Re: [PATCH] http: handle both "h2" and "h2h3" in curl info lines


Jeff King <peff@xxxxxxxx> writes:

> When redacting auth tokens in trace output from curl, we look for http/2
> headers of the form "h2h3 [header: value]". This comes from b637a41ebe
> (http: redact curl h2h3 headers in info, 2022-11-11).
>
> But the "h2h3" prefix changed to just "h2" in curl's fc2f1e547 (http2:
> support HTTP/2 to forward proxies, non-tunneling, 2023-04-14). That's in
> released version curl 8.1.0; linking against that version means we'll
> fail to correctly redact the trace. Our t5559.17 notices and fails.
>
> We can fix this by matching either prefix, which should handle both old
> and new versions.

Thanks! This patch looks good to me.

I think the approach of matching both patterns literally is better than
trying to catch both `h2h3` and `h2` with a single pattern. Yes, it's
more readable, but it'll also extend better to future changes in curl -
we have no control over what curl might choose to log in the future,
which could be something completely unmatchable.

> Signed-off-by: Jeff King <peff@xxxxxxxx>
> ---
>  http.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/http.c b/http.c
> index bb58bb3e6a..b71bb1e3ad 100644
> --- a/http.c
> +++ b/http.c
> @@ -746,7 +746,8 @@ static void redact_sensitive_info_header(struct strbuf *header)
>  	 *   h2h3 [<header-name>: <header-val>]
>  	 */
>  	if (trace_curl_redact &&
> -	    skip_iprefix(header->buf, "h2h3 [", &sensitive_header)) {
> +	    (skip_iprefix(header->buf, "h2h3 [", &sensitive_header) ||
> +	     skip_iprefix(header->buf, "h2 [", &sensitive_header))) {
>  		if (redact_sensitive_header(header, sensitive_header - header->buf)) {
>  			/* redaction ate our closing bracket */
>  			strbuf_addch(header, ']');
> -- 
> 2.41.0.402.g53108db102



