Jeff King <peff@xxxxxxxx> writes:

> On Tue, Sep 21, 2021 at 03:06:20PM -0400, Eric Sunshine wrote:
>
>> On Tue, Sep 21, 2021 at 2:41 PM Jeff King <peff@xxxxxxxx> wrote:
>> > When HTTP/2 is in use, we fail to correctly redact "Authorization" (and
>> > other) headers in our GIT_TRACE_CURL output.
>> >
>> > We get the headers in our CURLOPT_DEBUGFUNCTION callback, curl_trace().
>> > It passes them along to curl_dump_header(), which in turn checks
>> > redact_sensitive_header(). We see the headers as a text buffer like:
>> >
>> >   Host: ...
>> >   Authorization: Basic ...
>> >
>> > After breaking it into lines, we match each header using skip_prefix().
>> > This is case-insensitive, even though HTTP headers are case-insensitive.
>> > This has worked reliably in the past because these headers are generated
>> > by curl itself, which is predictable in what it sends.
>>
>> Did you mean "This is case-sensitive..."?
>
> Whoops, yes. It probably makes a lot more sense with that fix. :)

Yeah, I was wondering about the same thing when I read it the first
time.
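
The matching problem discussed in this thread, as an added example that is not part of the original messages and is not Git's code: a trace redactor that compares header names case-sensitively misses the lowercase names HTTP/2 uses, while a case-insensitive comparison catches both forms. The helpers match_prefix() and redact_line() are hypothetical names, and the header lines are constructed samples.

```c
#include <ctype.h>
#include <stdio.h>

/* Hypothetical helper: return the text after `prefix` if `s` starts with it. */
static const char *match_prefix(const char *s, const char *prefix, int icase)
{
	for (; *prefix; s++, prefix++) {
		unsigned char a = (unsigned char)*s, b = (unsigned char)*prefix;
		if (icase ? tolower(a) != tolower(b) : a != b)
			return NULL;
	}
	return s;
}

/*
 * Redact the credential of a sensitive header line in place, keeping the
 * header name and auth scheme so the trace stays readable.
 * Returns 1 if the line was redacted, 0 if it was left untouched.
 */
int redact_line(char *line, size_t cap, int icase)
{
	static const char *const sensitive[] = { "Authorization:", "Proxy-Authorization:" };
	size_t i, keep;

	for (i = 0; i < sizeof(sensitive) / sizeof(*sensitive); i++) {
		const char *val = match_prefix(line, sensitive[i], icase);
		if (!val)
			continue;
		while (*val == ' ')
			val++;
		while (*val && *val != ' ')	/* skip the scheme token, e.g. "Basic" */
			val++;
		keep = (size_t)(val - line);
		snprintf(line + keep, cap - keep, " <redacted>");
		return 1;
	}
	return 0;
}

int main(void)
{
	/* Constructed sample lines: HTTP/1.1-style casing, then HTTP/2 lowercase. */
	char h1[64] = "Authorization: Basic Zm9vOmJhcg==";
	char h2[64] = "authorization: Basic Zm9vOmJhcg==";
	char h3[64] = "authorization: Basic Zm9vOmJhcg==";

	printf("%d %s\n", redact_line(h1, sizeof(h1), 0), h1);
	printf("%d %s\n", redact_line(h2, sizeof(h2), 0), h2); /* credential survives */
	printf("%d %s\n", redact_line(h3, sizeof(h3), 1), h3);
	return 0;
}
```

A regression test for this kind of redaction should feed the trace both casings of each sensitive header and check that the credential never appears in the output.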