* Fwd: [bug report, possibly] Multiple pushes with passwords in URL
From: Left Right @ 2012-06-26 18:43 UTC (permalink / raw)
  To: git

Hello list,
I didn't find a bug tracker and some comments on StackOverflow
suggested I should post to the mailing list... please excuse me if I
followed the wrong info, it's not really easy to find your bug
tracker, if there is one.

I've come across this behavior trying to organize my repository to
push updates to several remote repositories. Here's what I did:

in .git/conf

[core]
        repositoryformatversion = 0
        filemode = true
        bare = false
        logallrefupdates = true

[remote "github"]
        fetch = +refs/heads/*:refs/remotes/origin/*
        url = https://username1:password1@github.com/some.git

[remote "googlecode"]
        fetch = +refs/heads/*:refs/remotes/origin/*
        url = https://username2:password2@code.google.com/p/some/

[remote "origin"]
        url = https://username1:password1@github.com/some.git
#        url = https://username2:password2@code.google.com/p/some/

[remote "all"]
        url = https://username1:password1@github.com/some.git
        url = https://username2:password2@code.google.com/p/some/

[branch "master"]
        remote = origin
        merge = refs/heads/master

Now, what happens if I try to push origin master:
the commit is sent to the first origin with the credential specified
in the first URL, but then the request to second URL is sent with the
credentials from the first URL. I tried switching them, and the result
is the same. I tried separate pushes to both repositories and it
works fine. I thought there might be something particular about
"origin" and tried moving the list of URLs to "all" - with the exact
same results.

This is kind of frustrating... but this is also a tiny security threat
as you are basically sending the credentials of the users they used at
one site to another... w/o any notice or warning.

That aside, I would be very happy to find some way to save passwords
in some... well... more secure format. Like on the keyring, for
example... .netrc is out of the question though because of duplicating
user names :(

Best.

Oleg


* Re: [bug report, possibly] Multiple pushes with passwords in URL
From: Kevin @ 2012-07-02  7:17 UTC (permalink / raw)
  To: Left Right; +Cc: git

Hi,

First, this is the right place for reporting bugs.

I don't know why it's using the credentials for the first remote. But I know
that recent versions of git ship a credentials[1] helper that can ask a wallet
or keychain for credentials, so you don't have to store them in the git
config.

Kevin


[1]: http://git-scm.com/docs/gitcredentials



* Re: [bug report, possibly] Multiple pushes with passwords in URL
From: Left Right @ 2012-07-02  9:09 UTC (permalink / raw)
  To: Kevin; +Cc: git

I have Git version 1.7.2.5 (this is what Debian repository provides), so

$ git help -a | grep credential-

doesn't find anything. But thanks, I've put that page into favorites.
Once there is a newer version, I'll try that.

Best.

Oleg
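
An audit for the configuration pattern discussed in this thread, as an added example that is not part of the original messages or of git itself: it parses a git config, reports remotes whose URLs embed a password, and reports remotes that group credentialed URLs for more than one host. The sample config is constructed with placeholder credentials, and the function names are this example's own.

```python
import re
from urllib.parse import urlsplit

# Constructed sample mirroring the layout in the report (placeholder credentials).
SAMPLE_CONFIG = '''
[remote "github"]
	fetch = +refs/heads/*:refs/remotes/github/*
	url = https://username1:password1@github.com/some.git
[remote "all"]
	url = https://username1:password1@github.com/some.git
	url = https://username2:password2@code.google.com/p/some/
[remote "clean"]
	url = https://github.com/some.git
'''

SECTION = re.compile(r'^\[remote\s+"([^"]+)"\]\s*$', re.IGNORECASE)
URL_KEY = re.compile(r'^(?:push)?url\s*=\s*(\S+)', re.IGNORECASE)

def remote_urls(config_text):
    """Map each remote name to its url/pushurl values, in file order."""
    remotes, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("["):             # any section header resets context
            m = SECTION.match(line)
            current = m.group(1) if m else None
            continue
        m = URL_KEY.match(line)
        if current and m:
            remotes.setdefault(current, []).append(m.group(1))
    return remotes

def audit(config_text):
    """Return sorted (remote, finding) pairs; credentials are never echoed."""
    findings = set()
    for name, urls in remote_urls(config_text).items():
        parts = [urlsplit(u) for u in urls]
        for p in parts:
            if p.password is not None:
                findings.add((name, f"password embedded in URL for {p.hostname}"))
        if len({p.hostname for p in parts}) > 1 and any(p.username for p in parts):
            findings.add((name, "credentialed URLs for several hosts in one remote"))
    return sorted(findings)

if __name__ == "__main__":
    for remote, finding in audit(SAMPLE_CONFIG):
        print(f"{remote}: {finding}")
```

To check a real repository, pass the contents of its config file to `audit()` instead of `SAMPLE_CONFIG`.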
