxRetries defaults to 0)
+
+ # Should fail immediately without retry
+ test_must_fail git ls-remote "$HTTPD_URL/http_429/no-retry-without-config/1/repo.git" 2>err &&
+
+ # Verify no retry happened (no "waiting" message)
+ test_grep ! -i "waiting.*retry" err &&
+
+ # Should get 429 error
+ test_grep "429" err
+'
+
+test_expect_success 'GIT_HTTP_RETRY_AFTER overrides http.retryAfter config' '
+ # Configure retryAfter to 10 seconds
+ test_config http.maxRetries 3 &&
+ test_config http.retryAfter 10 &&
+
+ # Override with environment variable to 1 second
+ start=$(test-tool date getnanos) &&
+ GIT_HTTP_RETRY_AFTER=1 git ls-remote "$HTTPD_URL/http_429/env-retry-after-override/none/repo.git" >output 2>err &&
+ duration=$(test-tool date getnanos $start) &&
+
+ # Should use env var (1 second), not config (10 seconds)
+ duration_int=${duration%.*} &&
+ test "$duration_int" -ge 1 &&
+ test "$duration_int" -lt 5 &&
+ test_grep "refs/heads/" output &&
+ test_grep "waiting.*retry" err
+'
+
+test_expect_success 'GIT_HTTP_MAX_RETRIES overrides http.maxRetries config' '
+ # Configure maxRetries to 0 (disabled)
+ test_config http.maxRetries 0 &&
+ test_config http.retryAfter 1 &&
+
+ # Override with environment variable to enable retries
+ GIT_HTTP_MAX_RETRIES=3 git ls-remote "$HTTPD_URL/http_429/env-max-retries-override/1/repo.git" >output 2>err &&
+
+ # Should retry (env var enables it despite config saying disabled)
+ test_grep "refs/heads/" output &&
+ test_grep "waiting.*retry" err
+'
+
+test_expect_success 'GIT_HTTP_MAX_RETRY_TIME overrides http.maxRetryTime config' '
+ # Configure maxRetryTime to 100 seconds (would accept 50 second delay)
+ test_config http.maxRetries 3 &&
+ test_config http.maxRetryTime 100 &&
+
+ # Override with environment variable to 10 seconds (should reject 50 second delay)
+ start=$(test-tool date getnanos) &&
+ test_must_fail env GIT_HTTP_MAX_RETRY_TIME=10 \
+ git ls-remote "$HTTPD_URL/http_429/env-max-retry-time-override/50/repo.git" 2>err &&
+ duration=$(test-tool date getnanos $start) &&
+
+ # Should fail quickly (not wait 50 seconds) because env var limits to 10
+ duration_int=${duration%.*} &&
+ test "$duration_int" -lt 5 &&
+ test_grep "greater than http.maxRetryTime" err
+'
+
+test_expect_success 'verify normal repository access still works' '
+ git ls-remote "$HTTPD_URL/smart/repo.git" >output &&
+ test_grep "refs/heads/" output
+'
+
+test_done
--
gitgitgadget
^ permalink raw reply related [flat|nested] 49+ messages in thread
* Re: [PATCH v4 2/5] strbuf_attach: fix all call sites to pass correct alloc
2026-02-18 14:09 ` [PATCH v4 2/5] strbuf_attach: fix all call sites to pass correct alloc Vaidas Pilkauskas via GitGitGadget
@ 2026-02-20 22:55 ` Junio C Hamano
2026-02-23 12:49 ` Vaidas Pilkauskas
0 siblings, 1 reply; 49+ messages in thread
From: Junio C Hamano @ 2026-02-20 22:55 UTC (permalink / raw)
To: Vaidas Pilkauskas via GitGitGadget
Cc: git, Taylor Blau, Jeff King, Vaidas Pilkauskas
"Vaidas Pilkauskas via GitGitGadget" <gitgitgadget@gmail.com>
writes:
> - mailinfo, am, refs/files-backend, fast-import, trailer: pass len+1
> when the buffer is a NUL-terminated string (or from strbuf_detach).
These are good.
> - rerere, apply: ll_merge returns a buffer with exactly result.size
> bytes (no extra NUL). Use strbuf_add() to copy and NUL-terminate
> into the strbuf, then free the merge result, so alloc is correct.
I am not sure about this, because this will result in unnecessary
reallocation.
For example
> - strbuf_attach(&image->buf, result.ptr, result.size, result.size);
This would have resulted in realloc(result.ptr, result.size + X) to
preserve the strbuf invariants that len + 1 <= alloc inside the
strbuf_attach().
It depends on what the system allocator does, but when X is a small
number, often no new memory needs to be carved out when this
realloc() happens, and all that needs to happen is that the size of
the memory region recorded by the system allocator is adjusted, and
the program will keep using the same memory region plus X bytes out
of the slop that has already been there when result.ptr was
allocated. We will call realloc(), and it may result in a true
allocation and copy when X is larger than the existing slop, but it
may end up to be a cheap operation.
But if we rewrite it to do this ...
> + strbuf_add(&image->buf, result.ptr, result.size);
> + free(result.ptr);
... we will allocate as much as result.size and copy the bytes.
Guaranteed, regardless of how much slop the system allocator left
after result.ptr+result.size when it allocated result.ptr.
Of course, we could rewrite the original to
result.ptr = realloc(result.ptr, result.size + 1);
strbuf_attach(&image->buf, result.ptr, result.size, result.size + 1);
which would avoid the extra allocation and copy when there is even a
single byte of slop after result.ptr+result.size, but at that point,
for the sake of simplicity, we may be better off with the original
implementation of strbuf_attach() that automatically does that for
us.
So, I dunno.
Thanks.
^ permalink raw reply [flat|nested] 49+ messages in thread
* Re: [PATCH v4 2/5] strbuf_attach: fix all call sites to pass correct alloc
2026-02-20 22:55 ` Junio C Hamano
@ 2026-02-23 12:49 ` Vaidas Pilkauskas
0 siblings, 0 replies; 49+ messages in thread
From: Vaidas Pilkauskas @ 2026-02-23 12:49 UTC (permalink / raw)
To: Junio C Hamano
Cc: Vaidas Pilkauskas via GitGitGadget, git, Taylor Blau, Jeff King
On Sat, Feb 21, 2026 at 12:55 AM Junio C Hamano <gitster@pobox.com> wrote:
> > - rerere, apply: ll_merge returns a buffer with exactly result.size
> > bytes (no extra NUL). Use strbuf_add() to copy and NUL-terminate
> > into the strbuf, then free the merge result, so alloc is correct.
>
> I am not sure about this, because this will result in unnecessary
> reallocation.
>
> For example
>
> > - strbuf_attach(&image->buf, result.ptr, result.size, result.size);
>
> This would have resulted in realloc(result.ptr, result.size + X) to
> preserve the strbuf invariants that len + 1 <= alloc inside the
> strbuf_attach().
>
> It depends on what the system allocator does, but when X is a small
> number, often no new memory needs to be carved out when this
> realloc() happens, and all that needs to happen is that the size of
> the memory region recorded by the system allocator is adjusted, and
> the program will keep using the same memory region plus X bytes out
> of the slop that has already been there when result.ptr was
> allocated. We will call realloc(), and it may result in a true
> allocation and copy when X is larger than the existing slop, but it
> may end up to be a cheap operation.
>
> But if we rewrite it to do this ...
>
> > + strbuf_add(&image->buf, result.ptr, result.size);
> > + free(result.ptr);
>
> ... we will allocate as much as result.size and copy the bytes.
> Guaranteed, regardless of how much slop the system allocator left
> after result.ptr+result.size when it allocated result.ptr.
>
> Of course, we could rewrite the original to
>
> result.ptr = realloc(result.ptr, result.size + 1);
> strbuf_attach(&image->buf, result.ptr, result.size, result.size + 1);
>
> which would avoid the extra allocation and copy when there is even a
> single byte of slop after result.ptr+result.size, but at that point,
> for the sake of simplicity, we may be better off with the original
> implementation of strbuf_attach() that automatically does that for
> us.
It seems reasonable to stay with the original implementation. So I'll
change this patch to keep original calls to strbuf_attach() in rerere and
apply. And I'll remove patch which enforces strbuf_attach() contract with
BUG().
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH v5 0/4] http: add support for HTTP 429 rate limit retries
2026-02-18 14:09 ` [PATCH v4 0/5] " Vaidas Pilkauskas via GitGitGadget
` (4 preceding siblings ...)
2026-02-18 14:09 ` [PATCH v4 5/5] http: add support for HTTP 429 rate limit retries Vaidas Pilkauskas via GitGitGadget
@ 2026-02-23 14:20 ` Vaidas Pilkauskas via GitGitGadget
2026-02-23 14:20 ` [PATCH v5 1/4] strbuf: pass correct alloc to strbuf_attach() in strbuf_reencode() Vaidas Pilkauskas via GitGitGadget
` (5 more replies)
5 siblings, 6 replies; 49+ messages in thread
From: Vaidas Pilkauskas via GitGitGadget @ 2026-02-23 14:20 UTC (permalink / raw)
To: git; +Cc: Taylor Blau, Jeff King, Junio C Hamano, Vaidas Pilkauskas
Changes since v4:
* fix only strbuf_attach() calls which don't need reallocation
* remove patch, which enforces strbuf_attach() contract via BUG()
Changes since v3:
* Clean up of all strbuf_attach() call sites
* Add strbuf_attach() contract enforcement via BUG()
Changes since v2:
* New preparatory patch: Introduced show_http_message_fatal() helper
function to reduce code duplication in remote-curl.c (suggested by Taylor
Blau)
* Removed specific HTTP_RATE_LIMITED error handling from http-push.c and
http-walker.c for the obsolete "dumb" protocol, allowing generic error
handling to take over (suggested by Jeff King)
* Added support for CURLINFO_RETRY_AFTER on curl >= 7.66.0, falling back to
manual header parsing on older versions
* Simplified retry/delay architecture: replaced complex non-blocking
"delayed slot" mechanism with simple blocking sleep() call in the retry
loop, removing ~66 lines of timing logic (suggested by Jeff King)
* Fixed Retry-After: 0 handling to allow immediate retry as specified by
RFC 9110
* Changed http.retryAfter default from -1 to 0, so Git will retry
immediately when encountering HTTP 429 without a Retry-After header,
rather than failing with a configuration error
* Improved error messages: shortened to be more concise
* Fixed coding style issues: removed unnecessary curly braces, changed x ==
0 to !x (per CodingGuidelines)
* Improved test portability: replaced non-portable date(1) commands with
test-tool date, added nanosecond-precision timing with getnanos, replaced
cut(1) with POSIX shell parameter expansion
* Split out strbuf.c bugfix into separate preparatory patch (the
strbuf_reencode alloc size fix is unrelated to HTTP 429 support)
* Squashed separate trace2 logging patch into main HTTP 429 retry support
commit
* Kept header_is_last_match assignment for Retry-After to prevent incorrect
handling of HTTP header continuation lines
The implementation includes:
1. A bug fix in strbuf_reencode() that corrects the allocation size passed
to strbuf_attach(), passing len+1 instead of len so that the existing
buffer is reused rather than immediately reallocated.
2. A cleanup of strbuf_attach() call sites that were passing alloc == len,
leaving no room for the NUL terminator. Sites with a
known-NUL-terminated buffer now pass len+1; sites where the source
buffer has no trailing NUL (ll_merge output) are converted to use
strbuf_add() instead.
3. A new show_http_message_fatal() helper in remote-curl.c that combines
the repeated pattern of show_http_message() followed by die() into a
single NORETURN function, reducing boilerplate at existing call sites
and providing a clean hook for the retry logic.
4. The main feature: HTTP 429 retry logic with support for the Retry-After
header (both delay-seconds and HTTP-date formats), configurable via
http.maxRetries, http.retryAfter, and http.maxRetryTime options. If any
computed delay exceeds maxRetryTime the request fails immediately with a
clear diagnostic rather than capping and retrying silently.
Vaidas Pilkauskas (4):
strbuf: pass correct alloc to strbuf_attach() in strbuf_reencode()
strbuf_attach: fix call sites to pass correct alloc
remote-curl: introduce show_http_message_fatal() helper
http: add support for HTTP 429 rate limit retries
Documentation/config/http.adoc | 23 +++
builtin/am.c | 2 +-
builtin/fast-import.c | 2 +-
git-curl-compat.h | 8 +
http.c | 190 +++++++++++++++++++++--
http.h | 2 +
mailinfo.c | 2 +-
refs/files-backend.c | 2 +-
remote-curl.c | 49 +++---
strbuf.c | 2 +-
t/lib-httpd.sh | 1 +
t/lib-httpd/apache.conf | 8 +
t/lib-httpd/http-429.sh | 98 ++++++++++++
t/meson.build | 1 +
t/t5584-http-429-retry.sh | 266 +++++++++++++++++++++++++++++++++
trailer.c | 2 +-
16 files changed, 623 insertions(+), 35 deletions(-)
create mode 100644 t/lib-httpd/http-429.sh
create mode 100755 t/t5584-http-429-retry.sh
base-commit: 7c02d39fc2ed2702223c7674f73150d9a7e61ba4
Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-2008%2Fvaidas-shopify%2Fretry-after-v5
Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-2008/vaidas-shopify/retry-after-v5
Pull-Request: https://github.com/gitgitgadget/git/pull/2008
Range-diff vs v4:
1: a3386f5b56 = 1: 7ec2d66447 strbuf: pass correct alloc to strbuf_attach() in strbuf_reencode()
2: f48b1f07c4 ! 2: 3e0b78cfb6 strbuf_attach: fix all call sites to pass correct alloc
@@ Metadata
Author: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
## Commit message ##
- strbuf_attach: fix all call sites to pass correct alloc
+ strbuf_attach: fix call sites to pass correct alloc
strbuf_attach(sb, buf, len, alloc) requires alloc > len (the buffer
must have at least len+1 bytes to hold the NUL). Several call sites
passed alloc == len, relying on strbuf_grow(sb, 0) inside strbuf_attach
- to reallocate. Prepare for changing that by fixing call sites to pass
- the correct alloc.
-
- - mailinfo, am, refs/files-backend, fast-import, trailer: pass len+1
- when the buffer is a NUL-terminated string (or from strbuf_detach).
- - rerere, apply: ll_merge returns a buffer with exactly result.size
- bytes (no extra NUL). Use strbuf_add() to copy and NUL-terminate
- into the strbuf, then free the merge result, so alloc is correct.
+ to reallocate. Fix these in mailinfo, am, refs/files-backend,
+ fast-import, and trailer by passing len+1 when the buffer is a
+ NUL-terminated string (or from strbuf_detach).
Signed-off-by: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
- ## apply.c ##
-@@ apply.c: static int three_way_merge(struct apply_state *state,
- return -1;
- }
- image_clear(image);
-- strbuf_attach(&image->buf, result.ptr, result.size, result.size);
-+ strbuf_add(&image->buf, result.ptr, result.size);
-+ free(result.ptr);
-
- return status;
- }
-
## builtin/am.c ##
@@ builtin/am.c: static void am_append_signoff(struct am_state *state)
{
@@ refs/files-backend.c: static int commit_ref(struct ref_lock *lock)
/*
* If this fails, commit_lock_file() will also fail
- ## rerere.c ##
-@@ rerere.c: static int handle_cache(struct index_state *istate,
- else
- io.io.output = NULL;
- strbuf_init(&io.input, 0);
-- strbuf_attach(&io.input, result.ptr, result.size, result.size);
-+ strbuf_add(&io.input, result.ptr, result.size);
-+ free(result.ptr);
-
- /*
- * Grab the conflict ID and optionally write the original
-
## trailer.c ##
@@ trailer.c: static struct trailer_block *trailer_block_get(const struct process_trailer_opti
for (ptr = trailer_lines; *ptr; ptr++) {
3: 557fd77444 < -: ---------- strbuf: replace strbuf_grow() in strbuf_attach() with BUG() check
4: 3a39dc9e39 = 3: 973703e9dd remote-curl: introduce show_http_message_fatal() helper
5: 5e0f4a56ef = 4: bfee1f10c0 http: add support for HTTP 429 rate limit retries
--
gitgitgadget
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH v5 1/4] strbuf: pass correct alloc to strbuf_attach() in strbuf_reencode()
2026-02-23 14:20 ` [PATCH v5 0/4] " Vaidas Pilkauskas via GitGitGadget
@ 2026-02-23 14:20 ` Vaidas Pilkauskas via GitGitGadget
2026-02-23 14:20 ` [PATCH v5 2/4] strbuf_attach: fix call sites to pass correct alloc Vaidas Pilkauskas via GitGitGadget
` (4 subsequent siblings)
5 siblings, 0 replies; 49+ messages in thread
From: Vaidas Pilkauskas via GitGitGadget @ 2026-02-23 14:20 UTC (permalink / raw)
To: git
Cc: Taylor Blau, Jeff King, Junio C Hamano, Vaidas Pilkauskas,
Vaidas Pilkauskas
From: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
reencode_string_len() allocates len+1 bytes (including the NUL) and
returns the string length in len. strbuf_reencode() was calling
strbuf_attach(sb, out, len, len), so alloc was one byte too small.
strbuf_attach() then calls strbuf_grow(sb, 0). With alloc < len+1,
ALLOC_GROW always reallocates, so we reallocated immediately after
attach even when the strbuf was not extended further. Pass len+1 as
the alloc argument so the existing buffer is reused and the
reallocation is avoided.
Signed-off-by: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
---
strbuf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/strbuf.c b/strbuf.c
index 3939863cf3..3e04addc22 100644
--- a/strbuf.c
+++ b/strbuf.c
@@ -168,7 +168,7 @@ int strbuf_reencode(struct strbuf *sb, const char *from, const char *to)
if (!out)
return -1;
- strbuf_attach(sb, out, len, len);
+ strbuf_attach(sb, out, len, len + 1);
return 0;
}
--
gitgitgadget
^ permalink raw reply related [flat|nested] 49+ messages in thread
* [PATCH v5 2/4] strbuf_attach: fix call sites to pass correct alloc
2026-02-23 14:20 ` [PATCH v5 0/4] " Vaidas Pilkauskas via GitGitGadget
2026-02-23 14:20 ` [PATCH v5 1/4] strbuf: pass correct alloc to strbuf_attach() in strbuf_reencode() Vaidas Pilkauskas via GitGitGadget
@ 2026-02-23 14:20 ` Vaidas Pilkauskas via GitGitGadget
2026-02-23 14:20 ` [PATCH v5 3/4] remote-curl: introduce show_http_message_fatal() helper Vaidas Pilkauskas via GitGitGadget
` (3 subsequent siblings)
5 siblings, 0 replies; 49+ messages in thread
From: Vaidas Pilkauskas via GitGitGadget @ 2026-02-23 14:20 UTC (permalink / raw)
To: git
Cc: Taylor Blau, Jeff King, Junio C Hamano, Vaidas Pilkauskas,
Vaidas Pilkauskas
From: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
strbuf_attach(sb, buf, len, alloc) requires alloc > len (the buffer
must have at least len+1 bytes to hold the NUL). Several call sites
passed alloc == len, relying on strbuf_grow(sb, 0) inside strbuf_attach
to reallocate. Fix these in mailinfo, am, refs/files-backend,
fast-import, and trailer by passing len+1 when the buffer is a
NUL-terminated string (or from strbuf_detach).
