On Thu, Jan 31, 2013 at 1:59 PM, Junio C Hamano <gitster@xxxxxxxxx> wrote: > Shawn Pearce <spearce@xxxxxxxxxxx> writes: > >> Before parsing a suspected smart-HTTP response verify the returned >> Content-Type matches the standard. This protects a client from >> attempting to process a payload that smells like a smart-HTTP >> server response. >> >> JGit has been doing this check on all responses since the dawn of >> time. I mistakenly failed to include it in git-core when smart HTTP >> was introduced. At the time I didn't know how to get the Content-Type >> from libcurl. I punted, meant to circle back and fix this, and just >> plain forgot about it. >> >> Signed-off-by: Shawn Pearce <spearce@xxxxxxxxxxx> >> --- > > Sounds sensible. Was there a report of attack attempts by malicious > servers or something, or is it just a general "common sense" thing? Common-sense cleanup. I had a report a while ago about JGit not working with the Git servers at Codeplex. This failure was caused by their HTTP servers returning an invalid Content-Type, making JGit refuse to continue parsing. This has since been fixed, I verified this morning that Codeplex is returning the correct Content-Type. -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html