On Tue, Sep 21, 2021 at 2:41 PM Jeff King <peff@xxxxxxxx> wrote:
> When HTTP/2 is in use, we fail to correctly redact "Authorization" (and
> other) headers in our GIT_TRACE_CURL output.
>
> We get the headers in our CURLOPT_DEBUGFUNCTION callback, curl_trace().
> It passes them along to curl_dump_header(), which in turn checks
> redact_sensitive_header(). We see the headers as a text buffer like:
>
>   Host: ...
>   Authorization: Basic ...
>
> After breaking it into lines, we match each header using skip_prefix().
> This is case-insensitive, even though HTTP headers are case-insensitive.
> This has worked reliably in the past because these headers are generated
> by curl itself, which is predictable in what it sends.

Did you mean "This is case-sensitive..."?

> But when HTTP/2 is in use, instead we get a lower-case "authorization:"
> header, and we fail to match it. The fix is simple: we should match with
> skip_iprefix().
> [...]
> Signed-off-by: Jeff King <peff@xxxxxxxx>
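
The matching problem discussed in this thread, as an added example that is not part of the original messages and is not Git's code: a header redactor run with a case-sensitive and a case-insensitive prefix matcher over an HTTP/1.1-style and an HTTP/2-style header line. The helpers prefix_cs(), prefix_ci() and redact_line() are hypothetical stand-ins, the header values are constructed samples, and keeping the scheme word ("Basic") in the output is an assumption of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for a case-sensitive and a case-insensitive prefix match. */
static int prefix_cs(const char *s, const char *p, const char **out)
{
	size_t n = strlen(p);
	if (strncmp(s, p, n))
		return 0;
	*out = s + n;
	return 1;
}

static int prefix_ci(const char *s, const char *p, const char **out)
{
	for (; *p; s++, p++)
		if (tolower((unsigned char)*s) != tolower((unsigned char)*p))
			return 0;
	*out = s;
	return 1;
}

typedef int (*prefix_fn)(const char *, const char *, const char **);

/*
 * Copy one header line into dst, replacing the credential of an
 * Authorization header. Returns 1 if redacted, 0 if copied unchanged.
 */
int redact_line(const char *line, prefix_fn match, char *dst, size_t dstlen)
{
	const char *val;
	if (!match(line, "Authorization:", &val)) {
		snprintf(dst, dstlen, "%s", line);
		return 0;
	}
	while (*val == ' ') val++;              /* skip space after the colon */
	while (*val && *val != ' ') val++;      /* keep the scheme word */
	snprintf(dst, dstlen, "%.*s <redacted>", (int)(val - line), line);
	return 1;
}

int main(void)
{
	const char *h2 = "authorization: Basic dXNlcjpwYXNz"; /* constructed sample */
	char buf[128];
	redact_line(h2, prefix_cs, buf, sizeof(buf)); printf("cs: %s\n", buf);
	redact_line(h2, prefix_ci, buf, sizeof(buf)); printf("ci: %s\n", buf);
	return 0;
}
```

With the case-sensitive matcher the lower-case header is copied to the trace unchanged, credential included; with the case-insensitive one both spellings are redacted.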