Signed-off-by: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
---
builtin/am.c | 2 +-
builtin/fast-import.c | 2 +-
mailinfo.c | 2 +-
refs/files-backend.c | 2 +-
trailer.c | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/builtin/am.c b/builtin/am.c
index e0c767e223..c439f868dc 100644
--- a/builtin/am.c
+++ b/builtin/am.c
@@ -1188,7 +1188,7 @@ static void am_append_signoff(struct am_state *state)
{
struct strbuf sb = STRBUF_INIT;
- strbuf_attach(&sb, state->msg, state->msg_len, state->msg_len);
+ strbuf_attach(&sb, state->msg, state->msg_len, state->msg_len + 1);
append_signoff(&sb, 0, 0);
state->msg = strbuf_detach(&sb, &state->msg_len);
}
diff --git a/builtin/fast-import.c b/builtin/fast-import.c
index b8a7757cfd..164d8a6198 100644
--- a/builtin/fast-import.c
+++ b/builtin/fast-import.c
@@ -3246,7 +3246,7 @@ static void cat_blob(struct object_entry *oe, struct object_id *oid)
cat_blob_write("\n", 1);
if (oe && oe->pack_id == pack_id) {
last_blob.offset = oe->idx.offset;
- strbuf_attach(&last_blob.data, buf, size, size);
+ strbuf_attach(&last_blob.data, buf, size, size + 1);
last_blob.depth = oe->depth;
} else
free(buf);
diff --git a/mailinfo.c b/mailinfo.c
index a2f06dbd96..13949ff31e 100644
--- a/mailinfo.c
+++ b/mailinfo.c
@@ -470,7 +470,7 @@ static int convert_to_utf8(struct mailinfo *mi,
return error("cannot convert from %s to %s",
charset, mi->metainfo_charset);
}
- strbuf_attach(line, out, out_len, out_len);
+ strbuf_attach(line, out, out_len, out_len + 1);
return 0;
}
diff --git a/refs/files-backend.c b/refs/files-backend.c
index b1b13b41f6..6baba11f96 100644
--- a/refs/files-backend.c
+++ b/refs/files-backend.c
@@ -1806,7 +1806,7 @@ static int commit_ref(struct ref_lock *lock)
size_t len = strlen(path);
struct strbuf sb_path = STRBUF_INIT;
- strbuf_attach(&sb_path, path, len, len);
+ strbuf_attach(&sb_path, path, len, len + 1);
/*
* If this fails, commit_lock_file() will also fail
diff --git a/trailer.c b/trailer.c
index 911a81ed99..3afe368db0 100644
--- a/trailer.c
+++ b/trailer.c
@@ -1009,7 +1009,7 @@ static struct trailer_block *trailer_block_get(const struct process_trailer_opti
for (ptr = trailer_lines; *ptr; ptr++) {
if (last && isspace((*ptr)->buf[0])) {
struct strbuf sb = STRBUF_INIT;
- strbuf_attach(&sb, *last, strlen(*last), strlen(*last));
+ strbuf_attach(&sb, *last, strlen(*last), strlen(*last) + 1);
strbuf_addbuf(&sb, *ptr);
*last = strbuf_detach(&sb, NULL);
continue;
--
gitgitgadget
^ permalink raw reply related [flat|nested] 49+ messages in thread
* [PATCH v5 3/4] remote-curl: introduce show_http_message_fatal() helper
2026-02-23 14:20 ` [PATCH v5 0/4] " Vaidas Pilkauskas via GitGitGadget
2026-02-23 14:20 ` [PATCH v5 1/4] strbuf: pass correct alloc to strbuf_attach() in strbuf_reencode() Vaidas Pilkauskas via GitGitGadget
2026-02-23 14:20 ` [PATCH v5 2/4] strbuf_attach: fix call sites to pass correct alloc Vaidas Pilkauskas via GitGitGadget
@ 2026-02-23 14:20 ` Vaidas Pilkauskas via GitGitGadget
2026-03-10 17:44 ` Jeff King
2026-02-23 14:20 ` [PATCH v5 4/4] http: add support for HTTP 429 rate limit retries Vaidas Pilkauskas via GitGitGadget
` (2 subsequent siblings)
5 siblings, 1 reply; 49+ messages in thread
From: Vaidas Pilkauskas via GitGitGadget @ 2026-02-23 14:20 UTC (permalink / raw)
To: git
Cc: Taylor Blau, Jeff King, Junio C Hamano, Vaidas Pilkauskas,
Vaidas Pilkauskas
From: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
Several code paths in remote-curl.c follow the same pattern of calling
show_http_message() to display server error messages followed by die()
to terminate with an error. This duplication makes the code more verbose
and harder to maintain.
Introduce a new show_http_message_fatal() helper function that combines
these two operations. This function:
1. Displays any HTTP error message from the server via show_http_message()
2. Calls die() with the provided error message
3. Returns NORETURN to help the compiler with control flow analysis
Refactor existing call sites in remote-curl.c to use this new helper,
reducing code duplication and improving readability. This pattern will
also be used by upcoming HTTP 429 rate limiting support.
Suggested-by: Taylor Blau <me@ttaylorr.com>
Signed-off-by: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
---
remote-curl.c | 45 ++++++++++++++++++++++++++++-----------------
1 file changed, 28 insertions(+), 17 deletions(-)
diff --git a/remote-curl.c b/remote-curl.c
index 92e40bb682..21c96f2ca9 100644
--- a/remote-curl.c
+++ b/remote-curl.c
@@ -367,23 +367,25 @@ static void free_discovery(struct discovery *d)
}
}
-static int show_http_message(struct strbuf *type, struct strbuf *charset,
- struct strbuf *msg)
+static NORETURN void show_http_message_fatal(struct strbuf *type, struct strbuf *charset,
+ struct strbuf *msg, const char *fmt, ...)
{
const char *p, *eol;
+ va_list ap;
+ report_fn die_message_routine = get_die_message_routine();
/*
* We only show text/plain parts, as other types are likely
* to be ugly to look at on the user's terminal.
*/
if (strcmp(type->buf, "text/plain"))
- return -1;
+ goto out;
if (charset->len)
strbuf_reencode(msg, charset->buf, get_log_output_encoding());
strbuf_trim(msg);
if (!msg->len)
- return -1;
+ goto out;
p = msg->buf;
do {
@@ -391,7 +393,16 @@ static int show_http_message(struct strbuf *type, struct strbuf *charset,
fprintf(stderr, "remote: %.*s\n", (int)(eol - p), p);
p = eol + 1;
} while(*eol);
- return 0;
+
+out:
+ strbuf_release(type);
+ strbuf_release(charset);
+ strbuf_release(msg);
+
+ va_start(ap, fmt);
+ die_message_routine(fmt, ap);
+ va_end(ap);
+ exit(128);
}
static int get_protocol_http_header(enum protocol_version version,
@@ -518,21 +529,21 @@ static struct discovery *discover_refs(const char *service, int for_push)
case HTTP_OK:
break;
case HTTP_MISSING_TARGET:
- show_http_message(&type, &charset, &buffer);
- die(_("repository '%s' not found"),
- transport_anonymize_url(url.buf));
+ show_http_message_fatal(&type, &charset, &buffer,
+ _("repository '%s' not found"),
+ transport_anonymize_url(url.buf));
case HTTP_NOAUTH:
- show_http_message(&type, &charset, &buffer);
- die(_("Authentication failed for '%s'"),
- transport_anonymize_url(url.buf));
+ show_http_message_fatal(&type, &charset, &buffer,
+ _("Authentication failed for '%s'"),
+ transport_anonymize_url(url.buf));
case HTTP_NOMATCHPUBLICKEY:
- show_http_message(&type, &charset, &buffer);
- die(_("unable to access '%s' with http.pinnedPubkey configuration: %s"),
- transport_anonymize_url(url.buf), curl_errorstr);
+ show_http_message_fatal(&type, &charset, &buffer,
+ _("unable to access '%s' with http.pinnedPubkey configuration: %s"),
+ transport_anonymize_url(url.buf), curl_errorstr);
default:
- show_http_message(&type, &charset, &buffer);
- die(_("unable to access '%s': %s"),
- transport_anonymize_url(url.buf), curl_errorstr);
+ show_http_message_fatal(&type, &charset, &buffer,
+ _("unable to access '%s': %s"),
+ transport_anonymize_url(url.buf), curl_errorstr);
}
if (options.verbosity && !starts_with(refs_url.buf, url.buf)) {
--
gitgitgadget
^ permalink raw reply related [flat|nested] 49+ messages in thread
* [PATCH v5 4/4] http: add support for HTTP 429 rate limit retries
2026-02-23 14:20 ` [PATCH v5 0/4] " Vaidas Pilkauskas via GitGitGadget
` (2 preceding siblings ...)
2026-02-23 14:20 ` [PATCH v5 3/4] remote-curl: introduce show_http_message_fatal() helper Vaidas Pilkauskas via GitGitGadget
@ 2026-02-23 14:20 ` Vaidas Pilkauskas via GitGitGadget
2026-03-10 19:07 ` Jeff King
2026-02-24 0:07 ` [PATCH v5 0/4] " Junio C Hamano
2026-03-17 13:00 ` [PATCH v6 0/3] " Vaidas Pilkauskas via GitGitGadget
5 siblings, 1 reply; 49+ messages in thread
From: Vaidas Pilkauskas via GitGitGadget @ 2026-02-23 14:20 UTC (permalink / raw)
To: git
Cc: Taylor Blau, Jeff King, Junio C Hamano, Vaidas Pilkauskas,
Vaidas Pilkauskas
From: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
Add retry logic for HTTP 429 (Too Many Requests) responses to handle
server-side rate limiting gracefully. When Git's HTTP client receives
a 429 response, it can now automatically retry the request after an
appropriate delay, respecting the server's rate limits.
The implementation supports the RFC-compliant Retry-After header in
both delay-seconds (integer) and HTTP-date (RFC 2822) formats. If a
past date is provided, Git retries immediately without waiting.
Retry behavior is controlled by three new configuration options
(http.maxRetries, http.retryAfter, and http.maxRetryTime) which are
documented in git-config(1).
The retry logic implements a fail-fast approach: if any delay
(whether from server header or configuration) exceeds maxRetryTime,
Git fails immediately with a clear error message rather than capping
the delay. This provides better visibility into rate limiting issues.
The implementation includes extensive test coverage for basic retry
behavior, Retry-After header formats (integer and HTTP-date),
configuration combinations, maxRetryTime limits, invalid header
handling, environment variable overrides, and edge cases.
Signed-off-by: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
---
Documentation/config/http.adoc | 23 +++
git-curl-compat.h | 8 +
http.c | 190 +++++++++++++++++++++--
http.h | 2 +
remote-curl.c | 4 +
t/lib-httpd.sh | 1 +
t/lib-httpd/apache.conf | 8 +
t/lib-httpd/http-429.sh | 98 ++++++++++++
t/meson.build | 1 +
t/t5584-http-429-retry.sh | 266 +++++++++++++++++++++++++++++++++
10 files changed, 589 insertions(+), 12 deletions(-)
create mode 100644 t/lib-httpd/http-429.sh
create mode 100755 t/t5584-http-429-retry.sh
diff --git a/Documentation/config/http.adoc b/Documentation/config/http.adoc
index 9da5c298cc..7d9a90dcba 100644
--- a/Documentation/config/http.adoc
+++ b/Documentation/config/http.adoc
@@ -315,6 +315,29 @@ http.keepAliveCount::
unset, curl's default value is used. Can be overridden by the
`GIT_HTTP_KEEPALIVE_COUNT` environment variable.
+http.retryAfter::
+ Default wait time in seconds before retrying when a server returns
+ HTTP 429 (Too Many Requests) without a Retry-After header.
+ Defaults to 0 (retry immediately). When a Retry-After header is
+ present, its value takes precedence over this setting. Can be
+ overridden by the `GIT_HTTP_RETRY_AFTER` environment variable.
+ See also `http.maxRetries` and `http.maxRetryTime`.
+
+http.maxRetries::
+ Maximum number of times to retry after receiving HTTP 429 (Too Many
+ Requests) responses. Set to 0 (the default) to disable retries.
+ Can be overridden by the `GIT_HTTP_MAX_RETRIES` environment variable.
+ See also `http.retryAfter` and `http.maxRetryTime`.
+
+http.maxRetryTime::
+ Maximum time in seconds to wait for a single retry attempt when
+ handling HTTP 429 (Too Many Requests) responses. If the server
+ requests a delay (via Retry-After header) or if `http.retryAfter`
+ is configured with a value that exceeds this maximum, Git will fail
+ immediately rather than waiting. Default is 300 seconds (5 minutes).
+ Can be overridden by the `GIT_HTTP_MAX_RETRY_TIME` environment
+ variable. See also `http.retryAfter` and `http.maxRetries`.
+
http.noEPSV::
A boolean which disables using of EPSV ftp command by curl.
This can be helpful with some "poor" ftp servers which don't
diff --git a/git-curl-compat.h b/git-curl-compat.h
index 659e5a3875..dccdd4d6e5 100644
--- a/git-curl-compat.h
+++ b/git-curl-compat.h
@@ -37,6 +37,14 @@
#define GIT_CURL_NEED_TRANSFER_ENCODING_HEADER
#endif
+/**
+ * CURLINFO_RETRY_AFTER was added in 7.66.0, released in September 2019.
+ * It allows curl to automatically parse Retry-After headers.
+ */
+#if LIBCURL_VERSION_NUM >= 0x074200
+#define GIT_CURL_HAVE_CURLINFO_RETRY_AFTER 1
+#endif
+
/**
* CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR were added in 7.85.0,
* released in August 2022.
diff --git a/http.c b/http.c
index 7815f144de..11ea9f38f7 100644
--- a/http.c
+++ b/http.c
@@ -22,6 +22,8 @@
#include "object-file.h"
#include "odb.h"
#include "tempfile.h"
+#include "date.h"
+#include "trace2.h"
static struct trace_key trace_curl = TRACE_KEY_INIT(CURL);
static int trace_curl_data = 1;
@@ -149,6 +151,11 @@ static char *cached_accept_language;
static char *http_ssl_backend;
static int http_schannel_check_revoke = 1;
+
+static long http_retry_after = 0;
+static long http_max_retries = 0;
+static long http_max_retry_time = 300;
+
/*
* With the backend being set to `schannel`, setting sslCAinfo would override
* the Certificate Store in cURL v7.60.0 and later, which is not what we want
@@ -209,7 +216,7 @@ static inline int is_hdr_continuation(const char *ptr, const size_t size)
return size && (*ptr == ' ' || *ptr == '\t');
}
-static size_t fwrite_wwwauth(char *ptr, size_t eltsize, size_t nmemb, void *p UNUSED)
+static size_t fwrite_headers(char *ptr, size_t eltsize, size_t nmemb, void *p MAYBE_UNUSED)
{
size_t size = eltsize * nmemb;
struct strvec *values = &http_auth.wwwauth_headers;
@@ -257,6 +264,50 @@ static size_t fwrite_wwwauth(char *ptr, size_t eltsize, size_t nmemb, void *p UN
goto exit;
}
+#ifndef GIT_CURL_HAVE_CURLINFO_RETRY_AFTER
+ /* Parse Retry-After header for rate limiting (for curl < 7.66.0) */
+ if (skip_iprefix_mem(ptr, size, "retry-after:", &val, &val_len)) {
+ struct active_request_slot *slot = (struct active_request_slot *)p;
+
+ strbuf_add(&buf, val, val_len);
+ strbuf_trim(&buf);
+
+ if (slot && slot->results) {
+ /* Parse the retry-after value (delay-seconds or HTTP-date) */
+ char *endptr;
+ long retry_after;
+
+ errno = 0;
+ retry_after = strtol(buf.buf, &endptr, 10);
+
+ /* Check if it's a valid integer (delay-seconds format) */
+ if (endptr != buf.buf && *endptr == '\0' &&
+ errno != ERANGE && retry_after >= 0) {
+ slot->results->retry_after = retry_after;
+ } else {
+ /* Try parsing as HTTP-date format */
+ timestamp_t timestamp;
+ int offset;
+ if (!parse_date_basic(buf.buf, ×tamp, &offset)) {
+ /* Successfully parsed as date, calculate delay from now */
+ timestamp_t now = time(NULL);
+ if (timestamp > now) {
+ slot->results->retry_after = (long)(timestamp - now);
+ } else {
+ /* Past date means retry immediately */
+ slot->results->retry_after = 0;
+ }
+ } else {
+ /* Failed to parse as either delay-seconds or HTTP-date */
+ warning(_("unable to parse Retry-After header value: '%s'"), buf.buf);
+ }
+ }
+ }
+
+ goto exit;
+ }
+#endif
+
/*
* This line could be a continuation of the previously matched header
* field. If this is the case then we should append this value to the
@@ -342,6 +393,17 @@ static void finish_active_slot(struct active_request_slot *slot)
curl_easy_getinfo(slot->curl, CURLINFO_HTTP_CONNECTCODE,
&slot->results->http_connectcode);
+
+#ifdef GIT_CURL_HAVE_CURLINFO_RETRY_AFTER
+ if (slot->results->http_code == 429) {
+ curl_off_t retry_after;
+ CURLcode res = curl_easy_getinfo(slot->curl,
+ CURLINFO_RETRY_AFTER,
+ &retry_after);
+ if (res == CURLE_OK && retry_after > 0)
+ slot->results->retry_after = (long)retry_after;
+ }
+#endif
}
/* Run callback if appropriate */
@@ -575,6 +637,21 @@ static int http_options(const char *var, const char *value,
return 0;
}
+ if (!strcmp("http.retryafter", var)) {
+ http_retry_after = git_config_int(var, value, ctx->kvi);
+ return 0;
+ }
+
+ if (!strcmp("http.maxretries", var)) {
+ http_max_retries = git_config_int(var, value, ctx->kvi);
+ return 0;
+ }
+
+ if (!strcmp("http.maxretrytime", var)) {
+ http_max_retry_time = git_config_int(var, value, ctx->kvi);
+ return 0;
+ }
+
/* Fall back on the default ones */
return git_default_config(var, value, ctx, data);
}
@@ -1422,6 +1499,10 @@ void http_init(struct remote *remote, const char *url, int proactive_auth)
set_long_from_env(&curl_tcp_keepintvl, "GIT_TCP_KEEPINTVL");
set_long_from_env(&curl_tcp_keepcnt, "GIT_TCP_KEEPCNT");
+ set_long_from_env(&http_retry_after, "GIT_HTTP_RETRY_AFTER");
+ set_long_from_env(&http_max_retries, "GIT_HTTP_MAX_RETRIES");
+ set_long_from_env(&http_max_retry_time, "GIT_HTTP_MAX_RETRY_TIME");
+
curl_default = get_curl_handle();
}
@@ -1871,6 +1952,10 @@ static int handle_curl_result(struct slot_results *results)
}
return HTTP_REAUTH;
}
+ } else if (results->http_code == 429) {
+ trace2_data_intmax("http", the_repository, "http/429-retry-after",
+ results->retry_after);
+ return HTTP_RATE_LIMITED;
} else {
if (results->http_connectcode == 407)
credential_reject(the_repository, &proxy_auth);
@@ -1886,6 +1971,9 @@ int run_one_slot(struct active_request_slot *slot,
struct slot_results *results)
{
slot->results = results;
+ /* Initialize retry_after to -1 (not set) */
+ results->retry_after = -1;
+
if (!start_active_slot(slot)) {
xsnprintf(curl_errorstr, sizeof(curl_errorstr),
"failed to start HTTP request");
@@ -2119,7 +2207,8 @@ static void http_opt_request_remainder(CURL *curl, off_t pos)
static int http_request(const char *url,
void *result, int target,
- const struct http_get_options *options)
+ const struct http_get_options *options,
+ long *retry_after_out)
{
struct active_request_slot *slot;
struct slot_results results;
@@ -2148,7 +2237,8 @@ static int http_request(const char *url,
fwrite_buffer);
}
- curl_easy_setopt(slot->curl, CURLOPT_HEADERFUNCTION, fwrite_wwwauth);
+ curl_easy_setopt(slot->curl, CURLOPT_HEADERFUNCTION, fwrite_headers);
+ curl_easy_setopt(slot->curl, CURLOPT_HEADERDATA, slot);
accept_language = http_get_accept_language_header();
@@ -2183,6 +2273,10 @@ static int http_request(const char *url,
ret = run_one_slot(slot, &results);
+ /* Store retry_after from slot results if output parameter provided */
+ if (retry_after_out)
+ *retry_after_out = results.retry_after;
+
if (options && options->content_type) {
struct strbuf raw = STRBUF_INIT;
curlinfo_strbuf(slot->curl, CURLINFO_CONTENT_TYPE, &raw);
@@ -2253,21 +2347,79 @@ static int update_url_from_redirect(struct strbuf *base,
return 1;
}
-static int http_request_reauth(const char *url,
+/*
+ * Handle rate limiting retry logic for HTTP 429 responses.
+ * Returns a negative value if retries are exhausted or configuration is invalid,
+ * otherwise returns the delay value (>= 0) to indicate the retry should proceed.
+ */
+static long handle_rate_limit_retry(int *rate_limit_retries, long slot_retry_after)
+{
+ int retry_attempt = http_max_retries - *rate_limit_retries + 1;
+
+ trace2_data_intmax("http", the_repository, "http/429-retry-attempt",
+ retry_attempt);
+
+ if (*rate_limit_retries <= 0) {
+ /* Retries are disabled or exhausted */
+ if (http_max_retries > 0) {
+ error(_("too many rate limit retries, giving up"));
+ trace2_data_string("http", the_repository,
+ "http/429-error", "retries-exhausted");
+ }
+ return -1;
+ }
+
+ (*rate_limit_retries)--;
+
+ /* Use the slot-specific retry_after value or configured default */
+ if (slot_retry_after >= 0) {
+ /* Check if retry delay exceeds maximum allowed */
+ if (slot_retry_after > http_max_retry_time) {
+ error(_("response requested a delay greater than http.maxRetryTime (%ld > %ld seconds)"),
+ slot_retry_after, http_max_retry_time);
+ trace2_data_string("http", the_repository,
+ "http/429-error", "exceeds-max-retry-time");
+ trace2_data_intmax("http", the_repository,
+ "http/429-requested-delay", slot_retry_after);
+ return -1;
+ }
+ return slot_retry_after;
+ } else {
+ /* No Retry-After header provided, use configured default */
+ if (http_retry_after > http_max_retry_time) {
+ error(_("configured http.retryAfter exceeds http.maxRetryTime (%ld > %ld seconds)"),
+ http_retry_after, http_max_retry_time);
+ trace2_data_string("http", the_repository,
+ "http/429-error", "config-exceeds-max-retry-time");
+ return -1;
+ }
+ trace2_data_string("http", the_repository,
+ "http/429-retry-source", "config-default");
+ return http_retry_after;
+ }
+}
+
+static int http_request_recoverable(const char *url,
void *result, int target,
struct http_get_options *options)
{
int i = 3;
int ret;
+ int rate_limit_retries = http_max_retries;
+ long slot_retry_after = -1; /* Per-slot retry_after value */
if (always_auth_proactively())
credential_fill(the_repository, &http_auth, 1);
- ret = http_request(url, result, target, options);
+ ret = http_request(url, result, target, options, &slot_retry_after);
- if (ret != HTTP_OK && ret != HTTP_REAUTH)
+ if (ret != HTTP_OK && ret != HTTP_REAUTH && ret != HTTP_RATE_LIMITED)
return ret;
+ /* If retries are disabled and we got a 429, fail immediately */
+ if (ret == HTTP_RATE_LIMITED && !http_max_retries)
+ return HTTP_ERROR;
+
if (options && options->effective_url && options->base_url) {
if (update_url_from_redirect(options->base_url,
url, options->effective_url)) {
@@ -2276,7 +2428,8 @@ static int http_request_reauth(const char *url,
}
}
- while (ret == HTTP_REAUTH && --i) {
+ while ((ret == HTTP_REAUTH || ret == HTTP_RATE_LIMITED) && --i) {
+ long retry_delay = -1;
/*
* The previous request may have put cruft into our output stream; we
* should clear it out before making our next request.
