Re: Git Bug Report: git credential 'url' parsing clear other fields

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Fri, Apr 26, 2024 at 09:27:03PM +0200, Thomas Desveaux wrote:

> input:
> ```
> username=user
> password=s3cret
> url=https://example.com/repository.git
> ```
> 
> This next input works as intended.
> input:
> ```
> url=https://example.com/repository.git
> username=user
> password=s3cret
> ```
> [...]
> `username` and `password` are correctly parsed and stored in the struct.
> `url` parsing then clear the fields.

Thanks for a clear report and example.

However, what you're seeing is the intended behavior. When the "url"
feature was added, it came with these docs in git-credential.txt:

  When this special attribute is read by `git credential`, the value is
  parsed as a URL and treated as if its constituent parts were read
  (e.g., `url=https://example.com` would behave as if `protocol=https`
  and `host=example.com` had been provided). This can help callers avoid
  parsing URLs themselves.  Note that any components which are missing
  from the URL (e.g., there is no username in the example above) will be
  set to empty; if you want to provide a URL and override some
  attributes, provide the URL attribute first, followed by any
  overrides.

That last "Note that..." part was lost in 1aed817f99 (credential:
document protocol updates, 2020-05-06). Between digging around in the
thread[1] and my recollection, I think the point was that we might drop
the "override" behavior as a defense-in-depth against injection attacks
(like "path=evil/\nhost=github.com"). I.e., make it an error to specify
"host=" more than once. But we didn't actually make that code change
yet.

However, even if we did so, I think we'd keep the "clear" half of the
behavior (we parsed a URL with no password in it, so the result is a
credential with no password in it). In which case your first example
still wouldn't behave as you expected.

So I think 1aed817f99 may have gone a bit too far and caused the
documentation to be misleading. It should probably keep the "any
components which are missing will be set to empty" part.

-Peff

[1] https://lore.kernel.org/git/20200505013908.4596-1-carenas@xxxxxxxxx/
[Index of Archives]     [Linux Kernel Development]     [Gcc Help]     [IETF Annouce]     [DCCP]     [Netdev]     [Networking]     [Security]     [V4L]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux SCSI]     [Fedora Users]

  Powered by Linux