Crls <kaploceh@xxxxxxxxx> writes:

> ... Coincidentally speaking, why does a username warrant a prompt
> from git, is simply beyond me. I mean, that is certainly the more
> far-fetched reasoning of implementation I've read in a long long
> time.
>
> Can you git-clone a user? What about the user's settings? What
> about the remainder of its gpg tokens and so forth? In other words,
> if a user's repo is not found, why even prompt for a username?
> The latter, that is, the user's repo, is redundant, when the
> prompt is clearly asking for a username, and not a repo.

When you "git clone", you'd give a repository path to the server. If the repository is not open to the general anonymous public, then the server needs to check who you are (by asking for a username) and verify that you are who you claim to be (by asking for a password). Here are two things you need to pay attention to.

 - A user can be the owner of more than one repository, and
 - a repository can be accessed by users other than its owner.

So even after the repository is known by the server, the server still needs to ask you who you are.

Imagine that there are many projects hosted at the same site, the repository path is named after the codename of the project, and the project codename is a need-to-know secret. If the server side reacted differently between an attempt to clone existing repositories and missing ones, an attacker can try

    git clone https://site.example.com/projects/$X

with many X's and observe the behaviour of the server. If the server is known to respond with "no such repository" for a missing one, while responding with "please identify yourself" for an existing one, you can easily tell if a word $X is a project codename that is supposed to be secret.

> Preventing the disclosure of information has nothing to do with
> the issue here. If anything seems clear to me, is that prompting
> for a username, does indeed disclose usernames, private, public
> and whatnot from either github or gitlab.
When you need to identify yourself to GitHub or GitLab, you'd give your username and password. You know that GitHub or GitLab have the username, so it is not secret to them. Otherwise they wouldn't be able to even recognise you. So I am not sure how it "seems clear" that asking for the username is a problem. The observed behaviour of asking for the username even for a missing repository is all about avoiding disclosing one bit of information: whether a repository exists at the given URL.
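The server-side decision described in the reply, as an added toy model that is not code from the git project or from anyone in this thread. It contrasts a handler that answers "no such repository" before asking who you are with one that asks for credentials first, and extends the same idea to the authenticated case (an account that is not on the repository's access list gets the same answer as for a missing path). Repository paths, user names and the Basic realm are constructed sample values.

```python
"""Toy model of a git-over-HTTP server deciding how to answer a clone
request. Added example; repository names and users are constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample repositories: set of allowed users, or None if the
# repository is readable by anonymous clients.
REPOS = {
    "/projects/bluefin.git": {"alice", "bob"},   # private, codename is secret
    "/projects/public-docs.git": None,           # world-readable
}
MISSING = object()   # sentinel distinguishing "no such repo" from "public"


@dataclass(frozen=True)
class Response:
    status: int
    www_authenticate: Optional[str] = None


def leaky_handler(path: str, user: Optional[str] = None) -> Response:
    """Answers 404 before asking who you are: an anonymous probe can tell
    an existing private repository (401) from a missing one (404)."""
    if path not in REPOS:
        return Response(404)
    allowed = REPOS[path]
    if allowed is None:
        return Response(200)
    if user is None:
        return Response(401, 'Basic realm="git"')
    return Response(200) if user in allowed else Response(403)


def uniform_handler(path: str, user: Optional[str] = None) -> Response:
    """Asks for credentials first (the behaviour the reply describes), so
    every anonymous request to a non-public path looks the same."""
    entry = REPOS.get(path, MISSING)
    if entry is None:                      # known public repo: no prompt
        return Response(200)
    if user is None:                       # missing or private: same answer
        return Response(401, 'Basic realm="git"')
    if entry is MISSING or user not in entry:
        return Response(404)               # "not there" == "not yours"
    return Response(200)


def anonymous_probe_distinguishes(handler, existing: str, missing: str) -> bool:
    """True if an unauthenticated client can separate the two paths."""
    return handler(existing) != handler(missing)
```

Running `anonymous_probe_distinguishes` over both handlers is the check a server operator would want: it should be False for the deployed handler for every existing private path paired with any missing path.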