From: Junio C Hamano <gitster@pobox.com>
To: "brian m. carlson" <sandals@crustytoothpaste.net>
Cc: M Hickford <mirth.hickford@gmail.com>,
git@vger.kernel.org, derrickstolee@github.com,
stolee@gmail.com
Subject: Re: transfer.credentialsInUrl should warn about personal access tokens in user field #leftoverbits
Date: Fri, 10 Jan 2025 16:45:16 -0800 [thread overview]
Message-ID: <xmqqv7umb2lf.fsf@gitster.g> (raw)
In-Reply-To: <Z4G2Ze8S5PKfKjmI@tapette.crustytoothpaste.net> (brian m. carlson's message of "Sat, 11 Jan 2025 00:08:05 +0000")
"brian m. carlson" <sandals@crustytoothpaste.net> writes:
>> When the former is true and the latter is false, it is an indication
>> that for that site with the username-or-token, there wasn't anything
>> necessary to authenticate and the access was authorized. Which is
>> what the original poster wants us to warn against.
>
> No, I don't think that will work in the general case. Here's why. If I
> do `git push https://bmc@git.crustytoothpaste.net/git/bmc/xyzzy.git`,
> that uses Kerberos (Negotiate). There's a username there to make
> libcurl enable auth, but it's never used and a credential helper is
> never invoked, so case 1 is true and case 2 is false.
>
> Now, we _could_ do that only for Basic auth, which would catch the
> GitHub case. However, it's _also_ possible to use TLS client
> certificate auth (and I think Bitbucket does support that) and use the
> username only for choosing the account (because, say, your work account
> uses a client certificate and your personal account uses something
> else). There might be Basic auth sent (say, if you'd set
> `http.proactiveAuth`), but the server would ignore it since you were
> already authenticated via the TLS cert. That would also make case 1 be
> true and case 2 be false.
>
> Perhaps that latter case is not worth worrying about, but it is a
> possibility and I'm sure some people will hit it. Maybe with a config
> option for the advice that's okay, though.
Thanks, so in short, if we really want to do this "warning", it has
to look at the "username" string and "guess" that it is something
the user does not want to have as a value to remote.*.url field X-<.
So "should warn" in the title is not really #leftoverbits (i.e. we
clearly know it is a good idea, we just didn't have bandwidth to do
it, anybody is welcome to fill the void) at this point.
Thanks.
next prev parent reply other threads:[~2025-01-11 0:45 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-10 21:05 transfer.credentialsInUrl should warn about personal access tokens in user field #leftoverbits M Hickford
2025-01-10 21:32 ` Junio C Hamano
2025-01-10 22:06 ` brian m. carlson
2025-01-10 22:51 ` Junio C Hamano
2025-01-11 0:08 ` brian m. carlson
2025-01-11 0:45 ` Junio C Hamano [this message]
2025-01-11 1:01 ` rsbecker
2025-01-18 20:33 ` M Hickford
2025-01-10 22:10 ` rsbecker
2025-01-10 23:36 ` Randall Becker
2025-01-10 23:44 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xmqqv7umb2lf.fsf@gitster.g \
--to=gitster@pobox.com \
--cc=derrickstolee@github.com \
--cc=git@vger.kernel.org \
--cc=mirth.hickford@gmail.com \
--cc=sandals@crustytoothpaste.net \
--cc=stolee@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).