Re: git clone with basic auth in url directly returns authentication failure after 401 received under some git versions

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Mon, Aug 22, 2022 at 10:11:29PM +0000, brian m. carlson wrote:

> > I'm not 100% on it either. When it comes to security restrictions,
> > sometimes simple-and-stupid is the best way. I was literally thinking of
> > something as basic and restricted as:
> > 
> >   if (from_port == 80 && to_port == 443 &&
> >       from_protocol == HTTP && to_protocol == HTTPS)
> >         /* ok, allow it */
> > 
> > just because https upgrade is such a common (and presumably harmless)
> > redirect.  But possibly even that leaves wiggle room for bad things to
> > happen. I'm happy to defer to you and other curl folks there.
> 
> I think it's actually better to fail in this case, and here's why.  If
> someone is using HTTP and getting redirected to HTTPS, there's no
> security if an attacker intercepts the HTTP connection.  Anyone who
> knows how a captive portal works will recognize this immediately, and
> it's why we have Strict Transport Security in browsers.
> 
> If we fail when a user redirects, then they'll fix their URL to use
> HTTPS, at which point their connection is prevented from tampering
> effectively forever.  If we redirect, then when they make a connection,
> they'll be vulnerable to tampering every time, possibly sending
> credentials over the wire in plaintext or being redirected to a rogue
> site.

I agree redirecting is less secure, but in this case the credentials are
cleared unless it's an http->https upgrade on the same hostname (not
shown in my example above is the implication that curl would still be
doing the hostname check).

We also follow redirects in general, so this is just about clearing
in-url credentials. We'll still prompt for credentials in the more usual
case, though we do properly say "password for $REDIRECTED_URL" when
doing so.

All that said, I agree that failing and asking the user to adjust their
URL is a fine outcome, as long as we do that. The problem now is just
that Git's output is misleading at best. The diff I showed earlier would
help with that. I think it could use a little polish, but I'll see if I
can do that in the next few days.

-Peff
[Index of Archives]     [Linux Kernel Development]     [Gcc Help]     [IETF Annouce]     [DCCP]     [Netdev]     [Networking]     [Security]     [V4L]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux SCSI]     [Fedora Users]

  Powered by Linux