Hi Peff, On Wed, 22 Apr 2020, Jeff King wrote: > On Wed, Apr 22, 2020 at 08:51:02PM +0000, Johannes Schindelin via GitGitGadget wrote: > > > This fixes the problem illustrated by Peff's example > > [https://lore.kernel.org/git/20200422040644.GC3559880@xxxxxxxxxxxxxxxxxxxxxxx/] > > , in maint-2.17: > > > > $ echo url=https://example.com | > > git -c credential.example.com.username=foo credential fill > > warning: url has no scheme: example.com > > fatal: credential url cannot be parsed: example.com > > > > The fix is necessarily different than what was proposed by brian > > [https://lore.kernel.org/git/20200422012344.2051103-1-sandals@xxxxxxxxxxxxxxxxxxxx/] > > because that fix targets v2.26.x which has 46fd7b390034 (credential: allow > > wildcard patterns when matching config, 2020-02-20). > > > > This patch series targets maint-2.17 instead (and might actually not be able > > to fix maint due to that wildcard pattern patch; I haven't had the time to > > check yet). > > Yes, this will remove the die() in all versions, but in v2.26.0 and up, > that config would be silently ignored (and your new test will fail). Thanks for testing! > > Please note that Git v2.17.4 will not do what we would expect here: if any > > host name (without protocol) is specified, e.g. -c > > credential.golli.wog.username = boo, it will actually ignore the host name. > > That is, this will populate the username: > > > > $ echo url=https://example.com | > > git -c credential.totally.bog.us.username=foo credential fill > > That seems scary. What if it is not .username, but: > > [credential "example.com"] > username = foo > helper = "!echo password=bar" > > ? (Or you can imagine a helper that is pulling from a read-only store, > like "pass"). That would send the credential to the wrong host. It would. But I am not aware of any implications regarding `.gitmodules` (for some reason I now expect every bug to open an attack vector via submodules, I wonder why that is), so that's at least good. There do seem to be a few projects that set a `credential.<hostname>.useHTTPPath` as part of their build, but I doubt that that could be exploited. > I think any fix we do here needs to make sure we are not any > reintroducing wrong-host problems (though I do admit that the usage like > my example above is probably way less common than vanilla helpers that > do the host-selection themselves). Yes. For the record, I tried to be very careful here. The _only_ code path that is affected by this change is the config reading. Reading `.gitmodules` (also in `fsck.c`) should behave identically to the way v2.17.5 behaves: they should not allow empty protocol or hostname. If you spot any difference in behavior in this regard, please do let me know: that would be a bug. And I do not think that these patches could re-introduce the problems you fixed: the `credential_match()` tries to work against a `struct credential` that has been sent to `credential_apply_config()` and as per your fixes, this function now verifies that neither protocol nor hostname are unset. But again, I would love another pair of eyes on this, to confirm my analysis. Thanks, Dscho
