Fwd: [bug report, possibly] Multiple pushes with passwords in URL

Hello list,
I didn't find a bug tracker and some comments on StackOverflow
suggested I should post to the mailing list... please excuse me if I
followed the wrong info, it's not really easy to find your bug
tracker, if there is one.

I came across this behavior trying to organize my repository to
push updates to several remote repositories. Here's what I did:

in .git/conf

[core]
        repositoryformatversion = 0
        filemode = true
        bare = false
        logallrefupdates = true

[remote "github"]
        fetch = +refs/heads/*:refs/remotes/origin/*
        url = https://username1:password1@xxxxxxxxxx/some.git

[remote "googlecode"]
        fetch = +refs/heads/*:refs/remotes/origin/*
        url = https://username2:password2@xxxxxxxxxxxxxxx/p/some/

[remote "origin"]
        url = https://username1:password1@xxxxxxxxxx/some.git
#        url = https://username2:password2@xxxxxxxxxxxxxxx/p/some/

[remote "all"]
        url = https://username1:password1@xxxxxxxxxx/some.git
        url = https://username2:password2@xxxxxxxxxxxxxxx/p/some/

[branch "master"]
        remote = origin
        merge = refs/heads/master

Now, what happens if I try to push origin master:
the commit is sent to the first origin with the credential specified
in the first URL, but then the request to second URL is sent with the
credentials from the first URL. I tried switching them, and the result
is the same. I tried separate pushes to both repositories and it
works fine. I thought there might be something particular about
"origin" and tried moving the list of URLs to "all" - with the exact
same results.

This is kind of frustrating... but this is also a tiny security threat
as you are basically sending the credentials of the users they used at
one site to another... w/o any notice or warning.

That aside, I would be very happy to find some way to save passwords
in some... well... more secure format. Like on the keyring, for
example... .netrc is out of the question though because of duplicating
user names :(

Best.

Oleg
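
A defender-side check for the kind of configuration shown in the report, as an added example that is not part of the original message or of git itself: it parses a git config, keeps repeated url keys, and flags remotes whose URLs embed a password, plus remotes that mix such URLs across more than one host. The hosts, credentials, and function names are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed sample mirroring the report's layout; hosts and credentials are placeholders.
SAMPLE_CONFIG = """\
[remote "github"]
        fetch = +refs/heads/*:refs/remotes/origin/*
        url = https://username1:password1@git.example.com/some.git
[remote "all"]
        url = https://username1:password1@git.example.com/some.git
        url = https://username2:password2@code.example.org/p/some/
[remote "clean"]
        url = https://git.example.com/some.git
#        url = https://username2:password2@code.example.org/p/some/
"""

SECTION = re.compile(r'^\[remote\s+"([^"]+)"\]$')

def remote_urls(config_text):
    """Map each remote name to its url values, keeping repeated url keys."""
    remotes, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("["):
            m = SECTION.match(line)
            current = m.group(1) if m else None  # None for non-remote sections
            if current is not None:
                remotes.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "url":
                remotes[current].append(value)
    return remotes

def audit(config_text):
    """Return {remote: [issues]} for URLs carrying a password in the userinfo part."""
    findings = {}
    for name, urls in remote_urls(config_text).items():
        parts = [urlsplit(u) for u in urls]
        with_pw = [p for p in parts if p.password]
        issues = [f"password stored in URL for host {p.hostname}" for p in with_pw]
        if with_pw and len({p.hostname for p in parts}) > 1:
            issues.append("one remote lists several hosts with embedded credentials")
        if issues:
            findings[name] = issues
    return findings
```
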