Quentin Bouget <ypsah@xxxxxxxxxxx> writes:

> During a re-authentication (second attempt at authenticating with a
> remote, e.g. after a failed GSSAPI attempt), git allows the remote to
> provide credential overrides in the redirect URL and unconditionally
> drops the current HTTP credentials in favor of those, even when there
> aren't any.
>
> This commit makes it so HTTP credentials are only overridden when the
> redirect URL actually contains credentials itself.

"This commit makes it so" -> "Make it so"

> + char *username = NULL, *password = NULL;
> +
> + if (http_auth.username)
> + username = xstrdup(http_auth.username);
> + if (http_auth.password)
> + password = xstrdup(http_auth.password);

Not a huge deal, but we have xstrdup_or_null() helper function
exactly for a use case like this.

> credential_from_url(&http_auth, options->base_url->buf);
> +
> + if (http_auth.username)
> + free(username);
> + else if (username)
> + http_auth.username = username;
> +
> + if (http_auth.password)
> + free(password);
> + else if (password)
> + http_auth.password = password;

This is an interesting change. I wonder what breaks if we
completely ignored such credential materials forced by the remote
via a redirect?

> url = options->effective_url->buf;
> }
> }

Thanks.
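
Review bot: the restore block after credential_from_url() decides username and password independently, so a redirect URL that carries a username but no password keeps the redirect's username and then re-attaches the previously saved password through `else if (password) http_auth.password = password;`. That pairs the user's existing secret with a name chosen by the remote. Treat the two as a unit instead: restore the saved username and password only when the redirect URL supplied no username, and free both saved copies otherwise. A short comment above the block stating that rule would also help, since the intent ("only override when the URL actually contains credentials") is not obvious from the four branches alone.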