@@ -2301,10 +2454,23 @@ static int http_request_reauth(const char *url,
default:
BUG("Unknown http_request target");
}
+ if (ret == HTTP_RATE_LIMITED) {
+ retry_delay = handle_rate_limit_retry(&rate_limit_retries, slot_retry_after);
+ if (retry_delay < 0)
+ return HTTP_ERROR;
+
+ if (retry_delay > 0) {
+ warning(_("rate limited, waiting %ld seconds before retry"), retry_delay);
+ trace2_data_intmax("http", the_repository,
+ "http/retry-sleep-seconds", retry_delay);
+ sleep(retry_delay);
+ }
+ slot_retry_after = -1; /* Reset after use */
+ } else if (ret == HTTP_REAUTH) {
+ credential_fill(the_repository, &http_auth, 1);
+ }
- credential_fill(the_repository, &http_auth, 1);
-
- ret = http_request(url, result, target, options);
+ ret = http_request(url, result, target, options, &slot_retry_after);
}
return ret;
}
@@ -2313,7 +2479,7 @@ int http_get_strbuf(const char *url,
struct strbuf *result,
struct http_get_options *options)
{
- return http_request_reauth(url, result, HTTP_REQUEST_STRBUF, options);
+ return http_request_recoverable(url, result, HTTP_REQUEST_STRBUF, options);
}
/*
@@ -2337,7 +2503,7 @@ int http_get_file(const char *url, const char *filename,
goto cleanup;
}
- ret = http_request_reauth(url, result, HTTP_REQUEST_FILE, options);
+ ret = http_request_recoverable(url, result, HTTP_REQUEST_FILE, options);
fclose(result);
if (ret == HTTP_OK && finalize_object_file(the_repository, tmpfile.buf, filename))
diff --git a/http.h b/http.h
index f9d4593404..eb40456450 100644
--- a/http.h
+++ b/http.h
@@ -20,6 +20,7 @@ struct slot_results {
long http_code;
long auth_avail;
long http_connectcode;
+ long retry_after;
};
struct active_request_slot {
@@ -167,6 +168,7 @@ struct http_get_options {
#define HTTP_REAUTH 4
#define HTTP_NOAUTH 5
#define HTTP_NOMATCHPUBLICKEY 6
+#define HTTP_RATE_LIMITED 7
/*
* Requests a URL and stores the result in a strbuf.
diff --git a/remote-curl.c b/remote-curl.c
index 21c96f2ca9..b80d2adb95 100644
--- a/remote-curl.c
+++ b/remote-curl.c
@@ -540,6 +540,10 @@ static struct discovery *discover_refs(const char *service, int for_push)
show_http_message_fatal(&type, &charset, &buffer,
_("unable to access '%s' with http.pinnedPubkey configuration: %s"),
transport_anonymize_url(url.buf), curl_errorstr);
+ case HTTP_RATE_LIMITED:
+ show_http_message_fatal(&type, &charset, &buffer,
+ _("rate limited by '%s', please try again later"),
+ transport_anonymize_url(url.buf));
default:
show_http_message_fatal(&type, &charset, &buffer,
_("unable to access '%s': %s"),
diff --git a/t/lib-httpd.sh b/t/lib-httpd.sh
index 5091db949b..8a43261ffc 100644
--- a/t/lib-httpd.sh
+++ b/t/lib-httpd.sh
@@ -167,6 +167,7 @@ prepare_httpd() {
install_script error.sh
install_script apply-one-time-script.sh
install_script nph-custom-auth.sh
+ install_script http-429.sh
ln -s "$LIB_HTTPD_MODULE_PATH" "$HTTPD_ROOT_PATH/modules"
diff --git a/t/lib-httpd/apache.conf b/t/lib-httpd/apache.conf
index e631ab0eb5..6bdef603cd 100644
--- a/t/lib-httpd/apache.conf
+++ b/t/lib-httpd/apache.conf
@@ -139,6 +139,10 @@ SetEnv PERL_PATH ${PERL_PATH}
SetEnv GIT_EXEC_PATH ${GIT_EXEC_PATH}
SetEnv GIT_HTTP_EXPORT_ALL
</LocationMatch>
+<LocationMatch /http_429/>
+ SetEnv GIT_EXEC_PATH ${GIT_EXEC_PATH}
+ SetEnv GIT_HTTP_EXPORT_ALL
+</LocationMatch>
<LocationMatch /smart_v0/>
SetEnv GIT_EXEC_PATH ${GIT_EXEC_PATH}
SetEnv GIT_HTTP_EXPORT_ALL
@@ -160,6 +164,7 @@ ScriptAlias /broken_smart/ broken-smart-http.sh/
ScriptAlias /error_smart/ error-smart-http.sh/
ScriptAlias /error/ error.sh/
ScriptAliasMatch /one_time_script/(.*) apply-one-time-script.sh/$1
+ScriptAliasMatch /http_429/(.*) http-429.sh/$1
ScriptAliasMatch /custom_auth/(.*) nph-custom-auth.sh/$1
<Directory ${GIT_EXEC_PATH}>
Options FollowSymlinks
@@ -185,6 +190,9 @@ ScriptAliasMatch /custom_auth/(.*) nph-custom-auth.sh/$1
<Files apply-one-time-script.sh>
Options ExecCGI
</Files>
+<Files http-429.sh>
+ Options ExecCGI
+</Files>
<Files ${GIT_EXEC_PATH}/git-http-backend>
Options ExecCGI
</Files>
diff --git a/t/lib-httpd/http-429.sh b/t/lib-httpd/http-429.sh
new file mode 100644
index 0000000000..c97b16145b
--- /dev/null
+++ b/t/lib-httpd/http-429.sh
@@ -0,0 +1,98 @@
+#!/bin/sh
+
+# Script to return HTTP 429 Too Many Requests responses for testing retry logic.
+# Usage: /http_429/<test-context>/<retry-after-value>/<repo-path>
+#
+# The test-context is a unique identifier for each test to isolate state files.
+# The retry-after-value can be:
+# - A number (e.g., "1", "2", "100") - sets Retry-After header to that many seconds
+# - "none" - no Retry-After header
+# - "invalid" - invalid Retry-After format
+# - "permanent" - always return 429 (never succeed)
+# - An HTTP-date string (RFC 2822 format) - sets Retry-After to that date
+#
+# On first call, returns 429. On subsequent calls (after retry), forwards to git-http-backend
+# unless retry-after-value is "permanent".
+
+# Extract test context, retry-after value and repo path from PATH_INFO
+# PATH_INFO format: /<test-context>/<retry-after-value>/<repo-path>
+path_info="${PATH_INFO#/}" # Remove leading slash
+test_context="${path_info%%/*}" # Get first component (test context)
+remaining="${path_info#*/}" # Get rest
+retry_after="${remaining%%/*}" # Get second component (retry-after value)
+repo_path="${remaining#*/}" # Get rest (repo path)
+
+# Extract repository name from repo_path (e.g., "repo.git" from "repo.git/info/refs")
+# The repo name is the first component before any "/"
+repo_name="${repo_path%%/*}"
+
+# Use current directory (HTTPD_ROOT_PATH) for state file
+# Create a safe filename from test_context, retry_after and repo_name
+# This ensures all requests for the same test context share the same state file
+safe_name=$(echo "${test_context}-${retry_after}-${repo_name}" | tr '/' '_' | tr -cd 'a-zA-Z0-9_-')
+state_file="http-429-state-${safe_name}"
+
+# Check if this is the first call (no state file exists)
+if test -f "$state_file"
+then
+ # Already returned 429 once, forward to git-http-backend
+ # Set PATH_INFO to just the repo path (without retry-after value)
+ # Set GIT_PROJECT_ROOT so git-http-backend can find the repository
+ # Use exec to replace this process so git-http-backend gets the updated environment
+ PATH_INFO="/$repo_path"
+ export PATH_INFO
+ # GIT_PROJECT_ROOT points to the document root where repositories are stored
+ # The script runs from HTTPD_ROOT_PATH, and www/ is the document root
+ if test -z "$GIT_PROJECT_ROOT"
+ then
+ # Construct path: current directory (HTTPD_ROOT_PATH) + /www
+ GIT_PROJECT_ROOT="$(pwd)/www"
+ export GIT_PROJECT_ROOT
+ fi
+ exec "$GIT_EXEC_PATH/git-http-backend"
+fi
+
+# Mark that we've returned 429
+touch "$state_file"
+
+# Output HTTP 429 response
+printf "Status: 429 Too Many Requests\r\n"
+
+# Set Retry-After header based on retry_after value
+case "$retry_after" in
+ none)
+ # No Retry-After header
+ ;;
+ invalid)
+ printf "Retry-After: invalid-format-123abc\r\n"
+ ;;
+ permanent)
+ # Always return 429, don't set state file for success
+ rm -f "$state_file"
+ printf "Retry-After: 1\r\n"
+ printf "Content-Type: text/plain\r\n"
+ printf "\r\n"
+ printf "Permanently rate limited\n"
+ exit 0
+ ;;
+ *)
+ # Check if it's a number
+ case "$retry_after" in
+ [0-9]*)
+ # Numeric value
+ printf "Retry-After: %s\r\n" "$retry_after"
+ ;;
+ *)
+ # Assume it's an HTTP-date format (passed as-is, URL decoded)
+ # Apache may URL-encode the path, so decode common URL-encoded characters
+ # %20 = space, %2C = comma, %3A = colon
+ retry_value=$(echo "$retry_after" | sed -e 's/%20/ /g' -e 's/%2C/,/g' -e 's/%3A/:/g')
+ printf "Retry-After: %s\r\n" "$retry_value"
+ ;;
+ esac
+ ;;
+esac
+
+printf "Content-Type: text/plain\r\n"
+printf "\r\n"
+printf "Rate limited\n"
diff --git a/t/meson.build b/t/meson.build
index f80e366cff..44f72e0f07 100644
--- a/t/meson.build
+++ b/t/meson.build
@@ -704,6 +704,7 @@ integration_tests = [
't5581-http-curl-verbose.sh',
't5582-fetch-negative-refspec.sh',
't5583-push-branches.sh',
+ 't5584-http-429-retry.sh',
't5600-clone-fail-cleanup.sh',
't5601-clone.sh',
't5602-clone-remote-exec.sh',
diff --git a/t/t5584-http-429-retry.sh b/t/t5584-http-429-retry.sh
new file mode 100755
index 0000000000..f3a9439f51
--- /dev/null
+++ b/t/t5584-http-429-retry.sh
@@ -0,0 +1,266 @@
+#!/bin/sh
+
+test_description='test HTTP 429 Too Many Requests retry logic'
+
+. ./test-lib.sh
+
+. "$TEST_DIRECTORY"/lib-httpd.sh
+
+start_httpd
+
+test_expect_success 'setup test repository' '
+ test_commit initial &&
+ git clone --bare . "$HTTPD_DOCUMENT_ROOT_PATH/repo.git" &&
+ git --git-dir="$HTTPD_DOCUMENT_ROOT_PATH/repo.git" config http.receivepack true
+'
+
+# This test suite uses a special HTTP 429 endpoint at /http_429/ that simulates
+# rate limiting. The endpoint format is:
+# /http_429/<test-context>/<retry-after-value>/<repo-path>
+# The http-429.sh script (in t/lib-httpd) returns a 429 response with the
+# specified Retry-After header on the first request for each test context,
+# then forwards subsequent requests to git-http-backend. Each test context
+# is isolated, allowing multiple tests to run independently.
+
+test_expect_success 'HTTP 429 with retries disabled (maxRetries=0) fails immediately' '
+ # Set maxRetries to 0 (disabled)
+ test_config http.maxRetries 0 &&
+ test_config http.retryAfter 1 &&
+
+ # Should fail immediately without any retry attempt
+ test_must_fail git ls-remote "$HTTPD_URL/http_429/retries-disabled/1/repo.git" 2>err &&
+
+ # Verify no retry happened (no "waiting" message in stderr)
+ test_grep ! -i "waiting.*retry" err
+'
+
+test_expect_success 'HTTP 429 permanent should fail after max retries' '
+ # Enable retries with a limit
+ test_config http.maxRetries 2 &&
+
+ # Git should retry but eventually fail when 429 persists
+ test_must_fail git ls-remote "$HTTPD_URL/http_429/permanent-fail/permanent/repo.git" 2>err
+'
+
+test_expect_success 'HTTP 429 with Retry-After is retried and succeeds' '
+ # Enable retries
+ test_config http.maxRetries 3 &&
+
+ # Git should retry after receiving 429 and eventually succeed
+ git ls-remote "$HTTPD_URL/http_429/retry-succeeds/1/repo.git" >output 2>err &&
+ test_grep "refs/heads/" output
+'
+
+test_expect_success 'HTTP 429 without Retry-After uses configured default' '
+ # Enable retries and configure default delay
+ test_config http.maxRetries 3 &&
+ test_config http.retryAfter 1 &&
+
+ # Git should retry using configured default and succeed
+ git ls-remote "$HTTPD_URL/http_429/no-retry-after-header/none/repo.git" >output 2>err &&
+ test_grep "refs/heads/" output
+'
+
+test_expect_success 'HTTP 429 retry delays are respected' '
+ # Enable retries
+ test_config http.maxRetries 3 &&
+
+ # Time the operation - it should take at least 2 seconds due to retry delay
+ start=$(test-tool date getnanos) &&
+ git ls-remote "$HTTPD_URL/http_429/retry-delays-respected/2/repo.git" >output 2>err &&
+ duration=$(test-tool date getnanos $start) &&
+
+ # Verify it took at least 2 seconds (allowing some tolerance)
+ duration_int=${duration%.*} &&
+ test "$duration_int" -ge 1 &&
+ test_grep "refs/heads/" output
+'
+
+test_expect_success 'HTTP 429 fails immediately if Retry-After exceeds http.maxRetryTime' '
+ # Configure max retry time to 3 seconds (much less than requested 100)
+ test_config http.maxRetries 3 &&
+ test_config http.maxRetryTime 3 &&
+
+ # Should fail immediately without waiting
+ start=$(test-tool date getnanos) &&
+ test_must_fail git ls-remote "$HTTPD_URL/http_429/retry-after-exceeds-max-time/100/repo.git" 2>err &&
+ duration=$(test-tool date getnanos $start) &&
+
+ # Should fail quickly (less than 2 seconds, no 100 second wait)
+ duration_int=${duration%.*} &&
+ test "$duration_int" -lt 2 &&
+ test_grep "greater than http.maxRetryTime" err
+'
+
+test_expect_success 'HTTP 429 fails if configured http.retryAfter exceeds http.maxRetryTime' '
+ # Test misconfiguration: retryAfter > maxRetryTime
+ # Configure retryAfter larger than maxRetryTime
+ test_config http.maxRetries 3 &&
+ test_config http.retryAfter 100 &&
+ test_config http.maxRetryTime 5 &&
+
+ # Should fail immediately with configuration error
+ start=$(test-tool date getnanos) &&
+ test_must_fail git ls-remote "$HTTPD_URL/http_429/config-retry-after-exceeds-max-time/none/repo.git" 2>err &&
+ duration=$(test-tool date getnanos $start) &&
+
+ # Should fail quickly
+ duration_int=${duration%.*} &&
+ test "$duration_int" -lt 2 &&
+ test_grep "configured http.retryAfter.*exceeds.*http.maxRetryTime" err
+'
+
+test_expect_success 'HTTP 429 with Retry-After HTTP-date format' '
+ # Test HTTP-date format (RFC 2822) in Retry-After header
+ raw=$(test-tool date timestamp now) &&
+ now="${raw#* -> }" &&
+ future_time=$((now + 2)) &&
+ raw=$(test-tool date show:rfc2822 $future_time) &&
+ future_date="${raw#* -> }" &&
+ future_date_encoded=$(echo "$future_date" | sed "s/ /%20/g") &&
+
+ # Enable retries
+ test_config http.maxRetries 3 &&
+
+ # Git should parse the HTTP-date and retry after the delay
+ start=$(test-tool date getnanos) &&
+ git ls-remote "$HTTPD_URL/http_429/http-date-format/$future_date_encoded/repo.git" >output 2>err &&
+ duration=$(test-tool date getnanos $start) &&
+
+ # Should take at least 1 second (allowing tolerance for processing time)
+ duration_int=${duration%.*} &&
+ test "$duration_int" -ge 1 &&
+ test_grep "refs/heads/" output
+'
+
+test_expect_success 'HTTP 429 with HTTP-date exceeding maxRetryTime fails immediately' '
+ raw=$(test-tool date timestamp now) &&
+ now="${raw#* -> }" &&
+ future_time=$((now + 200)) &&
+ raw=$(test-tool date show:rfc2822 $future_time) &&
+ future_date="${raw#* -> }" &&
+ future_date_encoded=$(echo "$future_date" | sed "s/ /%20/g") &&
+
+ # Configure max retry time much less than the 200 second delay
+ test_config http.maxRetries 3 &&
+ test_config http.maxRetryTime 10 &&
+
+ # Should fail immediately without waiting 200 seconds
+ start=$(test-tool date getnanos) &&
+ test_must_fail git ls-remote "$HTTPD_URL/http_429/http-date-exceeds-max-time/$future_date_encoded/repo.git" 2>err &&
+ duration=$(test-tool date getnanos $start) &&
+
+ # Should fail quickly (not wait 200 seconds)
+ duration_int=${duration%.*} &&
+ test "$duration_int" -lt 2 &&
+ test_grep "http.maxRetryTime" err
+'
+
+test_expect_success 'HTTP 429 with past HTTP-date should not wait' '
+ raw=$(test-tool date timestamp now) &&
+ now="${raw#* -> }" &&
+ past_time=$((now - 10)) &&
+ raw=$(test-tool date show:rfc2822 $past_time) &&
+ past_date="${raw#* -> }" &&
+ past_date_encoded=$(echo "$past_date" | sed "s/ /%20/g") &&
+
+ # Enable retries
+ test_config http.maxRetries 3 &&
+
+ # Git should retry immediately without waiting
+ start=$(test-tool date getnanos) &&
+ git ls-remote "$HTTPD_URL/http_429/past-http-date/$past_date_encoded/repo.git" >output 2>err &&
+ duration=$(test-tool date getnanos $start) &&
+
+ # Should complete quickly (less than 2 seconds)
+ duration_int=${duration%.*} &&
+ test "$duration_int" -lt 2 &&
+ test_grep "refs/heads/" output
+'
+
+test_expect_success 'HTTP 429 with invalid Retry-After format uses configured default' '
+ # Configure default retry-after
+ test_config http.maxRetries 3 &&
+ test_config http.retryAfter 1 &&
+
+ # Should use configured default (1 second) since header is invalid
+ start=$(test-tool date getnanos) &&
+ git ls-remote "$HTTPD_URL/http_429/invalid-retry-after-format/invalid/repo.git" >output 2>err &&
+ duration=$(test-tool date getnanos $start) &&
+
+ # Should take at least 1 second (the configured default)
+ duration_int=${duration%.*} &&
+ test "$duration_int" -ge 1 &&
+ test_grep "refs/heads/" output &&
+ test_grep "waiting.*retry" err
+'
+
+test_expect_success 'HTTP 429 will not be retried without config' '
+ # Default config means http.maxRetries=0 (retries disabled)
+ # When 429 is received, it should fail immediately without retry
+ # Do NOT configure anything - use defaults (http.maxRetries defaults to 0)
+
+ # Should fail immediately without retry
+ test_must_fail git ls-remote "$HTTPD_URL/http_429/no-retry-without-config/1/repo.git" 2>err &&
+
+ # Verify no retry happened (no "waiting" message)
+ test_grep ! -i "waiting.*retry" err &&
+
+ # Should get 429 error
+ test_grep "429" err
+'
+
+test_expect_success 'GIT_HTTP_RETRY_AFTER overrides http.retryAfter config' '
+ # Configure retryAfter to 10 seconds
+ test_config http.maxRetries 3 &&
+ test_config http.retryAfter 10 &&
+
+ # Override with environment variable to 1 second
+ start=$(test-tool date getnanos) &&
+ GIT_HTTP_RETRY_AFTER=1 git ls-remote "$HTTPD_URL/http_429/env-retry-after-override/none/repo.git" >output 2>err &&
+ duration=$(test-tool date getnanos $start) &&
+
+ # Should use env var (1 second), not config (10 seconds)
+ duration_int=${duration%.*} &&
+ test "$duration_int" -ge 1 &&
+ test "$duration_int" -lt 5 &&
+ test_grep "refs/heads/" output &&
+ test_grep "waiting.*retry" err
+'
+
+test_expect_success 'GIT_HTTP_MAX_RETRIES overrides http.maxRetries config' '
+ # Configure maxRetries to 0 (disabled)
+ test_config http.maxRetries 0 &&
+ test_config http.retryAfter 1 &&
+
+ # Override with environment variable to enable retries
+ GIT_HTTP_MAX_RETRIES=3 git ls-remote "$HTTPD_URL/http_429/env-max-retries-override/1/repo.git" >output 2>err &&
+
+ # Should retry (env var enables it despite config saying disabled)
+ test_grep "refs/heads/" output &&
+ test_grep "waiting.*retry" err
+'
+
+test_expect_success 'GIT_HTTP_MAX_RETRY_TIME overrides http.maxRetryTime config' '
+ # Configure maxRetryTime to 100 seconds (would accept 50 second delay)
+ test_config http.maxRetries 3 &&
+ test_config http.maxRetryTime 100 &&
+
+ # Override with environment variable to 10 seconds (should reject 50 second delay)
+ start=$(test-tool date getnanos) &&
+ test_must_fail env GIT_HTTP_MAX_RETRY_TIME=10 \
+ git ls-remote "$HTTPD_URL/http_429/env-max-retry-time-override/50/repo.git" 2>err &&
+ duration=$(test-tool date getnanos $start) &&
+
+ # Should fail quickly (not wait 50 seconds) because env var limits to 10
+ duration_int=${duration%.*} &&
+ test "$duration_int" -lt 5 &&
+ test_grep "greater than http.maxRetryTime" err
+'
+
+test_expect_success 'verify normal repository access still works' '
+ git ls-remote "$HTTPD_URL/smart/repo.git" >output &&
+ test_grep "refs/heads/" output
+'
+
+test_done
--
gitgitgadget
^ permalink raw reply related [flat|nested] 49+ messages in thread
* Re: [PATCH v5 0/4] http: add support for HTTP 429 rate limit retries
2026-02-23 14:20 ` [PATCH v5 0/4] " Vaidas Pilkauskas via GitGitGadget
` (3 preceding siblings ...)
