On Tue, Sep 21, 2021 at 03:06:20PM -0400, Eric Sunshine wrote:

> On Tue, Sep 21, 2021 at 2:41 PM Jeff King <peff@xxxxxxxx> wrote:
> > When HTTP/2 is in use, we fail to correctly redact "Authorization" (and
> > other) headers in our GIT_TRACE_CURL output.
> >
> > We get the headers in our CURLOPT_DEBUGFUNCTION callback, curl_trace().
> > It passes them along to curl_dump_header(), which in turn checks
> > redact_sensitive_header(). We see the headers as a text buffer like:
> >
> >   Host: ...
> >   Authorization: Basic ...
> >
> > After breaking it into lines, we match each header using skip_prefix().
> > This is case-insensitive, even though HTTP headers are case-insensitive.
> > This has worked reliably in the past because these headers are generated
> > by curl itself, which is predictable in what it sends.
>
> Did you mean "This is case-sensitive..."?

Whoops, yes. It probably makes a lot more sense with that fix. :)

-Peff
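The thread is about a trace-log redactor that matched header names with a case-sensitive prefix check, which is fine for the spelling curl uses over HTTP/1.x but misses the lowercased names HTTP/2 carries. The following is an added example, not git's code and not the patch under discussion: it puts a case-sensitive matcher (in the spirit of the `skip_prefix()` check the commit message names) next to a case-insensitive one, runs both over a constructed header block, and shows that only the latter redacts `authorization:` when it arrives in lowercase. The `redact_line_*` and `redact_block` functions, the `<redacted>` marker, the sample credential and the inclusion of `Proxy-Authorization` in the sensitive list are all assumptions made for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed list of header names whose values must never reach a trace
 * log. "Authorization" is the one the thread names; the second entry is an
 * assumption added for illustration. */
static const char *const sensitive_headers[] = {
	"Authorization",
	"Proxy-Authorization",
	NULL
};

/* Case-sensitive prefix match, modelled on the behaviour the thread
 * attributes to skip_prefix(): returns the remainder after the prefix, or
 * NULL when it does not match byte for byte. */
static const char *skip_prefix_cs(const char *str, const char *prefix)
{
	size_t len = strlen(prefix);
	return strncmp(str, prefix, len) == 0 ? str + len : NULL;
}

/* Case-insensitive prefix match, which is what HTTP header names need:
 * HTTP/2 lowercases them, HTTP/1.x carries whatever spelling the client
 * chose. Stops safely at the end of str because '\0' never equals a
 * prefix character. */
static const char *skip_prefix_ci(const char *str, const char *prefix)
{
	for (; *prefix; str++, prefix++)
		if (tolower((unsigned char)*str) != tolower((unsigned char)*prefix))
			return NULL;
	return str;
}

typedef const char *(*prefix_fn)(const char *, const char *);

/* Copy one header line into out, replacing the value of a sensitive header
 * with "<redacted>". Returns 1 if the line was redacted, 0 otherwise. The
 * matcher is a parameter so the two behaviours can be compared directly. */
static int redact_line(prefix_fn match, const char *line,
		       char *out, size_t outlen)
{
	int i;
	for (i = 0; sensitive_headers[i]; i++) {
		const char *rest = match(line, sensitive_headers[i]);
		/* Require the ':' so "AuthorizationX:" is not taken as a match. */
		if (rest && *rest == ':') {
			snprintf(out, outlen, "%.*s: <redacted>",
				 (int)(rest - line), line);
			return 1;
		}
	}
	snprintf(out, outlen, "%s", line);
	return 0;
}

int redact_line_case_sensitive(const char *line, char *out, size_t outlen)
{
	return redact_line(skip_prefix_cs, line, out, outlen);
}

int redact_line_case_insensitive(const char *line, char *out, size_t outlen)
{
	return redact_line(skip_prefix_ci, line, out, outlen);
}

/* Split a header block into lines, as curl_dump_header() is described
 * doing, print each (redacted) line, and return how many were redacted. */
int redact_block(int case_insensitive, const char *block)
{
	char line[256], out[300];
	int redacted = 0;
	const char *p = block;

	while (*p) {
		const char *nl = strchr(p, '\n');
		size_t len = nl ? (size_t)(nl - p) : strlen(p);
		if (len >= sizeof(line))
			len = sizeof(line) - 1;
		memcpy(line, p, len);
		line[len] = '\0';
		redacted += case_insensitive
			? redact_line_case_insensitive(line, out, sizeof(out))
			: redact_line_case_sensitive(line, out, sizeof(out));
		printf("%s\n", out);
		p = nl ? nl + 1 : p + len;
	}
	return redacted;
}

int main(void)
{
	/* Constructed samples: HTTP/1.x-style spelling, then HTTP/2-style
	 * lowercase. The credential is a placeholder, not a real secret. */
	const char *h1 = "Host: example.invalid\nAuthorization: Basic Zm9vOmJhcg==\n";
	const char *h2 = "host: example.invalid\nauthorization: Basic Zm9vOmJhcg==\n";

	printf("case-sensitive, HTTP/1.x: %d redacted\n", redact_block(0, h1));
	printf("case-sensitive, HTTP/2:   %d redacted\n", redact_block(0, h2));
	printf("case-insensitive, HTTP/2: %d redacted\n", redact_block(1, h2));
	return 0;
}
```

Running it prints the HTTP/2-style block twice: once with the credential still visible (case-sensitive matcher, zero redactions) and once with `authorization: <redacted>`. The `':'` check after the prefix is the second half of the defence: matching on the name alone would let a similarly named header slip through unredacted, or redact one that was never sensitive.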