[PATCH] http: handle both "h2" and "h2h3" in curl info lines

On Sat, Jun 17, 2023 at 12:42:32AM -0400, Jeff King wrote:

> Looking at the string it prints, curl gave us "h2 [...".  But your
> b637a41ebe (http: redact curl h2h3 headers in info, 2022-11-11) looks
> for "h2h3 [...". I don't know why curl would print one versus the other.
> The solution may be something like:
> 
> diff --git a/http.c b/http.c
> index bb58bb3e6a..283410b3c7 100644
> --- a/http.c
> +++ b/http.c
> @@ -746,7 +746,8 @@ static void redact_sensitive_info_header(struct strbuf *header)
>  	 *   h2h3 [<header-name>: <header-val>]
>  	 */
>  	if (trace_curl_redact &&
> -	    skip_iprefix(header->buf, "h2h3 [", &sensitive_header)) {
> +	    skip_iprefix(header->buf, "h2h3 [", &sensitive_header) ||
> +	    skip_iprefix(header->buf, "h2 [", &sensitive_header)) {
>  		if (redact_sensitive_header(header, sensitive_header - header->buf)) {
>  			/* redaction ate our closing bracket */
>  			strbuf_addch(header, ']');
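Review bot: the condition on the added lines has no parentheses around the two skip_iprefix() calls, so it parses as (trace_curl_redact && skip_iprefix(..., "h2h3 [", ...)) || skip_iprefix(..., "h2 [", ...). A line starting with "h2 [" would then enter the redaction branch even when trace_curl_redact is off. Wrap both prefix checks in a single parenthesized group so that each is gated by trace_curl_redact.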
> 
> but it would be nice to have some explanation of why we would see each
> one.

Ah, I see. It looks like it depends on which version of curl is in use.
Perhaps the macOS image in CI has been updated (or maybe the new version
just became available via brew or something). I was able to replicate on
my Linux system by building and linking against curl 8.1.0, and the
patch above (modulo some missing parentheses) fixes it.

So here's that patch with a commit message, though note that t5559.30
seems to reliably fail with a timeout for me on the new version of curl. :(

-- >8 --
Subject: [PATCH] http: handle both "h2" and "h2h3" in curl info lines

When redacting auth tokens in trace output from curl, we look for http/2
headers of the form "h2h3 [header: value]". This comes from b637a41ebe
(http: redact curl h2h3 headers in info, 2022-11-11).

But the "h2h3" prefix changed to just "h2" in curl's fc2f1e547 (http2:
support HTTP/2 to forward proxies, non-tunneling, 2023-04-14). That's in
released version curl 8.1.0; linking against that version means we'll
fail to correctly redact the trace. Our t5559.17 notices and fails.

We can fix this by matching either prefix, which should handle both old
and new versions.

Signed-off-by: Jeff King <peff@xxxxxxxx>
---
 http.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/http.c b/http.c
index bb58bb3e6a..b71bb1e3ad 100644
--- a/http.c
+++ b/http.c
@@ -746,7 +746,8 @@ static void redact_sensitive_info_header(struct strbuf *header)
 	 *   h2h3 [<header-name>: <header-val>]
 	 */
 	if (trace_curl_redact &&
-	    skip_iprefix(header->buf, "h2h3 [", &sensitive_header)) {
+	    (skip_iprefix(header->buf, "h2h3 [", &sensitive_header) ||
+	     skip_iprefix(header->buf, "h2 [", &sensitive_header))) {
 		if (redact_sensitive_header(header, sensitive_header - header->buf)) {
 			/* redaction ate our closing bracket */
 			strbuf_addch(header, ']');
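Review bot: the comment kept as context at the top of this hunk still documents only the "h2h3 [<header-name>: <header-val>]" form, while the condition below it now also accepts "h2 [". Suggest extending that comment to list both prefixes and to say that the shorter one is what curl 8.1.0 and later emit, so a reader of http.c does not have to recover the reason from the commit message. The grouping of the two skip_iprefix() calls under trace_curl_redact looks right, and the order of the checks does not matter since neither string is a prefix of the other.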
-- 
2.41.0.402.g53108db102