2026-02-23 14:20 ` [PATCH v5 4/4] http: add support for HTTP 429 rate limit retries Vaidas Pilkauskas via GitGitGadget
@ 2026-02-24 0:07 ` Junio C Hamano
2026-03-09 23:34 ` Junio C Hamano
2026-03-17 13:00 ` [PATCH v6 0/3] " Vaidas Pilkauskas via GitGitGadget
5 siblings, 1 reply; 49+ messages in thread
From: Junio C Hamano @ 2026-02-24 0:07 UTC (permalink / raw)
To: Vaidas Pilkauskas via GitGitGadget
Cc: git, Taylor Blau, Jeff King, Vaidas Pilkauskas
"Vaidas Pilkauskas via GitGitGadget" <gitgitgadget@gmail.com>
writes:
> Changes since v4:
>
> * fix only strbuf_attach() calls which don't need reallocation
> * remove patch, which enforces strbuf_attach() contract via BUG()
> ...
> Vaidas Pilkauskas (4):
> strbuf: pass correct alloc to strbuf_attach() in strbuf_reencode()
> strbuf_attach: fix call sites to pass correct alloc
> remote-curl: introduce show_http_message_fatal() helper
These three patches looked quite reasonable to me.
> http: add support for HTTP 429 rate limit retries
I'd feel comfortable to see somebody more familiar with the HTTP
transport code base to take a look at this step before we declare
victory.
Thanks.
^ permalink raw reply [flat|nested] 49+ messages in thread
* Re: [PATCH v5 0/4] http: add support for HTTP 429 rate limit retries
2026-02-24 0:07 ` [PATCH v5 0/4] " Junio C Hamano
@ 2026-03-09 23:34 ` Junio C Hamano
2026-03-10 19:10 ` Jeff King
0 siblings, 1 reply; 49+ messages in thread
From: Junio C Hamano @ 2026-03-09 23:34 UTC (permalink / raw)
To: git
Cc: Vaidas Pilkauskas via GitGitGadget, Taylor Blau, Jeff King,
Vaidas Pilkauskas
Junio C Hamano <gitster@pobox.com> writes:
> "Vaidas Pilkauskas via GitGitGadget" <gitgitgadget@gmail.com>
> writes:
>
>> Changes since v4:
>>
>> * fix only strbuf_attach() calls which don't need reallocation
>> * remove patch, which enforces strbuf_attach() contract via BUG()
>> ...
>> Vaidas Pilkauskas (4):
>> strbuf: pass correct alloc to strbuf_attach() in strbuf_reencode()
>> strbuf_attach: fix call sites to pass correct alloc
>> remote-curl: introduce show_http_message_fatal() helper
>
> These three patches looked quite reasonable to me.
>
>> http: add support for HTTP 429 rate limit retries
>
> I'd feel comfortable to see somebody more familiar with the HTTP
> transport code base to take a look at this step before we declare
> victory.
Any volunteers?
Thanks.
^ permalink raw reply [flat|nested] 49+ messages in thread
* Re: [PATCH v5 3/4] remote-curl: introduce show_http_message_fatal() helper
2026-02-23 14:20 ` [PATCH v5 3/4] remote-curl: introduce show_http_message_fatal() helper Vaidas Pilkauskas via GitGitGadget
@ 2026-03-10 17:44 ` Jeff King
0 siblings, 0 replies; 49+ messages in thread
From: Jeff King @ 2026-03-10 17:44 UTC (permalink / raw)
To: Vaidas Pilkauskas via GitGitGadget
Cc: git, Taylor Blau, Junio C Hamano, Vaidas Pilkauskas
On Mon, Feb 23, 2026 at 02:20:04PM +0000, Vaidas Pilkauskas via GitGitGadget wrote:
> From: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
>
> Several code paths in remote-curl.c follow the same pattern of calling
> show_http_message() to display server error messages followed by die()
> to terminate with an error. This duplication makes the code more verbose
> and harder to maintain.
>
> Introduce a new show_http_message_fatal() helper function that combines
> these two operations. This function:
>
> 1. Displays any HTTP error message from the server via show_http_message()
> 2. Calls die() with the provided error message
> 3. Returns NORETURN to help the compiler with control flow analysis
>
> Refactor existing call sites in remote-curl.c to use this new helper,
> reducing code duplication and improving readability. This pattern will
> also be used by upcoming HTTP 429 rate limiting support.
I'm unconvinced that this actually makes things simpler. It doesn't save
any lines, the show_http_message() becomes less flexible, and we now
encode die-logic like the numeric code for exit() in the curl code.
> +static NORETURN void show_http_message_fatal(struct strbuf *type, struct strbuf *charset,
> + struct strbuf *msg, const char *fmt, ...)
> {
> const char *p, *eol;
> + va_list ap;
> + report_fn die_message_routine = get_die_message_routine();
If we got the die_routine here and not the die_message_routine, we
wouldn't have to exit() ourselves. But sadly there is not a
get_die_routine() helper yet, so we'd have to add one.
> /*
> * We only show text/plain parts, as other types are likely
> * to be ugly to look at on the user's terminal.
> */
> if (strcmp(type->buf, "text/plain"))
> - return -1;
> + goto out;
> if (charset->len)
> strbuf_reencode(msg, charset->buf, get_log_output_encoding());
>
> strbuf_trim(msg);
> if (!msg->len)
> - return -1;
> + goto out;
>
> p = msg->buf;
> do {
OK, we jump to the end since now we have to make sure to hit the exit
bits.
> @@ -391,7 +393,16 @@ static int show_http_message(struct strbuf *type, struct strbuf *charset,
> fprintf(stderr, "remote: %.*s\n", (int)(eol - p), p);
> p = eol + 1;
> } while(*eol);
> - return 0;
> +
> +out:
> + strbuf_release(type);
> + strbuf_release(charset);
> + strbuf_release(msg);
This cleanup seems pointless. These strbufs came from the caller, so
they are not our responsibility to release. But also, we're about to
call die(), so there is no need to clean them up.
> + va_start(ap, fmt);
> + die_message_routine(fmt, ap);
> + va_end(ap);
> + exit(128);
This part is the advertised change for the function, which looks correct.
> static int get_protocol_http_header(enum protocol_version version,
> @@ -518,21 +529,21 @@ static struct discovery *discover_refs(const char *service, int for_push)
> case HTTP_OK:
> break;
> case HTTP_MISSING_TARGET:
> - show_http_message(&type, &charset, &buffer);
> - die(_("repository '%s' not found"),
> - transport_anonymize_url(url.buf));
> + show_http_message_fatal(&type, &charset, &buffer,
> + _("repository '%s' not found"),
> + transport_anonymize_url(url.buf));
So this is what the refactoring bought us: we trade 3 lines for 3 lines. ;)
If we could roll in policy decisions like anonymizing the URL, or
showing the curl_errorstr, I think it might be worth it. But we can't do
that easily because they are varargs for the %s format.
IMHO we should just drop this patch, and patch 4 should do the usual
show_http_message() and die().
-Peff
^ permalink raw reply [flat|nested] 49+ messages in thread
* Re: [PATCH v5 4/4] http: add support for HTTP 429 rate limit retries
2026-02-23 14:20 ` [PATCH v5 4/4] http: add support for HTTP 429 rate limit retries Vaidas Pilkauskas via GitGitGadget
@ 2026-03-10 19:07 ` Jeff King
0 siblings, 0 replies; 49+ messages in thread
From: Jeff King @ 2026-03-10 19:07 UTC (permalink / raw)
To: Vaidas Pilkauskas via GitGitGadget
Cc: git, Taylor Blau, Junio C Hamano, Vaidas Pilkauskas
On Mon, Feb 23, 2026 at 02:20:05PM +0000, Vaidas Pilkauskas via GitGitGadget wrote:
> @@ -257,6 +264,50 @@ static size_t fwrite_wwwauth(char *ptr, size_t eltsize, size_t nmemb, void *p UN
> goto exit;
> }
>
> +#ifndef GIT_CURL_HAVE_CURLINFO_RETRY_AFTER
> + /* Parse Retry-After header for rate limiting (for curl < 7.66.0) */
> + if (skip_iprefix_mem(ptr, size, "retry-after:", &val, &val_len)) {
> + struct active_request_slot *slot = (struct active_request_slot *)p;
> +
> + strbuf_add(&buf, val, val_len);
> + strbuf_trim(&buf);
> +
> + if (slot && slot->results) {
> + /* Parse the retry-after value (delay-seconds or HTTP-date) */
> + char *endptr;
> + long retry_after;
> +
> + errno = 0;
> + retry_after = strtol(buf.buf, &endptr, 10);
> +
> + /* Check if it's a valid integer (delay-seconds format) */
> + if (endptr != buf.buf && *endptr == '\0' &&
> + errno != ERANGE && retry_after >= 0) {
> + slot->results->retry_after = retry_after;
> + } else {
> + /* Try parsing as HTTP-date format */
> + timestamp_t timestamp;
> + int offset;
> + if (!parse_date_basic(buf.buf, ×tamp, &offset)) {
> + /* Successfully parsed as date, calculate delay from now */
> + timestamp_t now = time(NULL);
> + if (timestamp > now) {
> + slot->results->retry_after = (long)(timestamp - now);
> + } else {
> + /* Past date means retry immediately */
> + slot->results->retry_after = 0;
> + }
> + } else {
> + /* Failed to parse as either delay-seconds or HTTP-date */
> + warning(_("unable to parse Retry-After header value: '%s'"), buf.buf);
> + }
> + }
> + }
> +
> + goto exit;
> + }
> +#endif
> +
> /*
> * This line could be a continuation of the previously matched header
> * field. If this is the case then we should append this value to the
I don't think this meshes well with the existing code for parsing
www-authenticate, especially with respect to header continuation:
1. If we see continuation like "Retry-After:\n <date>", we won't find
<date>. Instead, we'll just think it's blank (or worse, do a
partial parse if the line break happens at whitespace in the middle
of the date).
2. We don't reset http_auth.header_is_last_match, so
"WWW-Authenticate: foo\nRetry-After:\n <date>" will attribute
<date> to the WWW-Authenticate header.
3. We don't clear the value like we do for www-authenticate headers,
as we do in the lower code:
/*
* If this is a HTTP status line and not a header field, this signals
* a different HTTP response. libcurl writes all the output of all
* response headers of all responses, including redirects.
* We only care about the last HTTP request response's headers so clear
* the existing array.
*/
if (skip_iprefix_mem(ptr, size, "http/", &val, &val_len))
strvec_clear(values);
It's probably unlikely to get a retry-after _and_ a redirect in
practice, though.
I suspect these are all quite uncommon cases, but it worries me a little
that a malicious response could inject values into the wrong header.
And worse, that these cases will go largely untested, as most developers
have recent enough versions of libcurl.
Could we drop this hunk entirely, and just document that the Retry-After
feature only works if you have a recent version of libcurl? Curl 7.66.0
is almost 7 years old now (and you'd still get manual-timed retries if
you configure them).
> @@ -342,6 +393,17 @@ static void finish_active_slot(struct active_request_slot *slot)
>
> curl_easy_getinfo(slot->curl, CURLINFO_HTTP_CONNECTCODE,
> &slot->results->http_connectcode);
> +
> +#ifdef GIT_CURL_HAVE_CURLINFO_RETRY_AFTER
> + if (slot->results->http_code == 429) {
> + curl_off_t retry_after;
> + CURLcode res = curl_easy_getinfo(slot->curl,
> + CURLINFO_RETRY_AFTER,
> + &retry_after);
> + if (res == CURLE_OK && retry_after > 0)
> + slot->results->retry_after = (long)retry_after;
> + }
> +#endif
This hunk makes sense. It is a little funny that we cast to long after
getting a curl_off_t, but I suspect we have to cast somewhere unless we
want to consistently pass around a curl_off_t (including via
http_request).
Though since it seems like http_request() is the only code path that
handles retries, do we need to grab it here in finish_active_slot()?
I.e., would it make more sense to do it in http_request() where we are
copying it out from the results field anyway?
Pushing it down to this level would make sense if we wanted to handle
retries on other requests outside of http_request (like dumb-http walker
request), but I don't think your patch does that.
> @@ -1886,6 +1971,9 @@ int run_one_slot(struct active_request_slot *slot,
> struct slot_results *results)
> {
> slot->results = results;
> + /* Initialize retry_after to -1 (not set) */
> + results->retry_after = -1;
> +
This is an unusual spot for per-request setup. Usually this happens in
get_active_slot(), which is called before making a request.
I think you are putting it here because we will make several requests on
the same handle via http_request_recoverable(). But in that case, would
setting it there make more sense? In fact, we seem to _reset_ it there
already.
> static int http_request(const char *url,
> void *result, int target,
> - const struct http_get_options *options)
> + const struct http_get_options *options,
> + long *retry_after_out)
> {
Why add this as a new argument when we already have many other optional
out-parameters in http_get_options? I.e., I'd have expected this:
diff --git a/http.h b/http.h
index eb40456450..4e36e41432 100644
--- a/http.h
+++ b/http.h
@@ -155,12 +155,14 @@ struct http_get_options {
/*
* If not NULL, contains additional HTTP headers to be sent with the
* request. The strings in the list must not be freed until after the
* request has completed.
*/
struct string_list *extra_headers;
+
+ long *retry_after;
};
/* Return values for http_get_*() */
#define HTTP_OK 0
#define HTTP_MISSING_TARGET 1
#define HTTP_ERROR 2
We could possibly even just make it a regular "long", not a pointer. The
reason the other fields in http_get_options are pointers is that we only
want to fill them in if the caller is interested, because:
1. There is a cost to getting/computing the information.
2. They allocate memory, so the caller has to know to clean them up.
But here we just have a plain integer, so we could just always assign
it. It would mean dropping the "const" from the struct parameter, but I
think that's fine.
Looking further in the patch, I guess one reason is that the retry stuff
is handled internally by http_request(), so a caller never needs or
wants to see it. I wonder if that is always true, though. For example,
when we print the rate-limited message at the top-level of
remote-curl.c, might it be useful for us to mention the retry-after field?
If you want retries to work for all calls, we might have to use a dummy
http_get_options struct. But I think that would actually make the code
cleaner in general (no more "if (options && options->effective_url)"; it
would just "if (options->effective_url)".
> @@ -2148,7 +2237,8 @@ static int http_request(const char *url,
> fwrite_buffer);
> }
>
> - curl_easy_setopt(slot->curl, CURLOPT_HEADERFUNCTION, fwrite_wwwauth);
> + curl_easy_setopt(slot->curl, CURLOPT_HEADERFUNCTION, fwrite_headers);
> + curl_easy_setopt(slot->curl, CURLOPT_HEADERDATA, slot);
This hunk goes away if we drop the fwrite_headers() bit.
> +static long handle_rate_limit_retry(int *rate_limit_retries, long slot_retry_after)
> [...]
> + /* Use the slot-specific retry_after value or configured default */
> + if (slot_retry_after >= 0) {
> + /* Check if retry delay exceeds maximum allowed */
> + if (slot_retry_after > http_max_retry_time) {
> + error(_("response requested a delay greater than http.maxRetryTime (%ld > %ld seconds)"),
> + slot_retry_after, http_max_retry_time);
> + trace2_data_string("http", the_repository,
> + "http/429-error", "exceeds-max-retry-time");
> + trace2_data_intmax("http", the_repository,
> + "http/429-requested-delay", slot_retry_after);
> + return -1;
> + }
> + return slot_retry_after;
OK. I had imagine that the max-time would clamp how long we were willing
to wait, but instead we just bail. I guess what you have is probably more
friendly to a server that says "please try again after 600 seconds" as
opposed to trying again faster than they'd prefer.
> + } else {
> + /* No Retry-After header provided, use configured default */
> + if (http_retry_after > http_max_retry_time) {
> + error(_("configured http.retryAfter exceeds http.maxRetryTime (%ld > %ld seconds)"),
> + http_retry_after, http_max_retry_time);
> + trace2_data_string("http", the_repository,
> + "http/429-error", "config-exceeds-max-retry-time");
> + return -1;
> + }
And this one is a misconfiguration on the part of the user, so it should
certainly be an error. ;)
> +static int http_request_recoverable(const char *url,
> void *result, int target,
> struct http_get_options *options)
> {
> int i = 3;
> int ret;
> + int rate_limit_retries = http_max_retries;
> + long slot_retry_after = -1; /* Per-slot retry_after value */
Hmm, what is "i" here? Previously we used it to avoid REAUTH looping too
many times:
> - while (ret == HTTP_REAUTH && --i) {
> + while ((ret == HTTP_REAUTH || ret == HTTP_RATE_LIMITED) && --i) {
But now we are looping on both rate-limits and auth. If max_retries is
greater than 2, won't we bail even though there are retries left?
Also, what if we retry once due to RATE_LIMITED, but then need multiple
attempts to do auth? It feels like we should have two separate counters:
while ((ret == HTTP_REAUTH && --i) ||
(ret == HTTP_RATE_LIMITED && --rate_limit_retries)
Side note: I think I am reading the "--i" count right. It feels like it
would be simpler as "i--", but I guess it is counting the initial
http_request() we made. I suspect this might make more sense as a
do-while loop, but it is hairy enough that trying to refactor it further
might be risky.
> @@ -2301,10 +2454,23 @@ static int http_request_reauth(const char *url,
> default:
> BUG("Unknown http_request target");
> }
> + if (ret == HTTP_RATE_LIMITED) {
> + retry_delay = handle_rate_limit_retry(&rate_limit_retries, slot_retry_after);
> + if (retry_delay < 0)
> + return HTTP_ERROR;
> +
> + if (retry_delay > 0) {
> + warning(_("rate limited, waiting %ld seconds before retry"), retry_delay);
> + trace2_data_intmax("http", the_repository,
> + "http/retry-sleep-seconds", retry_delay);
> + sleep(retry_delay);
> + }
> + slot_retry_after = -1; /* Reset after use */
> + } else if (ret == HTTP_REAUTH) {
> + credential_fill(the_repository, &http_auth, 1);
> + }
OK. In the loop condition I suggested above, we decrement
rate_limit_retries there. But obviously it is also happening here via
handle_rate_limit_retry(), so it has to be one or the other.
I wondered about the case where we are out of retries, and whether we
might sleep before bailing. But that function checks that case and
returns -1, so we'd bail immediately. Good.
> +test_expect_success 'HTTP 429 retry delays are respected' '
> + # Enable retries
> + test_config http.maxRetries 3 &&
> +
> + # Time the operation - it should take at least 2 seconds due to retry delay
> + start=$(test-tool date getnanos) &&
> + git ls-remote "$HTTPD_URL/http_429/retry-delays-respected/2/repo.git" >output 2>err &&
> + duration=$(test-tool date getnanos $start) &&
> +
> + # Verify it took at least 2 seconds (allowing some tolerance)
> + duration_int=${duration%.*} &&
> + test "$duration_int" -ge 1 &&
> + test_grep "refs/heads/" output
> +'
Nice, the duration-checking here looks nice and simple. The 2-second
check here should be non-racy, since we'll wait at least that long. We
may get a false-success on a heavily-loaded system, but that's OK.
