During a re-authentication (second attempt at authenticating with a remote, e.g. after a failed GSSAPI attempt), git allows the remote to provide credential overrides in the redirect URL and unconditionnaly drops the current HTTP credentials in favors of those, even when there aren't any. This commit makes it so HTTP credentials are only overridden when the redirect URL actually contains credentials itself. Signed-off-by: Quentin Bouget <ypsah@xxxxxxxxxxx> --- http.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/http.c b/http.c index ccea19ac47..caba9cac1e 100644 --- a/http.c +++ b/http.c @@ -2160,7 +2160,25 @@ static int http_request_reauth(const char *url, if (options && options->effective_url && options->base_url) { if (update_url_from_redirect(options->base_url, url, options->effective_url)) { + char *username = NULL, *password = NULL; + + if (http_auth.username) + username = xstrdup(http_auth.username); + if (http_auth.password) + password = xstrdup(http_auth.password); + credential_from_url(&http_auth, options->base_url->buf); + + if (http_auth.username) + free(username); + else if (username) + http_auth.username = username; + + if (http_auth.password) + free(password); + else if (password) + http_auth.password = password; + url = options->effective_url->buf; } } -- 2.43.0