On 5/29/2022 8:16 PM, Junio C Hamano wrote:
> "Derrick Stolee via GitGitGadget" <gitgitgadget@xxxxxxxxx> writes:
>
>> Create a new "fetch.credentialsInUrl" config option and teach Git to
>> warn or die when seeing a URL with this kind of information. The warning
>> anonymizes the sensitive information of the URL to be clear about the
>> issue.
>>
>> This change currently defaults the behavior to "allow" which does
>> nothing with these URLs. We can consider changing this behavior to
>> "warn" by default if we wish. At that time, we may want to add some
>> advice about setting fetch.credentialsInUrl=ignore for users who still
>> want to follow this pattern (and not receive the warning).
>
> Can we make this die in a bit more controlled way?
>
> e.g. https://github.com/git/git/runs/6646450422 seems to show that
> depending on the timing, the call to die() on the "git clone" side
> may cause us to stop reading early enough to kill the other side with
> SIGPIPE. The nicely prepared warning message seems to be lost.

Thanks for pointing this out. It took a while for me to reproduce
this with --stress, but I can get it to happen on my machine.

Investigating now.

Thanks,
-Stolee