> +test_expect_success 'HTTP 429 fails immediately if Retry-After exceeds http.maxRetryTime' '
> + # Configure max retry time to 3 seconds (much less than requested 100)
> + test_config http.maxRetries 3 &&
> + test_config http.maxRetryTime 3 &&
> +
> + # Should fail immediately without waiting
> + start=$(test-tool date getnanos) &&
> + test_must_fail git ls-remote "$HTTPD_URL/http_429/retry-after-exceeds-max-time/100/repo.git" 2>err &&
> + duration=$(test-tool date getnanos $start) &&
> +
> + # Should fail quickly (less than 2 seconds, no 100 second wait)
> + duration_int=${duration%.*} &&
> + test "$duration_int" -lt 2 &&
> + test_grep "greater than http.maxRetryTime" err
> +'
This one is the opposite, though. On a heavily loaded system, we may get
a false failure if the test takes longer than 2s to run. Can we bump
this to something much less likely to trigger, like 99? Or even 100
would work, I'd think, since we know we'll wait at least 100 seconds if
we actually tried to use that retry-time.
> +test_expect_success 'HTTP 429 fails if configured http.retryAfter exceeds http.maxRetryTime' '
> + # Test misconfiguration: retryAfter > maxRetryTime
> + # Configure retryAfter larger than maxRetryTime
> + test_config http.maxRetries 3 &&
> + test_config http.retryAfter 100 &&
> + test_config http.maxRetryTime 5 &&
> +
> + # Should fail immediately with configuration error
> + start=$(test-tool date getnanos) &&
> + test_must_fail git ls-remote "$HTTPD_URL/http_429/config-retry-after-exceeds-max-time/none/repo.git" 2>err &&
> + duration=$(test-tool date getnanos $start) &&
> +
> + # Should fail quickly
> + duration_int=${duration%.*} &&
> + test "$duration_int" -lt 2 &&
> + test_grep "configured http.retryAfter.*exceeds.*http.maxRetryTime" err
> +'
Same here; the key thing is that we don't wait 100 seconds, but we might
accidentally take 2 seconds on a slow system.
I think there are a few more below, just looking for "-lt".
-Peff
^ permalink raw reply related [flat|nested] 49+ messages in thread
* Re: [PATCH v5 0/4] http: add support for HTTP 429 rate limit retries
2026-03-09 23:34 ` Junio C Hamano
@ 2026-03-10 19:10 ` Jeff King
2026-03-10 19:19 ` Junio C Hamano
0 siblings, 1 reply; 49+ messages in thread
From: Jeff King @ 2026-03-10 19:10 UTC (permalink / raw)
To: Junio C Hamano
Cc: git, Vaidas Pilkauskas via GitGitGadget, Taylor Blau,
Vaidas Pilkauskas
On Mon, Mar 09, 2026 at 04:34:25PM -0700, Junio C Hamano wrote:
> Junio C Hamano <gitster@pobox.com> writes:
>
> > "Vaidas Pilkauskas via GitGitGadget" <gitgitgadget@gmail.com>
> > writes:
> >
> >> Changes since v4:
> >>
> >> * fix only strbuf_attach() calls which don't need reallocation
> >> * remove patch, which enforces strbuf_attach() contract via BUG()
> >> ...
> >> Vaidas Pilkauskas (4):
> >> strbuf: pass correct alloc to strbuf_attach() in strbuf_reencode()
> >> strbuf_attach: fix call sites to pass correct alloc
> >> remote-curl: introduce show_http_message_fatal() helper
> >
> > These three patches looked quite reasonable to me.
> >
> >> http: add support for HTTP 429 rate limit retries
> >
> > I'd feel comfortable to see somebody more familiar with the HTTP
> > transport code base to take a look at this step before we declare
> > victory.
>
> Any volunteers?
Sorry, I'm way underwater on things I could/should be reviewing, and
this one was quite non-trivial. ;)
I just left some comments. A lot of it was about how to more cleanly
integrate with the http code (which I admit is a mess, especially with
respect to which "layer" things should happen at). Some of that may be
debatable, though I hope we can make things a bit cleaner.
But I think there may be a logic error in how http_request_recoverable()
loops, which certainly needs to be fixed.
-Peff
^ permalink raw reply [flat|nested] 49+ messages in thread
* Re: [PATCH v5 0/4] http: add support for HTTP 429 rate limit retries
2026-03-10 19:10 ` Jeff King
@ 2026-03-10 19:19 ` Junio C Hamano
0 siblings, 0 replies; 49+ messages in thread
From: Junio C Hamano @ 2026-03-10 19:19 UTC (permalink / raw)
To: Jeff King
Cc: git, Vaidas Pilkauskas via GitGitGadget, Taylor Blau,
Vaidas Pilkauskas
Jeff King <peff@peff.net> writes:
> On Mon, Mar 09, 2026 at 04:34:25PM -0700, Junio C Hamano wrote:
>
>> Junio C Hamano <gitster@pobox.com> writes:
>>
>> > "Vaidas Pilkauskas via GitGitGadget" <gitgitgadget@gmail.com>
>> > writes:
>> >
>> >> Changes since v4:
>> >>
>> >> * fix only strbuf_attach() calls which don't need reallocation
>> >> * remove patch, which enforces strbuf_attach() contract via BUG()
>> >> ...
>> >> Vaidas Pilkauskas (4):
>> >> strbuf: pass correct alloc to strbuf_attach() in strbuf_reencode()
>> >> strbuf_attach: fix call sites to pass correct alloc
>> >> remote-curl: introduce show_http_message_fatal() helper
>> >
>> > These three patches looked quite reasonable to me.
>> >
>> >> http: add support for HTTP 429 rate limit retries
>> >
>> > I'd feel comfortable to see somebody more familiar with the HTTP
>> > transport code base to take a look at this step before we declare
>> > victory.
>>
>> Any volunteers?
>
> Sorry, I'm way underwater on things I could/should be reviewing, and
> this one was quite non-trivial. ;)
>
> I just left some comments. A lot of it was about how to more cleanly
> integrate with the http code (which I admit is a mess, especially with
> respect to which "layer" things should happen at). Some of that may be
> debatable, though I hope we can make things a bit cleaner.
>
> But I think there may be a logic error in how http_request_recoverable()
> loops, which certainly needs to be fixed.
Thanks.
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH v6 0/3] http: add support for HTTP 429 rate limit retries
2026-02-23 14:20 ` [PATCH v5 0/4] " Vaidas Pilkauskas via GitGitGadget
` (4 preceding siblings ...)
2026-02-24 0:07 ` [PATCH v5 0/4] " Junio C Hamano
@ 2026-03-17 13:00 ` Vaidas Pilkauskas via GitGitGadget
2026-03-17 13:00 ` [PATCH v6 1/3] strbuf: pass correct alloc to strbuf_attach() in strbuf_reencode() Vaidas Pilkauskas via GitGitGadget
` (3 more replies)
5 siblings, 4 replies; 49+ messages in thread
From: Vaidas Pilkauskas via GitGitGadget @ 2026-03-17 13:00 UTC (permalink / raw)
To: git; +Cc: Taylor Blau, Jeff King, Junio C Hamano, Vaidas Pilkauskas
Changes since v5:
* drop show_http_message_fatal() preparation patch
* drop fwrite_headers, restore fwrite_wwwauth
* move CURLINFO_RETRY_AFTER from finish_active_slot to http_request
* move retry_after=-1 init from run_one_slot to http_request
* replace retry_after_out param with http_get_options field
* fix loop counter: separate REAUTH and RATE_LIMITED counters
* fix racy -lt 2 timing bounds in tests
Changes since v4:
* fix only strbuf_attach() calls which don't need reallocation
* remove patch, which enforces strbuf_attach() contract via BUG()
Changes since v3:
* Clean up of all strbuf_attach() call sites
* Add strbuf_attach() contract enforcement via BUG()
Changes since v2:
* New preparatory patch: Introduced show_http_message_fatal() helper
function to reduce code duplication in remote-curl.c (suggested by Taylor
Blau)
* Removed specific HTTP_RATE_LIMITED error handling from http-push.c and
http-walker.c for the obsolete "dumb" protocol, allowing generic error
handling to take over (suggested by Jeff King)
* Added support for CURLINFO_RETRY_AFTER on curl >= 7.66.0, falling back to
manual header parsing on older versions
* Simplified retry/delay architecture: replaced complex non-blocking
"delayed slot" mechanism with simple blocking sleep() call in the retry
loop, removing ~66 lines of timing logic (suggested by Jeff King)
* Fixed Retry-After: 0 handling to allow immediate retry as specified by
RFC 9110
* Changed http.retryAfter default from -1 to 0, so Git will retry
immediately when encountering HTTP 429 without a Retry-After header,
rather than failing with a configuration error
* Improved error messages: shortened to be more concise
* Fixed coding style issues: removed unnecessary curly braces, changed x ==
0 to !x (per CodingGuidelines)
* Improved test portability: replaced non-portable date(1) commands with
test-tool date, added nanosecond-precision timing with getnanos, replaced
cut(1) with POSIX shell parameter expansion
* Split out strbuf.c bugfix into separate preparatory patch (the
strbuf_reencode alloc size fix is unrelated to HTTP 429 support)
* Squashed separate trace2 logging patch into main HTTP 429 retry support
commit
* Kept header_is_last_match assignment for Retry-After to prevent incorrect
handling of HTTP header continuation lines
The implementation includes:
1. A bug fix in strbuf_reencode() that corrects the allocation size passed
to strbuf_attach(), passing len+1 instead of len so that the existing
buffer is reused rather than immediately reallocated.
2. A cleanup of strbuf_attach() call sites that were passing alloc == len,
leaving no room for the NUL terminator. Sites with a
known-NUL-terminated buffer now pass len+1; sites where the source
buffer has no trailing NUL (ll_merge output) are converted to use
strbuf_add() instead.
3. The main feature: HTTP 429 retry logic with support for the Retry-After
header (both delay-seconds and HTTP-date formats), configurable via
http.maxRetries, http.retryAfter, and http.maxRetryTime options. If any
computed delay exceeds maxRetryTime the request fails immediately with a
clear diagnostic rather than capping and retrying silently.
Vaidas Pilkauskas (3):
strbuf: pass correct alloc to strbuf_attach() in strbuf_reencode()
strbuf_attach: fix call sites to pass correct alloc
http: add support for HTTP 429 rate limit retries
Documentation/config/http.adoc | 26 ++++
builtin/am.c | 2 +-
builtin/fast-import.c | 2 +-
git-curl-compat.h | 8 +
http.c | 144 +++++++++++++++---
http.h | 9 ++
mailinfo.c | 2 +-
refs/files-backend.c | 2 +-
remote-curl.c | 11 ++
strbuf.c | 2 +-
t/lib-httpd.sh | 1 +
t/lib-httpd/apache.conf | 8 +
t/lib-httpd/http-429.sh | 98 ++++++++++++
t/meson.build | 1 +
t/t5584-http-429-retry.sh | 266 +++++++++++++++++++++++++++++++++
trailer.c | 2 +-
16 files changed, 557 insertions(+), 27 deletions(-)
create mode 100644 t/lib-httpd/http-429.sh
create mode 100755 t/t5584-http-429-retry.sh
base-commit: ca1db8a0f7dc0dbea892e99f5b37c5fe5861be71
Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-2008%2Fvaidas-shopify%2Fretry-after-v6
Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-2008/vaidas-shopify/retry-after-v6
Pull-Request: https://github.com/gitgitgadget/git/pull/2008
Range-diff vs v5:
1: 7ec2d66447 = 1: 6e76be1d85 strbuf: pass correct alloc to strbuf_attach() in strbuf_reencode()
2: 3e0b78cfb6 = 2: 0dc214d3c2 strbuf_attach: fix call sites to pass correct alloc
3: 973703e9dd < -: ---------- remote-curl: introduce show_http_message_fatal() helper
4: bfee1f10c0 ! 3: 3418f4553d http: add support for HTTP 429 rate limit retries
@@ Documentation/config/http.adoc: http.keepAliveCount::
+ Default wait time in seconds before retrying when a server returns
+ HTTP 429 (Too Many Requests) without a Retry-After header.
+ Defaults to 0 (retry immediately). When a Retry-After header is
-+ present, its value takes precedence over this setting. Can be
-+ overridden by the `GIT_HTTP_RETRY_AFTER` environment variable.
++ present, its value takes precedence over this setting; however,
++ automatic use of the server-provided `Retry-After` header requires
++ libcurl 7.66.0 or later. On older versions, configure this setting
++ manually to control the retry delay. Can be overridden by the
++ `GIT_HTTP_RETRY_AFTER` environment variable.
+ See also `http.maxRetries` and `http.maxRetryTime`.
+
+http.maxRetries::
@@ http.c: static inline int is_hdr_continuation(const char *ptr, const size_t size
}
-static size_t fwrite_wwwauth(char *ptr, size_t eltsize, size_t nmemb, void *p UNUSED)
-+static size_t fwrite_headers(char *ptr, size_t eltsize, size_t nmemb, void *p MAYBE_UNUSED)
++static size_t fwrite_wwwauth(char *ptr, size_t eltsize, size_t nmemb, void *p MAYBE_UNUSED)
{
size_t size = eltsize * nmemb;
struct strvec *values = &http_auth.wwwauth_headers;
-@@ http.c: static size_t fwrite_wwwauth(char *ptr, size_t eltsize, size_t nmemb, void *p UN
- goto exit;
- }
-
-+#ifndef GIT_CURL_HAVE_CURLINFO_RETRY_AFTER
-+ /* Parse Retry-After header for rate limiting (for curl < 7.66.0) */
-+ if (skip_iprefix_mem(ptr, size, "retry-after:", &val, &val_len)) {
-+ struct active_request_slot *slot = (struct active_request_slot *)p;
-+
-+ strbuf_add(&buf, val, val_len);
-+ strbuf_trim(&buf);
-+
-+ if (slot && slot->results) {
-+ /* Parse the retry-after value (delay-seconds or HTTP-date) */
-+ char *endptr;
-+ long retry_after;
-+
-+ errno = 0;
-+ retry_after = strtol(buf.buf, &endptr, 10);
-+
-+ /* Check if it's a valid integer (delay-seconds format) */
-+ if (endptr != buf.buf && *endptr == '\0' &&
-+ errno != ERANGE && retry_after >= 0) {
-+ slot->results->retry_after = retry_after;
-+ } else {
-+ /* Try parsing as HTTP-date format */
-+ timestamp_t timestamp;
-+ int offset;
-+ if (!parse_date_basic(buf.buf, ×tamp, &offset)) {
-+ /* Successfully parsed as date, calculate delay from now */
-+ timestamp_t now = time(NULL);
-+ if (timestamp > now) {
-+ slot->results->retry_after = (long)(timestamp - now);
-+ } else {
-+ /* Past date means retry immediately */
-+ slot->results->retry_after = 0;
-+ }
-+ } else {
-+ /* Failed to parse as either delay-seconds or HTTP-date */
-+ warning(_("unable to parse Retry-After header value: '%s'"), buf.buf);
-+ }
-+ }
-+ }
-+
-+ goto exit;
-+ }
-+#endif
-+
- /*
- * This line could be a continuation of the previously matched header
- * field. If this is the case then we should append this value to the
-@@ http.c: static void finish_active_slot(struct active_request_slot *slot)
-
- curl_easy_getinfo(slot->curl, CURLINFO_HTTP_CONNECTCODE,
- &slot->results->http_connectcode);
-+
-+#ifdef GIT_CURL_HAVE_CURLINFO_RETRY_AFTER
-+ if (slot->results->http_code == 429) {
-+ curl_off_t retry_after;
-+ CURLcode res = curl_easy_getinfo(slot->curl,
-+ CURLINFO_RETRY_AFTER,
-+ &retry_after);
-+ if (res == CURLE_OK && retry_after > 0)
-+ slot->results->retry_after = (long)retry_after;
-+ }
-+#endif
- }
-
- /* Run callback if appropriate */
@@ http.c: static int http_options(const char *var, const char *value,
return 0;
}
@@ http.c: int run_one_slot(struct active_request_slot *slot,
struct slot_results *results)
{
slot->results = results;
-+ /* Initialize retry_after to -1 (not set) */
-+ results->retry_after = -1;
+
if (!start_active_slot(slot)) {
xsnprintf(curl_errorstr, sizeof(curl_errorstr),
@@ http.c: static void http_opt_request_remainder(CURL *curl, off_t pos)
static int http_request(const char *url,
void *result, int target,
- const struct http_get_options *options)
-+ const struct http_get_options *options,
-+ long *retry_after_out)
++ struct http_get_options *options)
{
struct active_request_slot *slot;
- struct slot_results results;
+- struct slot_results results;
++ struct slot_results results = { .retry_after = -1 };
+ struct curl_slist *headers = http_copy_default_headers();
+ struct strbuf buf = STRBUF_INIT;
+ const char *accept_language;
@@ http.c: static int http_request(const char *url,
- fwrite_buffer);
- }
+ headers = curl_slist_append(headers, accept_language);
-- curl_easy_setopt(slot->curl, CURLOPT_HEADERFUNCTION, fwrite_wwwauth);
-+ curl_easy_setopt(slot->curl, CURLOPT_HEADERFUNCTION, fwrite_headers);
-+ curl_easy_setopt(slot->curl, CURLOPT_HEADERDATA, slot);
+ strbuf_addstr(&buf, "Pragma:");
+- if (options && options->no_cache)
++ if (options->no_cache)
+ strbuf_addstr(&buf, " no-cache");
+- if (options && options->initial_request &&
++ if (options->initial_request &&
+ http_follow_config == HTTP_FOLLOW_INITIAL)
+ curl_easy_setopt(slot->curl, CURLOPT_FOLLOWLOCATION, 1L);
- accept_language = http_get_accept_language_header();
+ headers = curl_slist_append(headers, buf.buf);
+ /* Add additional headers here */
+- if (options && options->extra_headers) {
++ if (options->extra_headers) {
+ const struct string_list_item *item;
+- if (options && options->extra_headers) {
+- for_each_string_list_item(item, options->extra_headers) {
+- headers = curl_slist_append(headers, item->string);
+- }
+- }
++ for_each_string_list_item(item, options->extra_headers)
++ headers = curl_slist_append(headers, item->string);
+ }
+
+ headers = http_append_auth_header(&http_auth, headers);
@@ http.c: static int http_request(const char *url,
ret = run_one_slot(slot, &results);
-+ /* Store retry_after from slot results if output parameter provided */
-+ if (retry_after_out)
-+ *retry_after_out = results.retry_after;
+- if (options && options->content_type) {
++#ifdef GIT_CURL_HAVE_CURLINFO_RETRY_AFTER
++ if (ret == HTTP_RATE_LIMITED) {
++ curl_off_t retry_after;
++ if (curl_easy_getinfo(slot->curl, CURLINFO_RETRY_AFTER,
++ &retry_after) == CURLE_OK && retry_after > 0)
++ results.retry_after = (long)retry_after;
++ }
++#endif
++
++ options->retry_after = results.retry_after;
+
- if (options && options->content_type) {
++ if (options->content_type) {
struct strbuf raw = STRBUF_INIT;
curlinfo_strbuf(slot->curl, CURLINFO_CONTENT_TYPE, &raw);
+ extract_content_type(&raw, options->content_type,
+@@ http.c: static int http_request(const char *url,
+ strbuf_release(&raw);
+ }
+
+- if (options && options->effective_url)
++ if (options->effective_url)
+ curlinfo_strbuf(slot->curl, CURLINFO_EFFECTIVE_URL,
+ options->effective_url);
+
@@ http.c: static int update_url_from_redirect(struct strbuf *base,
return 1;
}
-static int http_request_reauth(const char *url,
+/*
-+ * Handle rate limiting retry logic for HTTP 429 responses.
-+ * Returns a negative value if retries are exhausted or configuration is invalid,
-+ * otherwise returns the delay value (>= 0) to indicate the retry should proceed.
++ * Compute the retry delay for an HTTP 429 response.
++ * Returns a negative value if configuration is invalid (delay exceeds
++ * http.maxRetryTime), otherwise returns the delay in seconds (>= 0).
