> -----Original Message----- > From: Jeff King [mailto:peff@xxxxxxxx] > Sent: Monday, October 03, 2016 5:01 PM > To: David Turner > Cc: git@xxxxxxxxxxxxxxx; sandals@xxxxxxxxxxxxxxxxxxxx > Subject: Re: [PATCH] http: http.emptyauth should allow empty (not just > NULL) usernames > > On Mon, Oct 03, 2016 at 01:19:28PM -0400, David Turner wrote: > > > When using kerberos authentication, one URL pattern which is allowed > > is http://@gitserver.example.com. This leads to a username of > > zero-length, rather than a NULL username. But the two cases should be > > treated the same by http.emptyauth. > > > > Signed-off-by: David Turner <dturner@xxxxxxxxxxxx> > > --- > > http.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/http.c b/http.c > > index 82ed542..bd0dba2 100644 > > --- a/http.c > > +++ b/http.c 
> > @@ -351,7 +351,7 @@ static int http_options(const char *var, const > > char *value, void *cb) > > > > static void init_curl_http_auth(CURL *result) { > > - if (!http_auth.username) { > > + if (!http_auth.username || !*http_auth.username) { > > Hmm. This fixes this caller, but what about other users of the credential > struct? I wonder if the correct fix is in credential_from_url(), which > should avoid writing an empty field. > > OTOH, I can imagine that "http://user:@example.com" would be a way to say > "I have a username and the password is blank" without getting prompted. > Which makes me wonder if it is useful to say "my username is blank" in the > same way. Yes, that was my thought process. > I dunno. The code path you are changing _only_ affects anything if the > http.emptyauth config is set. But I guess I just don't understand why you > would say "http://@gitserver" in the first place. Is that a common thing? > > -Peff I have no idea if it is common. I know that we do it. It used to be that git 2.8/libcurl would handle @gitserver as if the username were blank, but then we upgraded our company's libcurl and it broke (git started prompting for a password). I do not know what the previous version of libcurl was. The reason we have a required-to-be-blank username/password is apparently Kerberos (or something about our particular Kerberos configuration), which I treat as inscrutable black magic.
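Review bot: The widened condition in init_curl_http_auth() looks only at the username, so a URL whose userinfo has an empty username but does carry a password would now take the same branch as a NULL username; if that is not intended, the test should also take the password into account. The `!*http_auth.username` half would also benefit from a one-line comment naming the `http://@gitserver.example.com` form from the commit message, since nothing at the call site says where a zero-length, non-NULL username comes from, and the diffstat shows only http.c changing, so no test pins that URL form down.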
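The NULL-versus-empty username distinction discussed in this thread, as an added example that is not part of the original messages and is not git's code. `struct cred`, `cred_from_url`, `unset_old` and `unset_new` are hypothetical names, and the parser is a simplified userinfo splitter with no percent-decoding.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified record; not git's struct credential. */
struct cred {
    char *username; /* NULL: no userinfo in URL; "": userinfo present but empty */
    char *password; /* NULL: userinfo had no ':' */
};

static char *dup_range(const char *s, size_t n)
{
    char *out = calloc(n + 1, 1); /* zero-filled, so already NUL-terminated */
    if (!out)
        abort();
    return memcpy(out, s, n);
}

/* Split scheme://[user[:pass]@]host...; the authority ends at the first
 * '/', '?' or '#', and the last '@' inside it ends the userinfo. */
static int cred_from_url(struct cred *c, const char *url)
{
    const char *p = strstr(url, "://"), *at = NULL, *colon;
    c->username = c->password = NULL;
    if (!p)
        return -1;
    p += 3;
    for (size_t i = 0, n = strcspn(p, "/?#"); i < n; i++)
        if (p[i] == '@')
            at = p + i;
    if (!at)
        return 0; /* no userinfo at all: username stays NULL */
    colon = memchr(p, ':', at - p);
    c->username = dup_range(p, (colon ? colon : at) - p);
    if (colon)
        c->password = dup_range(colon + 1, at - colon - 1);
    return 0;
}

static int unset_old(const struct cred *c) { return !c->username; } /* pre-patch check */
static int unset_new(const struct cred *c) { return !c->username || !*c->username; }

int main(void)
{
    const char *urls[] = { "http://gitserver.example.com/", /* constructed inputs */
        "http://@gitserver.example.com/", "http://user:@example.com/" };
    struct cred c;
    for (int i = 0; i < 3; i++)
        if (!cred_from_url(&c, urls[i]))
            printf("%-34s old=%d new=%d\n", urls[i], unset_old(&c), unset_new(&c));
    return 0;
}
```

Only the `http://@gitserver.example.com/` form makes the two checks disagree: it yields a non-NULL, zero-length username, which the pre-patch test treats as set.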