Re: [PATCH v2] http: redact curl h2h3 headers in info

On Thu, Nov 10, 2022 at 09:38:08PM -0500, Jeff King wrote:
> On Thu, Nov 10, 2022 at 10:57:34PM +0000, Glen Choo via GitGitGadget wrote:
>
> > +/* Redact headers in info */
> > +static void redact_sensitive_info_header(struct strbuf *header)
> > +{
> > +	const char *sensitive_header;
> > +
> > +	/*
> > +	 * curl's h2h3 prints headers in info, e.g.:
> > +	 *   h2h3 [<header-name>: <header-val>]
> > +	 */
> > +	if (trace_curl_redact &&
> > +	    skip_iprefix(header->buf, "h2h3 [", &sensitive_header)) {
> > +		struct strbuf inner = STRBUF_INIT;
> > +
> > +		/* Drop the trailing "]" */
> > +		strbuf_add(&inner, sensitive_header, strlen(sensitive_header) - 1);
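Review bot: the `strlen(sensitive_header) - 1` in the last line of the hunk assumes the text after "h2h3 [" is non-empty and ends in "]", but nothing checks either; on the bare prefix "h2h3 [" the length is 0 and the size_t subtraction wraps to SIZE_MAX, and on any line without a closing bracket the last real character is silently dropped instead. Suggest checking the suffix explicitly, e.g. `size_t len; if (strip_suffix(sensitive_header, "]", &len)) strbuf_add(&inner, sensitive_header, len);`, and leaving the header untouched (or logging it verbatim) when the expected "]" is missing, since a redaction path that trips over unexpected input is worse than one that does nothing.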
>
> This will misbehave if fed the string "h2h3 [", because that strlen()
> becomes 0, and the subtraction underflows.
>
> Unlikely, since we are being fed by curl, but possibly worth asserting
> (though see below for an alternative which drops this line).

Eek. Thanks for spotting. Let's hold off on this one until Glen submits
another version, or you and he coordinate a combined series.

Thanks,
Taylor