+ */
-+static long handle_rate_limit_retry(int *rate_limit_retries, long slot_retry_after)
++static long handle_rate_limit_retry(long slot_retry_after)
+{
-+ int retry_attempt = http_max_retries - *rate_limit_retries + 1;
-+
-+ trace2_data_intmax("http", the_repository, "http/429-retry-attempt",
-+ retry_attempt);
-+
-+ if (*rate_limit_retries <= 0) {
-+ /* Retries are disabled or exhausted */
-+ if (http_max_retries > 0) {
-+ error(_("too many rate limit retries, giving up"));
-+ trace2_data_string("http", the_repository,
-+ "http/429-error", "retries-exhausted");
-+ }
-+ return -1;
-+ }
-+
-+ (*rate_limit_retries)--;
-+
+ /* Use the slot-specific retry_after value or configured default */
+ if (slot_retry_after >= 0) {
+ /* Check if retry delay exceeds maximum allowed */
@@ http.c: static int update_url_from_redirect(struct strbuf *base,
void *result, int target,
struct http_get_options *options)
{
++ static struct http_get_options empty_opts;
int i = 3;
int ret;
+ int rate_limit_retries = http_max_retries;
-+ long slot_retry_after = -1; /* Per-slot retry_after value */
++
++ if (!options)
++ options = &empty_opts;
if (always_auth_proactively())
credential_fill(the_repository, &http_auth, 1);
-- ret = http_request(url, result, target, options);
-+ ret = http_request(url, result, target, options, &slot_retry_after);
+ ret = http_request(url, result, target, options);
- if (ret != HTTP_OK && ret != HTTP_REAUTH)
+ if (ret != HTTP_OK && ret != HTTP_REAUTH && ret != HTTP_RATE_LIMITED)
return ret;
+- if (options && options->effective_url && options->base_url) {
+ /* If retries are disabled and we got a 429, fail immediately */
+ if (ret == HTTP_RATE_LIMITED && !http_max_retries)
+ return HTTP_ERROR;
+
- if (options && options->effective_url && options->base_url) {
++ if (options->effective_url && options->base_url) {
if (update_url_from_redirect(options->base_url,
url, options->effective_url)) {
+ credential_from_url(&http_auth, options->base_url->buf);
@@ http.c: static int http_request_reauth(const char *url,
}
}
- while (ret == HTTP_REAUTH && --i) {
-+ while ((ret == HTTP_REAUTH || ret == HTTP_RATE_LIMITED) && --i) {
++ while ((ret == HTTP_REAUTH && --i) ||
++ (ret == HTTP_RATE_LIMITED && --rate_limit_retries)) {
+ long retry_delay = -1;
/*
* The previous request may have put cruft into our output stream; we
@@ http.c: static int http_request_reauth(const char *url,
default:
BUG("Unknown http_request target");
}
+-
+- credential_fill(the_repository, &http_auth, 1);
+ if (ret == HTTP_RATE_LIMITED) {
-+ retry_delay = handle_rate_limit_retry(&rate_limit_retries, slot_retry_after);
++ retry_delay = handle_rate_limit_retry(options->retry_after);
+ if (retry_delay < 0)
+ return HTTP_ERROR;
+
@@ http.c: static int http_request_reauth(const char *url,
+ "http/retry-sleep-seconds", retry_delay);
+ sleep(retry_delay);
+ }
-+ slot_retry_after = -1; /* Reset after use */
+ } else if (ret == HTTP_REAUTH) {
+ credential_fill(the_repository, &http_auth, 1);
+ }
-- credential_fill(the_repository, &http_auth, 1);
--
-- ret = http_request(url, result, target, options);
-+ ret = http_request(url, result, target, options, &slot_retry_after);
+ ret = http_request(url, result, target, options);
}
++ if (ret == HTTP_RATE_LIMITED) {
++ trace2_data_string("http", the_repository,
++ "http/429-error", "retries-exhausted");
++ return HTTP_RATE_LIMITED;
++ }
return ret;
}
+
@@ http.c: int http_get_strbuf(const char *url,
struct strbuf *result,
struct http_get_options *options)
@@ http.h: struct slot_results {
};
struct active_request_slot {
+@@ http.h: struct http_get_options {
+ * request has completed.
+ */
+ struct string_list *extra_headers;
++
++ /*
++ * After a request completes, contains the Retry-After delay in seconds
++ * if the server returned HTTP 429 with a Retry-After header (requires
++ * libcurl 7.66.0 or later), or -1 if no such header was present.
++ */
++ long retry_after;
+ };
+
+ /* Return values for http_get_*() */
@@ http.h: struct http_get_options {
#define HTTP_REAUTH 4
#define HTTP_NOAUTH 5
@@ http.h: struct http_get_options {
## remote-curl.c ##
@@ remote-curl.c: static struct discovery *discover_refs(const char *service, int for_push)
- show_http_message_fatal(&type, &charset, &buffer,
- _("unable to access '%s' with http.pinnedPubkey configuration: %s"),
- transport_anonymize_url(url.buf), curl_errorstr);
+ show_http_message(&type, &charset, &buffer);
+ die(_("unable to access '%s' with http.pinnedPubkey configuration: %s"),
+ transport_anonymize_url(url.buf), curl_errorstr);
+ case HTTP_RATE_LIMITED:
-+ show_http_message_fatal(&type, &charset, &buffer,
-+ _("rate limited by '%s', please try again later"),
-+ transport_anonymize_url(url.buf));
++ if (http_options.retry_after > 0) {
++ show_http_message(&type, &charset, &buffer);
++ die(_("rate limited by '%s', please try again in %ld seconds"),
++ transport_anonymize_url(url.buf),
++ http_options.retry_after);
++ } else {
++ show_http_message(&type, &charset, &buffer);
++ die(_("rate limited by '%s', please try again later"),
++ transport_anonymize_url(url.buf));
++ }
default:
- show_http_message_fatal(&type, &charset, &buffer,
- _("unable to access '%s': %s"),
+ show_http_message(&type, &charset, &buffer);
+ die(_("unable to access '%s': %s"),
## t/lib-httpd.sh ##
@@ t/lib-httpd.sh: prepare_httpd() {
@@ t/t5584-http-429-retry.sh (new)
+ test_must_fail git ls-remote "$HTTPD_URL/http_429/retry-after-exceeds-max-time/100/repo.git" 2>err &&
+ duration=$(test-tool date getnanos $start) &&
+
-+ # Should fail quickly (less than 2 seconds, no 100 second wait)
++ # Should fail quickly (no 100 second wait)
+ duration_int=${duration%.*} &&
-+ test "$duration_int" -lt 2 &&
++ test "$duration_int" -lt 99 &&
+ test_grep "greater than http.maxRetryTime" err
+'
+
@@ t/t5584-http-429-retry.sh (new)
+ test_must_fail git ls-remote "$HTTPD_URL/http_429/config-retry-after-exceeds-max-time/none/repo.git" 2>err &&
+ duration=$(test-tool date getnanos $start) &&
+
-+ # Should fail quickly
++ # Should fail quickly (no 100 second wait)
+ duration_int=${duration%.*} &&
-+ test "$duration_int" -lt 2 &&
++ test "$duration_int" -lt 99 &&
+ test_grep "configured http.retryAfter.*exceeds.*http.maxRetryTime" err
+'
+
@@ t/t5584-http-429-retry.sh (new)
+
+ # Should fail quickly (not wait 200 seconds)
+ duration_int=${duration%.*} &&
-+ test "$duration_int" -lt 2 &&
++ test "$duration_int" -lt 199 &&
+ test_grep "http.maxRetryTime" err
+'
+
@@ t/t5584-http-429-retry.sh (new)
+ git ls-remote "$HTTPD_URL/http_429/past-http-date/$past_date_encoded/repo.git" >output 2>err &&
+ duration=$(test-tool date getnanos $start) &&
+
-+ # Should complete quickly (less than 2 seconds)
++ # Should complete quickly (no wait for a past-date Retry-After)
+ duration_int=${duration%.*} &&
-+ test "$duration_int" -lt 2 &&
++ test "$duration_int" -lt 5 &&
+ test_grep "refs/heads/" output
+'
+
@@ t/t5584-http-429-retry.sh (new)
+
+ # Should fail quickly (not wait 50 seconds) because env var limits to 10
+ duration_int=${duration%.*} &&
-+ test "$duration_int" -lt 5 &&
++ test "$duration_int" -lt 49 &&
+ test_grep "greater than http.maxRetryTime" err
+'
+
--
gitgitgadget
^ permalink raw reply [flat|nested] 49+ messages in thread
* [PATCH v6 1/3] strbuf: pass correct alloc to strbuf_attach() in strbuf_reencode()
2026-03-17 13:00 ` [PATCH v6 0/3] " Vaidas Pilkauskas via GitGitGadget
@ 2026-03-17 13:00 ` Vaidas Pilkauskas via GitGitGadget
2026-03-17 13:00 ` [PATCH v6 2/3] strbuf_attach: fix call sites to pass correct alloc Vaidas Pilkauskas via GitGitGadget
` (2 subsequent siblings)
3 siblings, 0 replies; 49+ messages in thread
From: Vaidas Pilkauskas via GitGitGadget @ 2026-03-17 13:00 UTC (permalink / raw)
To: git
Cc: Taylor Blau, Jeff King, Junio C Hamano, Vaidas Pilkauskas,
Vaidas Pilkauskas
From: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
reencode_string_len() allocates len+1 bytes (including the NUL) and
returns the string length in len. strbuf_reencode() was calling
strbuf_attach(sb, out, len, len), so alloc was one byte too small.
strbuf_attach() then calls strbuf_grow(sb, 0). With alloc < len+1,
ALLOC_GROW always reallocates, so we reallocated immediately after
attach even when the strbuf was not extended further. Pass len+1 as
the alloc argument so the existing buffer is reused and the
reallocation is avoided.
Signed-off-by: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
---
strbuf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/strbuf.c b/strbuf.c
index 3939863cf3..3e04addc22 100644
--- a/strbuf.c
+++ b/strbuf.c
@@ -168,7 +168,7 @@ int strbuf_reencode(struct strbuf *sb, const char *from, const char *to)
if (!out)
return -1;
- strbuf_attach(sb, out, len, len);
+ strbuf_attach(sb, out, len, len + 1);
return 0;
}
--
gitgitgadget
^ permalink raw reply related [flat|nested] 49+ messages in thread
* [PATCH v6 2/3] strbuf_attach: fix call sites to pass correct alloc
2026-03-17 13:00 ` [PATCH v6 0/3] " Vaidas Pilkauskas via GitGitGadget
2026-03-17 13:00 ` [PATCH v6 1/3] strbuf: pass correct alloc to strbuf_attach() in strbuf_reencode() Vaidas Pilkauskas via GitGitGadget
@ 2026-03-17 13:00 ` Vaidas Pilkauskas via GitGitGadget
2026-03-17 13:00 ` [PATCH v6 3/3] http: add support for HTTP 429 rate limit retries Vaidas Pilkauskas via GitGitGadget
2026-03-21 3:31 ` [PATCH v6 0/3] " Taylor Blau
3 siblings, 0 replies; 49+ messages in thread
From: Vaidas Pilkauskas via GitGitGadget @ 2026-03-17 13:00 UTC (permalink / raw)
To: git
Cc: Taylor Blau, Jeff King, Junio C Hamano, Vaidas Pilkauskas,
Vaidas Pilkauskas
From: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
strbuf_attach(sb, buf, len, alloc) requires alloc > len (the buffer
must have at least len+1 bytes to hold the NUL). Several call sites
passed alloc == len, relying on strbuf_grow(sb, 0) inside strbuf_attach
to reallocate. Fix these in mailinfo, am, refs/files-backend,
fast-import, and trailer by passing len+1 when the buffer is a
NUL-terminated string (or from strbuf_detach).
Signed-off-by: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
---
builtin/am.c | 2 +-
builtin/fast-import.c | 2 +-
mailinfo.c | 2 +-
refs/files-backend.c | 2 +-
trailer.c | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/builtin/am.c b/builtin/am.c
index e0c767e223..c439f868dc 100644
--- a/builtin/am.c
+++ b/builtin/am.c
@@ -1188,7 +1188,7 @@ static void am_append_signoff(struct am_state *state)
{
struct strbuf sb = STRBUF_INIT;
- strbuf_attach(&sb, state->msg, state->msg_len, state->msg_len);
+ strbuf_attach(&sb, state->msg, state->msg_len, state->msg_len + 1);
append_signoff(&sb, 0, 0);
state->msg = strbuf_detach(&sb, &state->msg_len);
}
diff --git a/builtin/fast-import.c b/builtin/fast-import.c
index a41f95191e..6593a71379 100644
--- a/builtin/fast-import.c
+++ b/builtin/fast-import.c
@@ -3250,7 +3250,7 @@ static void cat_blob(struct object_entry *oe, struct object_id *oid)
cat_blob_write("\n", 1);
if (oe && oe->pack_id == pack_id) {
last_blob.offset = oe->idx.offset;
- strbuf_attach(&last_blob.data, buf, size, size);
+ strbuf_attach(&last_blob.data, buf, size, size + 1);
last_blob.depth = oe->depth;
} else
free(buf);
diff --git a/mailinfo.c b/mailinfo.c
index a2f06dbd96..13949ff31e 100644
--- a/mailinfo.c
+++ b/mailinfo.c
@@ -470,7 +470,7 @@ static int convert_to_utf8(struct mailinfo *mi,
return error("cannot convert from %s to %s",
charset, mi->metainfo_charset);
}
- strbuf_attach(line, out, out_len, out_len);
+ strbuf_attach(line, out, out_len, out_len + 1);
return 0;
}
diff --git a/refs/files-backend.c b/refs/files-backend.c
index 7ce0d57478..0537a72b2a 100644
--- a/refs/files-backend.c
+++ b/refs/files-backend.c
@@ -1813,7 +1813,7 @@ static int commit_ref(struct ref_lock *lock)
size_t len = strlen(path);
struct strbuf sb_path = STRBUF_INIT;
- strbuf_attach(&sb_path, path, len, len);
+ strbuf_attach(&sb_path, path, len, len + 1);
/*
* If this fails, commit_lock_file() will also fail
diff --git a/trailer.c b/trailer.c
index 911a81ed99..3afe368db0 100644
--- a/trailer.c
+++ b/trailer.c
@@ -1009,7 +1009,7 @@ static struct trailer_block *trailer_block_get(const struct process_trailer_opti
for (ptr = trailer_lines; *ptr; ptr++) {
if (last && isspace((*ptr)->buf[0])) {
struct strbuf sb = STRBUF_INIT;
- strbuf_attach(&sb, *last, strlen(*last), strlen(*last));
+ strbuf_attach(&sb, *last, strlen(*last), strlen(*last) + 1);
strbuf_addbuf(&sb, *ptr);
*last = strbuf_detach(&sb, NULL);
continue;
--
gitgitgadget
^ permalink raw reply related [flat|nested] 49+ messages in thread
* [PATCH v6 3/3] http: add support for HTTP 429 rate limit retries
2026-03-17 13:00 ` [PATCH v6 0/3] " Vaidas Pilkauskas via GitGitGadget
2026-03-17 13:00 ` [PATCH v6 1/3] strbuf: pass correct alloc to strbuf_attach() in strbuf_reencode() Vaidas Pilkauskas via GitGitGadget
2026-03-17 13:00 ` [PATCH v6 2/3] strbuf_attach: fix call sites to pass correct alloc Vaidas Pilkauskas via GitGitGadget
@ 2026-03-17 13:00 ` Vaidas Pilkauskas via GitGitGadget
2026-03-21 3:30 ` Taylor Blau
2026-03-21 3:31 ` [PATCH v6 0/3] " Taylor Blau
3 siblings, 1 reply; 49+ messages in thread
From: Vaidas Pilkauskas via GitGitGadget @ 2026-03-17 13:00 UTC (permalink / raw)
To: git
Cc: Taylor Blau, Jeff King, Junio C Hamano, Vaidas Pilkauskas,
Vaidas Pilkauskas
From: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
Add retry logic for HTTP 429 (Too Many Requests) responses to handle
server-side rate limiting gracefully. When Git's HTTP client receives
a 429 response, it can now automatically retry the request after an
appropriate delay, respecting the server's rate limits.
The implementation supports the RFC-compliant Retry-After header in
both delay-seconds (integer) and HTTP-date (RFC 2822) formats. If a
past date is provided, Git retries immediately without waiting.
Retry behavior is controlled by three new configuration options
(http.maxRetries, http.retryAfter, and http.maxRetryTime) which are
documented in git-config(1).
The retry logic implements a fail-fast approach: if any delay
(whether from server header or configuration) exceeds maxRetryTime,
Git fails immediately with a clear error message rather than capping
the delay. This provides better visibility into rate limiting issues.
The implementation includes extensive test coverage for basic retry
behavior, Retry-After header formats (integer and HTTP-date),
configuration combinations, maxRetryTime limits, invalid header
handling, environment variable overrides, and edge cases.
Signed-off-by: Vaidas Pilkauskas <vaidas.pilkauskas@shopify.com>
---
Documentation/config/http.adoc | 26 ++++
git-curl-compat.h | 8 +
http.c | 144 +++++++++++++++---
http.h | 9 ++
remote-curl.c | 11 ++
t/lib-httpd.sh | 1 +
t/lib-httpd/apache.conf | 8 +
t/lib-httpd/http-429.sh | 98 ++++++++++++
t/meson.build | 1 +
t/t5584-http-429-retry.sh | 266 +++++++++++++++++++++++++++++++++
10 files changed, 551 insertions(+), 21 deletions(-)
create mode 100644 t/lib-httpd/http-429.sh
create mode 100755 t/t5584-http-429-retry.sh
diff --git a/Documentation/config/http.adoc b/Documentation/config/http.adoc
index 9da5c298cc..849c89f36c 100644
--- a/Documentation/config/http.adoc
+++ b/Documentation/config/http.adoc
@@ -315,6 +315,32 @@ http.keepAliveCount::
unset, curl's default value is used. Can be overridden by the
`GIT_HTTP_KEEPALIVE_COUNT` environment variable.
+http.retryAfter::
+ Default wait time in seconds before retrying when a server returns
+ HTTP 429 (Too Many Requests) without a Retry-After header.
+ Defaults to 0 (retry immediately). When a Retry-After header is
+ present, its value takes precedence over this setting; however,
+ automatic use of the server-provided `Retry-After` header requires
+ libcurl 7.66.0 or later. On older versions, configure this setting
+ manually to control the retry delay. Can be overridden by the
+ `GIT_HTTP_RETRY_AFTER` environment variable.
+ See also `http.maxRetries` and `http.maxRetryTime`.
+
+http.maxRetries::
+ Maximum number of times to retry after receiving HTTP 429 (Too Many
+ Requests) responses. Set to 0 (the default) to disable retries.
+ Can be overridden by the `GIT_HTTP_MAX_RETRIES` environment variable.
+ See also `http.retryAfter` and `http.maxRetryTime`.
+
+http.maxRetryTime::
+ Maximum time in seconds to wait for a single retry attempt when
+ handling HTTP 429 (Too Many Requests) responses. If the server
+ requests a delay (via Retry-After header) or if `http.retryAfter`
+ is configured with a value that exceeds this maximum, Git will fail
+ immediately rather than waiting. Default is 300 seconds (5 minutes).
+ Can be overridden by the `GIT_HTTP_MAX_RETRY_TIME` environment
+ variable. See also `http.retryAfter` and `http.maxRetries`.
+
http.noEPSV::
A boolean which disables using of EPSV ftp command by curl.
This can be helpful with some "poor" ftp servers which don't
diff --git a/git-curl-compat.h b/git-curl-compat.h
index 659e5a3875..dccdd4d6e5 100644
--- a/git-curl-compat.h
+++ b/git-curl-compat.h
@@ -37,6 +37,14 @@
#define GIT_CURL_NEED_TRANSFER_ENCODING_HEADER
#endif
+/**
+ * CURLINFO_RETRY_AFTER was added in 7.66.0, released in September 2019.
+ * It allows curl to automatically parse Retry-After headers.
