The http.cookiefile configuration variable is used to call curl_easy_setopt() to set CURLOPT_COOKIEFILE and if http.savecookies is set, the same value is used for CURLOPT_COOKIEJAR. The former is used only to read cookies at startup, the latter is used to write cookies at the end. The manual pages https://curl.se/libcurl/c/CURLOPT_COOKIEFILE.html and https://curl.se/libcurl/c/CURLOPT_COOKIEJAR.html talk about two interesting special values. * "" (an empty string) given to CURLOPT_COOKIEFILE means not to read cookies from any file upon startup. * It is not specified what "" (an empty string) given to CURLOPT_COOKIEJAR does; presumably open a file whose name is an empty string and write cookies to it? In any case, that is not what we want to see happen, ever. * "-" (a dash) given to CURLOPT_COOKIEFILE makes cURL read cookies from the standard input, and given to CURLOPT_COOKIEJAR makes cURL write cookies to the standard output. Neither of which we want ever to happen. So, let's make sure we avoid these nonsense cases. Specifically, when http.cookies is set to "-", ignore it with a warning, and when it is set to "" and http.savecookies is set, ignore http.savecookies with a warning. Signed-off-by: Junio C Hamano <gitster@xxxxxxxxx> --- * I have no confidence in me doing http correctly, so I am asking from folks who have touched http.c in the past 6 months for help. A proposed documentation update to talk about an empty string by Piotr, who is also on CC:, triggered this update. http.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git c/http.c w/http.c index 13fa94bef3..86ccca49f0 100644 --- c/http.c +++ w/http.c @@ -1466,7 +1466,16 @@ struct active_request_slot *get_active_slot(void) slot->finished = NULL; slot->callback_data = NULL; slot->callback_func = NULL; + + if (curl_cookie_file && !strcmp(curl_cookie_file, "-")) { + warning(_("refusing to read cookies from http.cookiefile '-'")); + FREE_AND_NULL(curl_cookie_file); + } curl_easy_setopt(slot->curl, CURLOPT_COOKIEFILE, curl_cookie_file); + if (curl_save_cookies && (!curl_cookie_file || !curl_cookie_file[0])) { + curl_save_cookies = 0; + warning(_("ignoring http.savecookies for empty http.cookiefile")); + } if (curl_save_cookies) curl_easy_setopt(slot->curl, CURLOPT_COOKIEJAR, curl_cookie_file); curl_easy_setopt(slot->curl, CURLOPT_HTTPHEADER, pragma_header);
