On 2024-02-04 at 18:54:27, Quentin Bouget wrote: > During a re-authentication (second attempt at authenticating with a > remote, e.g. after a failed GSSAPI attempt), git allows the remote to > provide credential overrides in the redirect URL and unconditionnaly > drops the current HTTP credentials in favors of those, even when there > aren't any. > > This commit makes it so HTTP credentials are only overridden when the > redirect URL actually contains credentials itself. I don't think your proposed change is safe. Credentials are supposed to be tied to a certain site and may even be tied to a specific repository, and if there's a redirect, then we need to re-fetch credentials or we could leak credentials to the wrong site by reusing them. Your change would therefore introduce a security vulnerability. I should also point out that in general we are trying to make it less easy and less convenient for people to use credentials in the URL because that always necessitates insecure storage. There have in fact been proposals to remove that functionality entirely. -- brian m. carlson (he/him or they/them) Toronto, Ontario, CA
Attachment:
signature.asc
Description: PGP signature