+ */
+#if LIBCURL_VERSION_NUM >= 0x074200
+#define GIT_CURL_HAVE_CURLINFO_RETRY_AFTER 1
+#endif
+
/**
* CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR were added in 7.85.0,
* released in August 2022.
diff --git a/http.c b/http.c
index 8ea1b9d1f6..d8d016891b 100644
--- a/http.c
+++ b/http.c
@@ -22,6 +22,8 @@
#include "object-file.h"
#include "odb.h"
#include "tempfile.h"
+#include "date.h"
+#include "trace2.h"
static struct trace_key trace_curl = TRACE_KEY_INIT(CURL);
static int trace_curl_data = 1;
@@ -149,6 +151,11 @@ static char *cached_accept_language;
static char *http_ssl_backend;
static int http_schannel_check_revoke = 1;
+
+static long http_retry_after = 0;
+static long http_max_retries = 0;
+static long http_max_retry_time = 300;
+
/*
* With the backend being set to `schannel`, setting sslCAinfo would override
* the Certificate Store in cURL v7.60.0 and later, which is not what we want
@@ -209,7 +216,7 @@ static inline int is_hdr_continuation(const char *ptr, const size_t size)
return size && (*ptr == ' ' || *ptr == '\t');
}
-static size_t fwrite_wwwauth(char *ptr, size_t eltsize, size_t nmemb, void *p UNUSED)
+static size_t fwrite_wwwauth(char *ptr, size_t eltsize, size_t nmemb, void *p MAYBE_UNUSED)
{
size_t size = eltsize * nmemb;
struct strvec *values = &http_auth.wwwauth_headers;
@@ -575,6 +582,21 @@ static int http_options(const char *var, const char *value,
return 0;
}
+ if (!strcmp("http.retryafter", var)) {
+ http_retry_after = git_config_int(var, value, ctx->kvi);
+ return 0;
+ }
+
+ if (!strcmp("http.maxretries", var)) {
+ http_max_retries = git_config_int(var, value, ctx->kvi);
+ return 0;
+ }
+
+ if (!strcmp("http.maxretrytime", var)) {
+ http_max_retry_time = git_config_int(var, value, ctx->kvi);
+ return 0;
+ }
+
/* Fall back on the default ones */
return git_default_config(var, value, ctx, data);
}
@@ -1422,6 +1444,10 @@ void http_init(struct remote *remote, const char *url, int proactive_auth)
set_long_from_env(&curl_tcp_keepintvl, "GIT_TCP_KEEPINTVL");
set_long_from_env(&curl_tcp_keepcnt, "GIT_TCP_KEEPCNT");
+ set_long_from_env(&http_retry_after, "GIT_HTTP_RETRY_AFTER");
+ set_long_from_env(&http_max_retries, "GIT_HTTP_MAX_RETRIES");
+ set_long_from_env(&http_max_retry_time, "GIT_HTTP_MAX_RETRY_TIME");
+
curl_default = get_curl_handle();
}
@@ -1871,6 +1897,10 @@ static int handle_curl_result(struct slot_results *results)
}
return HTTP_REAUTH;
}
+ } else if (results->http_code == 429) {
+ trace2_data_intmax("http", the_repository, "http/429-retry-after",
+ results->retry_after);
+ return HTTP_RATE_LIMITED;
} else {
if (results->http_connectcode == 407)
credential_reject(the_repository, &proxy_auth);
@@ -1886,6 +1916,7 @@ int run_one_slot(struct active_request_slot *slot,
struct slot_results *results)
{
slot->results = results;
+
if (!start_active_slot(slot)) {
xsnprintf(curl_errorstr, sizeof(curl_errorstr),
"failed to start HTTP request");
@@ -2119,10 +2150,10 @@ static void http_opt_request_remainder(CURL *curl, off_t pos)
static int http_request(const char *url,
void *result, int target,
- const struct http_get_options *options)
+ struct http_get_options *options)
{
struct active_request_slot *slot;
- struct slot_results results;
+ struct slot_results results = { .retry_after = -1 };
struct curl_slist *headers = http_copy_default_headers();
struct strbuf buf = STRBUF_INIT;
const char *accept_language;
@@ -2156,22 +2187,19 @@ static int http_request(const char *url,
headers = curl_slist_append(headers, accept_language);
strbuf_addstr(&buf, "Pragma:");
- if (options && options->no_cache)
+ if (options->no_cache)
strbuf_addstr(&buf, " no-cache");
- if (options && options->initial_request &&
+ if (options->initial_request &&
http_follow_config == HTTP_FOLLOW_INITIAL)
curl_easy_setopt(slot->curl, CURLOPT_FOLLOWLOCATION, 1L);
headers = curl_slist_append(headers, buf.buf);
/* Add additional headers here */
- if (options && options->extra_headers) {
+ if (options->extra_headers) {
const struct string_list_item *item;
- if (options && options->extra_headers) {
- for_each_string_list_item(item, options->extra_headers) {
- headers = curl_slist_append(headers, item->string);
- }
- }
+ for_each_string_list_item(item, options->extra_headers)
+ headers = curl_slist_append(headers, item->string);
}
headers = http_append_auth_header(&http_auth, headers);
@@ -2183,7 +2211,18 @@ static int http_request(const char *url,
ret = run_one_slot(slot, &results);
- if (options && options->content_type) {
+#ifdef GIT_CURL_HAVE_CURLINFO_RETRY_AFTER
+ if (ret == HTTP_RATE_LIMITED) {
+ curl_off_t retry_after;
+ if (curl_easy_getinfo(slot->curl, CURLINFO_RETRY_AFTER,
+ &retry_after) == CURLE_OK && retry_after > 0)
+ results.retry_after = (long)retry_after;
+ }
+#endif
+
+ options->retry_after = results.retry_after;
+
+ if (options->content_type) {
struct strbuf raw = STRBUF_INIT;
curlinfo_strbuf(slot->curl, CURLINFO_CONTENT_TYPE, &raw);
extract_content_type(&raw, options->content_type,
@@ -2191,7 +2230,7 @@ static int http_request(const char *url,
strbuf_release(&raw);
}
- if (options && options->effective_url)
+ if (options->effective_url)
curlinfo_strbuf(slot->curl, CURLINFO_EFFECTIVE_URL,
options->effective_url);
@@ -2253,22 +2292,66 @@ static int update_url_from_redirect(struct strbuf *base,
return 1;
}
-static int http_request_reauth(const char *url,
+/*
+ * Compute the retry delay for an HTTP 429 response.
+ * Returns a negative value if configuration is invalid (delay exceeds
+ * http.maxRetryTime), otherwise returns the delay in seconds (>= 0).
+ */
+static long handle_rate_limit_retry(long slot_retry_after)
+{
+ /* Use the slot-specific retry_after value or configured default */
+ if (slot_retry_after >= 0) {
+ /* Check if retry delay exceeds maximum allowed */
+ if (slot_retry_after > http_max_retry_time) {
+ error(_("response requested a delay greater than http.maxRetryTime (%ld > %ld seconds)"),
+ slot_retry_after, http_max_retry_time);
+ trace2_data_string("http", the_repository,
+ "http/429-error", "exceeds-max-retry-time");
+ trace2_data_intmax("http", the_repository,
+ "http/429-requested-delay", slot_retry_after);
+ return -1;
+ }
+ return slot_retry_after;
+ } else {
+ /* No Retry-After header provided, use configured default */
+ if (http_retry_after > http_max_retry_time) {
+ error(_("configured http.retryAfter exceeds http.maxRetryTime (%ld > %ld seconds)"),
+ http_retry_after, http_max_retry_time);
+ trace2_data_string("http", the_repository,
+ "http/429-error", "config-exceeds-max-retry-time");
+ return -1;
+ }
+ trace2_data_string("http", the_repository,
+ "http/429-retry-source", "config-default");
+ return http_retry_after;
+ }
+}
+
+static int http_request_recoverable(const char *url,
void *result, int target,
struct http_get_options *options)
{
+ static struct http_get_options empty_opts;
int i = 3;
int ret;
+ int rate_limit_retries = http_max_retries;
+
+ if (!options)
+ options = &empty_opts;
if (always_auth_proactively())
credential_fill(the_repository, &http_auth, 1);
ret = http_request(url, result, target, options);
- if (ret != HTTP_OK && ret != HTTP_REAUTH)
+ if (ret != HTTP_OK && ret != HTTP_REAUTH && ret != HTTP_RATE_LIMITED)
return ret;
- if (options && options->effective_url && options->base_url) {
+ /* If retries are disabled and we got a 429, fail immediately */
+ if (ret == HTTP_RATE_LIMITED && !http_max_retries)
+ return HTTP_ERROR;
+
+ if (options->effective_url && options->base_url) {
if (update_url_from_redirect(options->base_url,
url, options->effective_url)) {
credential_from_url(&http_auth, options->base_url->buf);
@@ -2276,7 +2359,9 @@ static int http_request_reauth(const char *url,
}
}
- while (ret == HTTP_REAUTH && --i) {
+ while ((ret == HTTP_REAUTH && --i) ||
+ (ret == HTTP_RATE_LIMITED && --rate_limit_retries)) {
+ long retry_delay = -1;
/*
* The previous request may have put cruft into our output stream; we
* should clear it out before making our next request.
@@ -2301,11 +2386,28 @@ static int http_request_reauth(const char *url,
default:
BUG("Unknown http_request target");
}
-
- credential_fill(the_repository, &http_auth, 1);
+ if (ret == HTTP_RATE_LIMITED) {
+ retry_delay = handle_rate_limit_retry(options->retry_after);
+ if (retry_delay < 0)
+ return HTTP_ERROR;
+
+ if (retry_delay > 0) {
+ warning(_("rate limited, waiting %ld seconds before retry"), retry_delay);
+ trace2_data_intmax("http", the_repository,
+ "http/retry-sleep-seconds", retry_delay);
+ sleep(retry_delay);
+ }
+ } else if (ret == HTTP_REAUTH) {
+ credential_fill(the_repository, &http_auth, 1);
+ }
ret = http_request(url, result, target, options);
}
+ if (ret == HTTP_RATE_LIMITED) {
+ trace2_data_string("http", the_repository,
+ "http/429-error", "retries-exhausted");
+ return HTTP_RATE_LIMITED;
+ }
return ret;
}
@@ -2313,7 +2415,7 @@ int http_get_strbuf(const char *url,
struct strbuf *result,
struct http_get_options *options)
{
- return http_request_reauth(url, result, HTTP_REQUEST_STRBUF, options);
+ return http_request_recoverable(url, result, HTTP_REQUEST_STRBUF, options);
}
/*
@@ -2337,7 +2439,7 @@ int http_get_file(const char *url, const char *filename,
goto cleanup;
}
- ret = http_request_reauth(url, result, HTTP_REQUEST_FILE, options);
+ ret = http_request_recoverable(url, result, HTTP_REQUEST_FILE, options);
fclose(result);
if (ret == HTTP_OK && finalize_object_file(the_repository, tmpfile.buf, filename))
diff --git a/http.h b/http.h
index f9d4593404..f9ee888c3e 100644
--- a/http.h
+++ b/http.h
@@ -20,6 +20,7 @@ struct slot_results {
long http_code;
long auth_avail;
long http_connectcode;
+ long retry_after;
};
struct active_request_slot {
@@ -157,6 +158,13 @@ struct http_get_options {
* request has completed.
*/
struct string_list *extra_headers;
+
+ /*
+ * After a request completes, contains the Retry-After delay in seconds
+ * if the server returned HTTP 429 with a Retry-After header (requires
+ * libcurl 7.66.0 or later), or -1 if no such header was present.
+ */
+ long retry_after;
};
/* Return values for http_get_*() */
@@ -167,6 +175,7 @@ struct http_get_options {
#define HTTP_REAUTH 4
#define HTTP_NOAUTH 5
#define HTTP_NOMATCHPUBLICKEY 6
+#define HTTP_RATE_LIMITED 7
/*
* Requests a URL and stores the result in a strbuf.
diff --git a/remote-curl.c b/remote-curl.c
index 92e40bb682..57a3e9db62 100644
--- a/remote-curl.c
+++ b/remote-curl.c
@@ -529,6 +529,17 @@ static struct discovery *discover_refs(const char *service, int for_push)
show_http_message(&type, &charset, &buffer);
die(_("unable to access '%s' with http.pinnedPubkey configuration: %s"),
transport_anonymize_url(url.buf), curl_errorstr);
+ case HTTP_RATE_LIMITED:
+ if (http_options.retry_after > 0) {
+ show_http_message(&type, &charset, &buffer);
+ die(_("rate limited by '%s', please try again in %ld seconds"),
+ transport_anonymize_url(url.buf),
+ http_options.retry_after);
+ } else {
+ show_http_message(&type, &charset, &buffer);
+ die(_("rate limited by '%s', please try again later"),
+ transport_anonymize_url(url.buf));
+ }
default:
show_http_message(&type, &charset, &buffer);
die(_("unable to access '%s': %s"),
diff --git a/t/lib-httpd.sh b/t/lib-httpd.sh
index 5f42c311c2..4c76e813e3 100644
--- a/t/lib-httpd.sh
+++ b/t/lib-httpd.sh
@@ -167,6 +167,7 @@ prepare_httpd() {
install_script error.sh
install_script apply-one-time-script.sh
install_script nph-custom-auth.sh
+ install_script http-429.sh
ln -s "$LIB_HTTPD_MODULE_PATH" "$HTTPD_ROOT_PATH/modules"
diff --git a/t/lib-httpd/apache.conf b/t/lib-httpd/apache.conf
index 6b8c50a51a..40a690b0bb 100644
--- a/t/lib-httpd/apache.conf
+++ b/t/lib-httpd/apache.conf
@@ -139,6 +139,10 @@ SetEnv PERL_PATH ${PERL_PATH}
SetEnv GIT_EXEC_PATH ${GIT_EXEC_PATH}
SetEnv GIT_HTTP_EXPORT_ALL
</LocationMatch>
+<LocationMatch /http_429/>
+ SetEnv GIT_EXEC_PATH ${GIT_EXEC_PATH}
+ SetEnv GIT_HTTP_EXPORT_ALL
+</LocationMatch>
<LocationMatch /smart_v0/>
SetEnv GIT_EXEC_PATH ${GIT_EXEC_PATH}
SetEnv GIT_HTTP_EXPORT_ALL
@@ -160,6 +164,7 @@ ScriptAlias /broken_smart/ broken-smart-http.sh/
ScriptAlias /error_smart/ error-smart-http.sh/
ScriptAlias /error/ error.sh/
ScriptAliasMatch /one_time_script/(.*) apply-one-time-script.sh/$1
+ScriptAliasMatch /http_429/(.*) http-429.sh/$1
ScriptAliasMatch /custom_auth/(.*) nph-custom-auth.sh/$1
<Directory ${GIT_EXEC_PATH}>
Options FollowSymlinks
@@ -185,6 +190,9 @@ ScriptAliasMatch /custom_auth/(.*) nph-custom-auth.sh/$1
<Files apply-one-time-script.sh>
Options ExecCGI
</Files>
+<Files http-429.sh>
+ Options ExecCGI
+</Files>
<Files ${GIT_EXEC_PATH}/git-http-backend>
Options ExecCGI
</Files>
diff --git a/t/lib-httpd/http-429.sh b/t/lib-httpd/http-429.sh
new file mode 100644
index 0000000000..c97b16145b
--- /dev/null
+++ b/t/lib-httpd/http-429.sh
@@ -0,0 +1,98 @@
+#!/bin/sh
+
+# Script to return HTTP 429 Too Many Requests responses for testing retry logic.
+# Usage: /http_429/<test-context>/<retry-after-value>/<repo-path>
+#
+# The test-context is a unique identifier for each test to isolate state files.
+# The retry-after-value can be:
+# - A number (e.g., "1", "2", "100") - sets Retry-After header to that many seconds
+# - "none" - no Retry-After header
+# - "invalid" - invalid Retry-After format
+# - "permanent" - always return 429 (never succeed)
+# - An HTTP-date string (RFC 2822 format) - sets Retry-After to that date
+#
+# On first call, returns 429. On subsequent calls (after retry), forwards to git-http-backend
+# unless retry-after-value is "permanent".
+
+# Extract test context, retry-after value and repo path from PATH_INFO
+# PATH_INFO format: /<test-context>/<retry-after-value>/<repo-path>
+path_info="${PATH_INFO#/}" # Remove leading slash
+test_context="${path_info%%/*}" # Get first component (test context)
+remaining="${path_info#*/}" # Get rest
+retry_after="${remaining%%/*}" # Get second component (retry-after value)
+repo_path="${remaining#*/}" # Get rest (repo path)
+
+# Extract repository name from repo_path (e.g., "repo.git" from "repo.git/info/refs")
+# The repo name is the first component before any "/"
+repo_name="${repo_path%%/*}"
+
+# Use current directory (HTTPD_ROOT_PATH) for state file
+# Create a safe filename from test_context, retry_after and repo_name
+# This ensures all requests for the same test context share the same state file
+safe_name=$(echo "${test_context}-${retry_after}-${repo_name}" | tr '/' '_' | tr -cd 'a-zA-Z0-9_-')
+state_file="http-429-state-${safe_name}"
+
+# Check if this is the first call (no state file exists)
+if test -f "$state_file"
+then
+ # Already returned 429 once, forward to git-http-backend
+ # Set PATH_INFO to just the repo path (without retry-after value)
+ # Set GIT_PROJECT_ROOT so git-http-backend can find the repository
+ # Use exec to replace this process so git-http-backend gets the updated environment
+ PATH_INFO="/$repo_path"
+ export PATH_INFO
+ # GIT_PROJECT_ROOT points to the document root where repositories are stored
+ # The script runs from HTTPD_ROOT_PATH, and www/ is the document root
+ if test -z "$GIT_PROJECT_ROOT"
+ then
+ # Construct path: current directory (HTTPD_ROOT_PATH) + /www
+ GIT_PROJECT_ROOT="$(pwd)/www"
+ export GIT_PROJECT_ROOT
+ fi
+ exec "$GIT_EXEC_PATH/git-http-backend"
+fi
+
+# Mark that we've returned 429
+touch "$state_file"
+
+# Output HTTP 429 response
+printf "Status: 429 Too Many Requests\r\n"
+
+# Set Retry-After header based on retry_after value
+case "$retry_after" in
+ none)
+ # No Retry-After header
+ ;;
+ invalid)
+ printf "Retry-After: invalid-format-123abc\r\n"
+ ;;
+ permanent)
+ # Always return 429, don't set state file for success
+ rm -f "$state_file"
+ printf "Retry-After: 1\r\n"
+ printf "Content-Type: text/plain\r\n"
+ printf "\r\n"
+ printf "Permanently rate limited\n"
+ exit 0
+ ;;
+ *)
+ # Check if it's a number
+ case "$retry_after" in
+ [0-9]*)
+ # Numeric value
+ printf "Retry-After: %s\r\n" "$retry_after"
+ ;;
+ *)
+ # Assume it's an HTTP-date format (passed as-is, URL decoded)
+ # Apache may URL-encode the path, so decode common URL-encoded characters
+ # %20 = space, %2C = comma, %3A = colon
+ retry_value=$(echo "$retry_after" | sed -e 's/%20/ /g' -e 's/%2C/,/g' -e 's/%3A/:/g')
+ printf "Retry-After: %s\r\n" "$retry_value"
+ ;;
+ esac
+ ;;
+esac
+
+printf "Content-Type: text/plain\r\n"
+printf "\r\n"
+printf "Rate limited\n"
diff --git a/t/meson.build b/t/meson.build
index 9b2fa4dee8..cba123af81 100644
--- a/t/meson.build
+++ b/t/meson.build
@@ -709,6 +709,7 @@ integration_tests = [
't5581-http-curl-verbose.sh',
't5582-fetch-negative-refspec.sh',
't5583-push-branches.sh',
+ 't5584-http-429-retry.sh',
't5600-clone-fail-cleanup.sh',
't5601-clone.sh',
't5602-clone-remote-exec.sh',
diff --git a/t/t5584-http-429-retry.sh b/t/t5584-http-429-retry.sh
new file mode 100755
index 0000000000..a22007b2cf
--- /dev/null
+++ b/t/t5584-http-429-retry.sh
@@ -0,0 +1,266 @@
+#!/bin/sh
+
+test_description='test HTTP 429 Too Many Requests retry logic'
+
+. ./test-lib.sh
+
+. "$TEST_DIRECTORY"/lib-httpd.sh
+
+start_httpd
+
+test_expect_success 'setup test repository' '
+ test_commit initial &&
+ git clone --bare . "$HTTPD_DOCUMENT_ROOT_PATH/repo.git" &&
+ git --git-dir="$HTTPD_DOCUMENT_ROOT_PATH/repo.git" config http.receivepack true
+'
+
+# This test suite uses a special HTTP 429 endpoint at /http_429/ that simulates
+# rate limiting. The endpoint format is:
+# /http_429/<test-context>/<retry-after-value>/<repo-path>
+# The http-429.sh script (in t/lib-httpd) returns a 429 response with the
+# specified Retry-After header on the first request for each test context,
+# then forwards subsequent requests to git-http-backend. Each test context
+# is isolated, allowing multiple tests to run independently.
