Re: [PATCH 2/2] http: add an "auto" mode for http.emptyauth

On Sat, Feb 25, 2017 at 12:48:54PM +0100, Johannes Schindelin wrote:

> Hi,
> 
> On Wed, 22 Feb 2017, Jeff King wrote:
> 
> > [two beautiful patches]
> 
> I applied them and verified that the reported issue is fixed. Thank you!
> 
> Hopefully you do not mind that I cherry-picked them in preparation for
> Git for Windows v2.12.0?

No, I don't mind. I'm happy that more people with a non-Basic setup are
verifying that they work. :)

Of the changes:

> diff --git a/http.c b/http.c
> index f8eb0f23d6c..fb94c444c80 100644
> --- a/http.c
> +++ b/http.c
> @@ -334,7 +334,10 @@ static int http_options(const char *var, const char *value, void *cb)
>  		return git_config_string(&user_agent, var, value);
>  
>  	if (!strcmp("http.emptyauth", var)) {
> -		curl_empty_auth = git_config_bool(var, value);
> +		if (value && !strcmp("auto", value))
> +			curl_empty_auth = -1;
> +		else
> +			curl_empty_auth = git_config_bool(var, value);
>  		return 0;
>  	}
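
Review bot: The -1 assigned to curl_empty_auth in the "auto" branch is a bare magic value. git_config_bool() only yields 0 or 1, so the variable becomes tri-state here without anything in the hunk saying so. Suggest a named constant, or a comment where curl_empty_auth is declared, stating that -1 means "auto". Also make sure the http.emptyauth documentation lists "auto" as an accepted value, since the quoted portion only touches http.c.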

Obviously good, I should have included this in the original.

> +#ifndef LIBCURL_CAN_HANDLE_AUTH_ANY
> +	/*
> +	 * Our libcurl is too old to do AUTH_ANY in the first place;
> +	 * just default to turning the feature off.
> +	 */
>  #else
> -		/*
> -		 * Our libcurl is too old to do AUTH_ANY in the first place;
> -		 * just default to turning the feature off.
> -		 */

The ifdef reordering here is good.

> +	/*
> +	 * In the automatic case, kick in the empty-auth
> +	 * hack as long as we would potentially try some
> +	 * method more exotic than "Basic".
> +	 *
> +	 * But only do this when this is our second or
> +	 * subsequent * request, as by then we know what
> +	 * methods are available.
> +	 */
> +	if (http_auth_methods_restricted)
> +		switch (http_auth_methods) {
> +		case CURLAUTH_BASIC:
> +		case CURLAUTH_DIGEST:
> +#ifdef CURLAUTH_DIGEST_IE
> +		case CURLAUTH_DIGEST_IE:
>  #endif
> [...]
> +			return 0;
> +		default:
> +			return 1;
> +		}

This is an improvement over my basic-only, but I think you actually want
to bitmask here. A server which advertises only BASIC|DIGEST should not
do empty-auth, but wouldn't match your switch statement.

Patch below.

> Now, how to get this into upstream Git, too? Jeff, do you want to submit a
> v2? In that case, would you please consider the fixup! I mentioned above?
> Otherwise I'd be happy to take it from here.

I don't mind doing a v2. I'm unsure of whether we want to default to
"auto" or not upstream. It seems from your releases that you think it is
safe enough to do in Windows. And I guess nobody outside of that is
really doing NTLM. So it's OK, I guess?

<shrug> I don't have enough information to make an intelligent opinion,
so I'm happy to defer.

I'll send my v2 in a minute. Here's the interdiff/fixup if you need to
apply it separately:

diff --git a/http.c b/http.c
index 523c43cf9..dd637d031 100644
--- a/http.c
+++ b/http.c
@@ -126,6 +126,13 @@ static int ssl_cert_password_required;
 #ifdef LIBCURL_CAN_HANDLE_AUTH_ANY
 static unsigned long http_auth_methods = CURLAUTH_ANY;
 static int http_auth_methods_restricted;
+/* Modes for which empty_auth cannot actually help us. */
+static unsigned long empty_auth_useless =
+	CURLAUTH_BASIC
+#ifdef CURLAUTH_DIGEST_IE
+	| CURLAUTH_DIGEST_IE
+#endif
+	| CURLAUTH_DIGEST;
 #endif
 
 static struct curl_slist *pragma_header;
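Review bot: empty_auth_useless is added as a mutable file-scope static, but it is a fixed mask that the visible code only reads, in the test against http_auth_methods. Declaring it "static const unsigned long" would document that it never changes and let the compiler reject an accidental write.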
@@ -400,23 +407,15 @@ static int curl_empty_auth_enabled(void)
 	/*
 	 * In the automatic case, kick in the empty-auth
 	 * hack as long as we would potentially try some
-	 * method more exotic than "Basic".
+	 * method more exotic than "Basic" or "Digest".
 	 *
 	 * But only do this when this is our second or
 	 * subsequent * request, as by then we know what
 	 * methods are available.
 	 */
-	if (http_auth_methods_restricted)
-		switch (http_auth_methods) {
-		case CURLAUTH_BASIC:
-		case CURLAUTH_DIGEST:
-#ifdef CURLAUTH_DIGEST_IE
-		case CURLAUTH_DIGEST_IE:
-#endif
-			return 0;
-		default:
-			return 1;
-		}
+	if (http_auth_methods_restricted &&
+	    (http_auth_methods & ~empty_auth_useless))
+		return 1;
 #endif
 	return 0;
 }
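
Review bot: The comment kept as context in this hunk still reads "subsequent * request". The stray asterisk looks like a leftover from re-wrapping the comment, and since this hunk already edits the same comment block it could be dropped in the same change. It would also help to say in that comment that the test is a mask, i.e. empty auth is enabled when any advertised method falls outside empty_auth_useless, so the intent of "http_auth_methods & ~empty_auth_useless" is clear without decoding the expression.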


