On Wed, Apr 10, 2013 at 05:47:22PM -0400, Jeff King wrote:
> On Wed, Apr 10, 2013 at 11:30:59PM +0200, Jakub Narębski wrote:
>
>>> 1. GET $repo/info/refs?service=git-receive-pack
>>>
>>> This makes initial contact and gets the ref information which
>>> push uses to decide what it is going to push. So it is
>>> read-only, and in an anonymous-read setup, does not need to
>>> be protected.
>>
>> Yes, it doesn't need to be protected, but *git-receive-pack*
>> requires (or required) valid user even for above GET request for
>> getting refs.
>
> Right. But that is not anything receive-pack is doing; it is up to
> his webserver config, which is why I asked to see it.
Nope. I'm pretty sure this had *nothing* to do with my config. This
is the original config, which doesn't work:
$HTTP["url"] =~ "^/git" {
cgi.assign = ( "" => "" )
setenv.add-environment = (
"GIT_PROJECT_ROOT" => "/srv/git",
"GIT_HTTP_EXPORT_ALL" => ""
)
$HTTP["url"] =~ "^/git/.*/git-receive-pack$" {
include "trac-git-auth.conf"
}
}
This will turn on authentication *only* for URLs matching
^/git/.*/git-receive-pack$, which AFAIU is *exactly* what the manpage states is
all that is needed.
This is the configuration that actually works:
$HTTP["querystring"] =~ "service=git-receive-pack" {
$HTTP["url"] =~ "^/git" {
cgi.assign = ( "" => "" )
setenv.add-environment = (
"GIT_PROJECT_ROOT" => "/srv/git",
"GIT_HTTP_EXPORT_ALL" => ""
)
include "trac-git-auth.conf"
}
} else $HTTP["url"] =~ "^/git" {
cgi.assign = ( "" => "" )
setenv.add-environment = (
"GIT_PROJECT_ROOT" => "/srv/git",
"GIT_HTTP_EXPORT_ALL" => ""
)
$HTTP["url"] =~ "^/git/.*/git-receive-pack$" {
include "trac-git-auth.conf"
}
}
The top bit adds matching against the query string and ^/git which
forces authentication on the initial GET as well.
>>> 2. POST $repo/git-receive-pack
>>>
>>> This actually pushes up the objects and updates the refs, and
>>> must be protected.
>>>
>>> The setup listed above does work with apache; it is tested as part
>>> of our test suite (you can see the actual config in
>>> t/lib-httpd/apache.conf). So what in lighttpd is giving us the
>>> 403? Can you share your whole config?
>>
>> I think I have seen a patch on git mailing list to correct this,
>> but I am not sure.
>>
>> Are you sure that we test this correctly?
>
> Perhaps you are thinking of the jk/maint-http-half-auth-push topic
> from last August/September. It explicitly tests the setup from the
> manpage. The relevant commits are 4c71009 (t: test http access to
> "half-auth" repositories, 2012-08-27) which demonstrates the
> problem, and b81401c (http: prompt for credentials on failed POST,
> 2012-08-27).
>
> However, even before the fix, it never got a 403 on the GET of
> info/refs. It got a 401 on the later POST, but didn't prompt for
> credentials.
I know nothing about CGI, but surely the script signals the need for a
valid user to the server somehow, couldn't the web server then decide
to return 403 rather than 401 *if there's no configuration for
authentication*?
In any case it seems there is no fix in the version of git in Arch
Linux[1].
/M
[1]: The package I've been using is built from these unpatched
sources: http://git-core.googlecode.com/files/git-1.8.2.tar.gz
--
Magnus Therning OpenPGP: 0xAB4DFBA4
email: magnus@xxxxxxxxxxxx jabber: magnus@xxxxxxxxxxxx
twitter: magthe http://therning.org/magnus
I invented the term Object-Oriented, and I can tell you I did not have
C++ in mind.
-- Alan Kay
Attachment:
pgpHopdPWErJ7.pgp
Description: PGP signature