+
+test_expect_success 'HTTP 429 with retries disabled (maxRetries=0) fails immediately' '
+ # Set maxRetries to 0 (disabled)
+ test_config http.maxRetries 0 &&
+ test_config http.retryAfter 1 &&
+
+ # Should fail immediately without any retry attempt
+ test_must_fail git ls-remote "$HTTPD_URL/http_429/retries-disabled/1/repo.git" 2>err &&
+
+ # Verify no retry happened (no "waiting" message in stderr)
+ test_grep ! -i "waiting.*retry" err
+'
+
+test_expect_success 'HTTP 429 permanent should fail after max retries' '
+ # Enable retries with a limit
+ test_config http.maxRetries 2 &&
+
+ # Git should retry but eventually fail when 429 persists
+ test_must_fail git ls-remote "$HTTPD_URL/http_429/permanent-fail/permanent/repo.git" 2>err
+'
+
+test_expect_success 'HTTP 429 with Retry-After is retried and succeeds' '
+ # Enable retries
+ test_config http.maxRetries 3 &&
+
+ # Git should retry after receiving 429 and eventually succeed
+ git ls-remote "$HTTPD_URL/http_429/retry-succeeds/1/repo.git" >output 2>err &&
+ test_grep "refs/heads/" output
+'
+
+test_expect_success 'HTTP 429 without Retry-After uses configured default' '
+ # Enable retries and configure default delay
+ test_config http.maxRetries 3 &&
+ test_config http.retryAfter 1 &&
+
+ # Git should retry using configured default and succeed
+ git ls-remote "$HTTPD_URL/http_429/no-retry-after-header/none/repo.git" >output 2>err &&
+ test_grep "refs/heads/" output
+'
+
+test_expect_success 'HTTP 429 retry delays are respected' '
+ # Enable retries
+ test_config http.maxRetries 3 &&
+
+ # Time the operation - it should take at least 2 seconds due to retry delay
+ start=$(test-tool date getnanos) &&
+ git ls-remote "$HTTPD_URL/http_429/retry-delays-respected/2/repo.git" >output 2>err &&
+ duration=$(test-tool date getnanos $start) &&
+
+ # Verify it took at least 2 seconds (allowing some tolerance)
+ duration_int=${duration%.*} &&
+ test "$duration_int" -ge 1 &&
+ test_grep "refs/heads/" output
+'
+
+test_expect_success 'HTTP 429 fails immediately if Retry-After exceeds http.maxRetryTime' '
+ # Configure max retry time to 3 seconds (much less than requested 100)
+ test_config http.maxRetries 3 &&
+ test_config http.maxRetryTime 3 &&
+
+ # Should fail immediately without waiting
+ start=$(test-tool date getnanos) &&
+ test_must_fail git ls-remote "$HTTPD_URL/http_429/retry-after-exceeds-max-time/100/repo.git" 2>err &&
+ duration=$(test-tool date getnanos $start) &&
+
+ # Should fail quickly (no 100 second wait)
+ duration_int=${duration%.*} &&
+ test "$duration_int" -lt 99 &&
+ test_grep "greater than http.maxRetryTime" err
+'
+
+test_expect_success 'HTTP 429 fails if configured http.retryAfter exceeds http.maxRetryTime' '
+ # Test misconfiguration: retryAfter > maxRetryTime
+ # Configure retryAfter larger than maxRetryTime
+ test_config http.maxRetries 3 &&
+ test_config http.retryAfter 100 &&
+ test_config http.maxRetryTime 5 &&
+
+ # Should fail immediately with configuration error
+ start=$(test-tool date getnanos) &&
+ test_must_fail git ls-remote "$HTTPD_URL/http_429/config-retry-after-exceeds-max-time/none/repo.git" 2>err &&
+ duration=$(test-tool date getnanos $start) &&
+
+ # Should fail quickly (no 100 second wait)
+ duration_int=${duration%.*} &&
+ test "$duration_int" -lt 99 &&
+ test_grep "configured http.retryAfter.*exceeds.*http.maxRetryTime" err
+'
+
+test_expect_success 'HTTP 429 with Retry-After HTTP-date format' '
+ # Test HTTP-date format (RFC 2822) in Retry-After header
+ raw=$(test-tool date timestamp now) &&
+ now="${raw#* -> }" &&
+ future_time=$((now + 2)) &&
+ raw=$(test-tool date show:rfc2822 $future_time) &&
+ future_date="${raw#* -> }" &&
+ future_date_encoded=$(echo "$future_date" | sed "s/ /%20/g") &&
+
+ # Enable retries
+ test_config http.maxRetries 3 &&
+
+ # Git should parse the HTTP-date and retry after the delay
+ start=$(test-tool date getnanos) &&
+ git ls-remote "$HTTPD_URL/http_429/http-date-format/$future_date_encoded/repo.git" >output 2>err &&
+ duration=$(test-tool date getnanos $start) &&
+
+ # Should take at least 1 second (allowing tolerance for processing time)
+ duration_int=${duration%.*} &&
+ test "$duration_int" -ge 1 &&
+ test_grep "refs/heads/" output
+'
+
+test_expect_success 'HTTP 429 with HTTP-date exceeding maxRetryTime fails immediately' '
+ raw=$(test-tool date timestamp now) &&
+ now="${raw#* -> }" &&
+ future_time=$((now + 200)) &&
+ raw=$(test-tool date show:rfc2822 $future_time) &&
+ future_date="${raw#* -> }" &&
+ future_date_encoded=$(echo "$future_date" | sed "s/ /%20/g") &&
+
+ # Configure max retry time much less than the 200 second delay
+ test_config http.maxRetries 3 &&
+ test_config http.maxRetryTime 10 &&
+
+ # Should fail immediately without waiting 200 seconds
+ start=$(test-tool date getnanos) &&
+ test_must_fail git ls-remote "$HTTPD_URL/http_429/http-date-exceeds-max-time/$future_date_encoded/repo.git" 2>err &&
+ duration=$(test-tool date getnanos $start) &&
+
+ # Should fail quickly (not wait 200 seconds)
+ duration_int=${duration%.*} &&
+ test "$duration_int" -lt 199 &&
+ test_grep "http.maxRetryTime" err
+'
+
+test_expect_success 'HTTP 429 with past HTTP-date should not wait' '
+ raw=$(test-tool date timestamp now) &&
+ now="${raw#* -> }" &&
+ past_time=$((now - 10)) &&
+ raw=$(test-tool date show:rfc2822 $past_time) &&
+ past_date="${raw#* -> }" &&
+ past_date_encoded=$(echo "$past_date" | sed "s/ /%20/g") &&
+
+ # Enable retries
+ test_config http.maxRetries 3 &&
+
+ # Git should retry immediately without waiting
+ start=$(test-tool date getnanos) &&
+ git ls-remote "$HTTPD_URL/http_429/past-http-date/$past_date_encoded/repo.git" >output 2>err &&
+ duration=$(test-tool date getnanos $start) &&
+
+ # Should complete quickly (no wait for a past-date Retry-After)
+ duration_int=${duration%.*} &&
+ test "$duration_int" -lt 5 &&
+ test_grep "refs/heads/" output
+'
+
+test_expect_success 'HTTP 429 with invalid Retry-After format uses configured default' '
+ # Configure default retry-after
+ test_config http.maxRetries 3 &&
+ test_config http.retryAfter 1 &&
+
+ # Should use configured default (1 second) since header is invalid
+ start=$(test-tool date getnanos) &&
+ git ls-remote "$HTTPD_URL/http_429/invalid-retry-after-format/invalid/repo.git" >output 2>err &&
+ duration=$(test-tool date getnanos $start) &&
+
+ # Should take at least 1 second (the configured default)
+ duration_int=${duration%.*} &&
+ test "$duration_int" -ge 1 &&
+ test_grep "refs/heads/" output &&
+ test_grep "waiting.*retry" err
+'
+
+test_expect_success 'HTTP 429 will not be retried without config' '
+ # Default config means http.maxRetries=0 (retries disabled)
+ # When 429 is received, it should fail immediately without retry
+ # Do NOT configure anything - use defaults (http.maxRetries defaults to 0)
+
+ # Should fail immediately without retry
+ test_must_fail git ls-remote "$HTTPD_URL/http_429/no-retry-without-config/1/repo.git" 2>err &&
+
+ # Verify no retry happened (no "waiting" message)
+ test_grep ! -i "waiting.*retry" err &&
+
+ # Should get 429 error
+ test_grep "429" err
+'
+
+test_expect_success 'GIT_HTTP_RETRY_AFTER overrides http.retryAfter config' '
+ # Configure retryAfter to 10 seconds
+ test_config http.maxRetries 3 &&
+ test_config http.retryAfter 10 &&
+
+ # Override with environment variable to 1 second
+ start=$(test-tool date getnanos) &&
+ GIT_HTTP_RETRY_AFTER=1 git ls-remote "$HTTPD_URL/http_429/env-retry-after-override/none/repo.git" >output 2>err &&
+ duration=$(test-tool date getnanos $start) &&
+
+ # Should use env var (1 second), not config (10 seconds)
+ duration_int=${duration%.*} &&
+ test "$duration_int" -ge 1 &&
+ test "$duration_int" -lt 5 &&
+ test_grep "refs/heads/" output &&
+ test_grep "waiting.*retry" err
+'
+
+test_expect_success 'GIT_HTTP_MAX_RETRIES overrides http.maxRetries config' '
+ # Configure maxRetries to 0 (disabled)
+ test_config http.maxRetries 0 &&
+ test_config http.retryAfter 1 &&
+
+ # Override with environment variable to enable retries
+ GIT_HTTP_MAX_RETRIES=3 git ls-remote "$HTTPD_URL/http_429/env-max-retries-override/1/repo.git" >output 2>err &&
+
+ # Should retry (env var enables it despite config saying disabled)
+ test_grep "refs/heads/" output &&
+ test_grep "waiting.*retry" err
+'
+
+test_expect_success 'GIT_HTTP_MAX_RETRY_TIME overrides http.maxRetryTime config' '
+ # Configure maxRetryTime to 100 seconds (would accept 50 second delay)
+ test_config http.maxRetries 3 &&
+ test_config http.maxRetryTime 100 &&
+
+ # Override with environment variable to 10 seconds (should reject 50 second delay)
+ start=$(test-tool date getnanos) &&
+ test_must_fail env GIT_HTTP_MAX_RETRY_TIME=10 \
+ git ls-remote "$HTTPD_URL/http_429/env-max-retry-time-override/50/repo.git" 2>err &&
+ duration=$(test-tool date getnanos $start) &&
+
+ # Should fail quickly (not wait 50 seconds) because env var limits to 10
+ duration_int=${duration%.*} &&
+ test "$duration_int" -lt 49 &&
+ test_grep "greater than http.maxRetryTime" err
+'
+
+test_expect_success 'verify normal repository access still works' '
+ git ls-remote "$HTTPD_URL/smart/repo.git" >output &&
+ test_grep "refs/heads/" output
+'
+
+test_done
--
gitgitgadget
^ permalink raw reply related [flat|nested] 49+ messages in thread
* Re: [PATCH v6 3/3] http: add support for HTTP 429 rate limit retries
2026-03-17 13:00 ` [PATCH v6 3/3] http: add support for HTTP 429 rate limit retries Vaidas Pilkauskas via GitGitGadget
@ 2026-03-21 3:30 ` Taylor Blau
0 siblings, 0 replies; 49+ messages in thread
From: Taylor Blau @ 2026-03-21 3:30 UTC (permalink / raw)
To: Vaidas Pilkauskas via GitGitGadget
Cc: git, Jeff King, Junio C Hamano, Vaidas Pilkauskas
On Tue, Mar 17, 2026 at 01:00:35PM +0000, Vaidas Pilkauskas via GitGitGadget wrote:
> return size && (*ptr == ' ' || *ptr == '\t');
> }
>
> -static size_t fwrite_wwwauth(char *ptr, size_t eltsize, size_t nmemb, void *p UNUSED)
> +static size_t fwrite_wwwauth(char *ptr, size_t eltsize, size_t nmemb, void *p MAYBE_UNUSED)
> {
> size_t size = eltsize * nmemb;
> struct strvec *values = &http_auth.wwwauth_headers;
> @@ -575,6 +582,21 @@ static int http_options(const char *var, const char *value,
Good, this version drops the special case where we do not define
GIT_CURL_HAVE_CURLINFO_RETRY_AFTER, which Peff suggested in his review
of the earlier round.
I agree with his suggestion that we can document that handling
Retry-After requires a libcurl newer than 7.66.0, and that is well
documented in the user-facing documentation and code comments where
appropriate.
> @@ -2119,10 +2150,10 @@ static void http_opt_request_remainder(CURL *curl, off_t pos)
>
> static int http_request(const char *url,
> void *result, int target,
> - const struct http_get_options *options)
> + struct http_get_options *options)
The previous round had this as a const pointer, with a separate
out-parameter via 'long *retry_after_out'. Review on the previous round
suggested making the retry_after part of the existing out-parameter. Of
course, doing so requires that we make that parameter non-const, hence
the change here, which looks good to me.
> {
> struct active_request_slot *slot;
> - struct slot_results results;
> + struct slot_results results = { .retry_after = -1 };
This also moved from run_one_slot(); this location makes more sense to
me.
> diff --git a/http.h b/http.h
> index f9d4593404..f9ee888c3e 100644
> --- a/http.h
> +++ b/http.h
> @@ -20,6 +20,7 @@ struct slot_results {
> long http_code;
> long auth_avail;
> long http_connectcode;
> + long retry_after;
> };
>
> struct active_request_slot {
> @@ -157,6 +158,13 @@ struct http_get_options {
> * request has completed.
> */
> struct string_list *extra_headers;
> +
> + /*
> + * After a request completes, contains the Retry-After delay in seconds
> + * if the server returned HTTP 429 with a Retry-After header (requires
> + * libcurl 7.66.0 or later), or -1 if no such header was present.
> + */
> + long retry_after;
I think making this a pure long instead of a pointer as is the case with
other members of this struct makes sense for the reasons that Peff
pointed out in the review of the previous round.
Thanks,
Taylor
^ permalink raw reply [flat|nested] 49+ messages in thread
* Re: [PATCH v6 0/3] http: add support for HTTP 429 rate limit retries
2026-03-17 13:00 ` [PATCH v6 0/3] " Vaidas Pilkauskas via GitGitGadget
` (2 preceding siblings ...)
2026-03-17 13:00 ` [PATCH v6 3/3] http: add support for HTTP 429 rate limit retries Vaidas Pilkauskas via GitGitGadget
@ 2026-03-21 3:31 ` Taylor Blau
2026-03-21 4:57 ` Junio C Hamano
2026-03-23 6:58 ` Vaidas Pilkauskas
3 siblings, 2 replies; 49+ messages in thread
From: Taylor Blau @ 2026-03-21 3:31 UTC (permalink / raw)
To: Vaidas Pilkauskas via GitGitGadget
Cc: git, Jeff King, Junio C Hamano, Vaidas Pilkauskas
On Tue, Mar 17, 2026 at 01:00:32PM +0000, Vaidas Pilkauskas via GitGitGadget wrote:
> Changes since v5:
>
> * drop show_http_message_fatal() preparation patch
> * drop fwrite_headers, restore fwrite_wwwauth
> * move CURLINFO_RETRY_AFTER from finish_active_slot to http_request
> * move retry_after=-1 init from run_one_slot to http_request
> * replace retry_after_out param with http_get_options field
> * fix loop counter: separate REAUTH and RATE_LIMITED counters
> * fix racy -lt 2 timing bounds in tests
Thanks, this round looks good to me. The main things that I noted from
the review on v5 was to drop the old 3/4, and a handful of suggestions
on the final patch, all of which look to have been addressed.
The first two patches being unchanged, this round looks good to me.
Thanks for working on this, Vaidas!
Thanks,
Taylor
^ permalink raw reply [flat|nested] 49+ messages in thread
* Re: [PATCH v6 0/3] http: add support for HTTP 429 rate limit retries
2026-03-21 3:31 ` [PATCH v6 0/3] " Taylor Blau
@ 2026-03-21 4:57 ` Junio C Hamano
2026-03-23 6:58 ` Vaidas Pilkauskas
1 sibling, 0 replies; 49+ messages in thread
From: Junio C Hamano @ 2026-03-21 4:57 UTC (permalink / raw)
To: Taylor Blau
Cc: Vaidas Pilkauskas via GitGitGadget, git, Jeff King,
Vaidas Pilkauskas
Taylor Blau <me@ttaylorr.com> writes:
> On Tue, Mar 17, 2026 at 01:00:32PM +0000, Vaidas Pilkauskas via GitGitGadget wrote:
>> Changes since v5:
>>
>> * drop show_http_message_fatal() preparation patch
>> * drop fwrite_headers, restore fwrite_wwwauth
>> * move CURLINFO_RETRY_AFTER from finish_active_slot to http_request
>> * move retry_after=-1 init from run_one_slot to http_request
>> * replace retry_after_out param with http_get_options field
>> * fix loop counter: separate REAUTH and RATE_LIMITED counters
>> * fix racy -lt 2 timing bounds in tests
>
> Thanks, this round looks good to me. The main things that I noted from
> the review on v5 was to drop the old 3/4, and a handful of suggestions
> on the final patch, all of which look to have been addressed.
>
> The first two patches being unchanged, this round looks good to me.
> Thanks for working on this, Vaidas!
>
> Thanks,
> Taylor
Thanks, both.
Let me mark the topic for 'next' then.
^ permalink raw reply [flat|nested] 49+ messages in thread
* Re: [PATCH v6 0/3] http: add support for HTTP 429 rate limit retries
2026-03-21 3:31 ` [PATCH v6 0/3] " Taylor Blau
2026-03-21 4:57 ` Junio C Hamano
@ 2026-03-23 6:58 ` Vaidas Pilkauskas
1 sibling, 0 replies; 49+ messages in thread
From: Vaidas Pilkauskas @ 2026-03-23 6:58 UTC (permalink / raw)
To: Taylor Blau
Cc: Vaidas Pilkauskas via GitGitGadget, git, Jeff King,
Junio C Hamano
On Sat, Mar 21, 2026 at 5:31 AM Taylor Blau <me@ttaylorr.com> wrote:
>
> Thanks, this round looks good to me. The main things that I noted from
> the review on v5 was to drop the old 3/4, and a handful of suggestions
> on the final patch, all of which look to have been addressed.
>
> The first two patches being unchanged, this round looks good to me.
> Thanks for working on this, Vaidas!
>
> Thanks,
> Taylor
Taylor, Peff and Junio, thank you very much for reviewing!
^ permalink raw reply [flat|nested] 49+ messages in thread
end of thread, other threads:[~2026-03-23 6:58 UTC | newest]
Thread overview: 49+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-11-26 12:30 [PATCH 0/3] http: add support for HTTP 429 rate limit retries Vaidas Pilkauskas via GitGitGadget
2025-11-26 12:30 ` [PATCH 1/3] " Vaidas Pilkauskas via GitGitGadget
2025-12-09 23:15 ` Taylor Blau
2025-12-12 12:36 ` Vaidas Pilkauskas
2025-11-26 12:30 ` [PATCH 2/3] remote-curl: fix memory leak in show_http_message() Vaidas Pilkauskas via GitGitGadget
2025-12-09 23:52 ` Taylor Blau
2025-11-26 12:30 ` [PATCH 3/3] http: add trace2 logging for retry operations Vaidas Pilkauskas via GitGitGadget
2025-12-18 14:44 ` [PATCH v2 0/2] http: add support for HTTP 429 rate limit retries Vaidas Pilkauskas via GitGitGadget
2025-12-18 14:44 ` [PATCH v2 1/2] " Vaidas Pilkauskas via GitGitGadget
2026-02-11 1:05 ` Taylor Blau
2026-02-11 9:13 ` Jeff King
2026-02-13 13:41 ` Vaidas Pilkauskas
2026-02-15 9:13 ` Jeff King
2026-02-13 13:30 ` Vaidas Pilkauskas
2025-12-18 14:44 ` [PATCH v2 2/2] http: add trace2 logging for retry operations Vaidas Pilkauskas via GitGitGadget
2026-02-11 1:06 ` Taylor Blau
2026-02-17 11:08 ` [PATCH v3 0/3] http: add support for HTTP 429 rate limit retries Vaidas Pilkauskas via GitGitGadget
2026-02-17 11:08 ` [PATCH v3 1/3] strbuf: fix incorrect alloc size in strbuf_reencode() Vaidas Pilkauskas via GitGitGadget
2026-02-17 20:51 ` Junio C Hamano
2026-02-18 13:43 ` Vaidas Pilkauskas
2026-02-17 11:08 ` [PATCH v3 2/3] remote-curl: introduce show_http_message_fatal() helper Vaidas Pilkauskas via GitGitGadget
2026-02-17 11:08 ` [PATCH v3 3/3] http: add support for HTTP 429 rate limit retries Vaidas Pilkauskas via GitGitGadget
2026-02-18 14:09 ` [PATCH v4 0/5] " Vaidas Pilkauskas via GitGitGadget
2026-02-18 14:09 ` [PATCH v4 1/5] strbuf: pass correct alloc to strbuf_attach() in strbuf_reencode() Vaidas Pilkauskas via GitGitGadget
2026-02-18 14:09 ` [PATCH v4 2/5] strbuf_attach: fix all call sites to pass correct alloc Vaidas Pilkauskas via GitGitGadget
2026-02-20 22:55 ` Junio C Hamano
2026-02-23 12:49 ` Vaidas Pilkauskas
2026-02-18 14:09 ` [PATCH v4 3/5] strbuf: replace strbuf_grow() in strbuf_attach() with BUG() check Vaidas Pilkauskas via GitGitGadget
2026-02-18 14:09 ` [PATCH v4 4/5] remote-curl: introduce show_http_message_fatal() helper Vaidas Pilkauskas via GitGitGadget
2026-02-18 14:09 ` [PATCH v4 5/5] http: add support for HTTP 429 rate limit retries Vaidas Pilkauskas via GitGitGadget
2026-02-23 14:20 ` [PATCH v5 0/4] " Vaidas Pilkauskas via GitGitGadget
2026-02-23 14:20 ` [PATCH v5 1/4] strbuf: pass correct alloc to strbuf_attach() in strbuf_reencode() Vaidas Pilkauskas via GitGitGadget
2026-02-23 14:20 ` [PATCH v5 2/4] strbuf_attach: fix call sites to pass correct alloc Vaidas Pilkauskas via GitGitGadget
2026-02-23 14:20 ` [PATCH v5 3/4] remote-curl: introduce show_http_message_fatal() helper Vaidas Pilkauskas via GitGitGadget
2026-03-10 17:44 ` Jeff King
2026-02-23 14:20 ` [PATCH v5 4/4] http: add support for HTTP 429 rate limit retries Vaidas Pilkauskas via GitGitGadget
2026-03-10 19:07 ` Jeff King
2026-02-24 0:07 ` [PATCH v5 0/4] " Junio C Hamano
2026-03-09 23:34 ` Junio C Hamano
2026-03-10 19:10 ` Jeff King
2026-03-10 19:19 ` Junio C Hamano
2026-03-17 13:00 ` [PATCH v6 0/3] " Vaidas Pilkauskas via GitGitGadget
2026-03-17 13:00 ` [PATCH v6 1/3] strbuf: pass correct alloc to strbuf_attach() in strbuf_reencode() Vaidas Pilkauskas via GitGitGadget
2026-03-17 13:00 ` [PATCH v6 2/3] strbuf_attach: fix call sites to pass correct alloc Vaidas Pilkauskas via GitGitGadget
2026-03-17 13:00 ` [PATCH v6 3/3] http: add support for HTTP 429 rate limit retries Vaidas Pilkauskas via GitGitGadget
2026-03-21 3:30 ` Taylor Blau
2026-03-21 3:31 ` [PATCH v6 0/3] " Taylor Blau
2026-03-21 4:57 ` Junio C Hamano
2026-03-23 6:58 ` Vaidas Pilkauskas
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox