From: Junio C Hamano <gitster@pobox.com>
To: Derrick Stolee <derrickstolee@github.com>
Cc: Derrick Stolee via GitGitGadget <gitgitgadget@gmail.com>,
git@vger.kernel.org, peff@peff.net, me@ttaylorr.com,
avarab@gmail.com, christian.couder@gmail.com,
johannes.schindelin@gmx.de, jrnieder@gmail.com,
"brian m. carlson" <sandals@crustytoothpaste.net>,
Robert Coup <robert.coup@koordinates.com>
Subject: Re: [PATCH] urlmatch: create fetch.credentialsInUrl config
Date: Mon, 23 May 2022 14:14:06 -0700 [thread overview]
Message-ID: <xmqqo7zoostd.fsf@gitster.g> (raw)
In-Reply-To: <7495dac8-0241-ad56-59e3-100673c88c52@github.com> (Derrick Stolee's message of "Mon, 23 May 2022 16:31:42 -0400")
Derrick Stolee <derrickstolee@github.com> writes:
> This computation of at_ptr matches the one in url_normalize_1(),
> so it at least agrees about where the "username[:password]" section
> could be.
OK.
> That does mean that the password cannot contain an "@"
> symbol (unless it is special-cased somehow?).
I wasn't worried about what is valid but more about what attackers
can fool users to throw at "git clone" and make our code misbehave
(which can include garbage that would not parse correctly).
I think the while() loop will just become a no-op, anonymized buffer
is left empty and colon_ptr does not get updated at all. Then
strbuf_addstr() after the loop will put everything from '@' to the
strbuf to be showed, and none of these should lead to any overrun or
exploit.
Thanks.
next prev parent reply other threads:[~2022-05-23 21:14 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-23 18:04 [PATCH] urlmatch: create fetch.credentialsInUrl config Derrick Stolee via GitGitGadget
2022-05-23 19:06 ` Junio C Hamano
2022-05-23 20:31 ` Derrick Stolee
2022-05-23 21:14 ` Junio C Hamano [this message]
2022-05-24 11:46 ` Johannes Schindelin
2022-05-24 20:14 ` Derrick Stolee
2022-05-23 20:37 ` Junio C Hamano
2022-05-24 11:51 ` Johannes Schindelin
2022-05-24 8:18 ` Ævar Arnfjörð Bjarmason
2022-05-24 13:50 ` Derrick Stolee
2022-05-24 21:01 ` Ævar Arnfjörð Bjarmason
2022-05-25 14:03 ` Derrick Stolee
2022-05-24 11:42 ` Johannes Schindelin
2022-05-24 20:16 ` Derrick Stolee
2022-05-27 13:27 ` [PATCH v2] " Derrick Stolee via GitGitGadget
2022-05-27 14:22 ` Ævar Arnfjörð Bjarmason
2022-05-27 14:43 ` Derrick Stolee
2022-05-27 18:09 ` Junio C Hamano
2022-05-27 18:40 ` Junio C Hamano
2022-05-30 0:16 ` Junio C Hamano
2022-05-31 13:32 ` Derrick Stolee
2022-06-01 1:16 ` [PATCH v3 0/2] fetch: " Derrick Stolee via GitGitGadget
2022-06-01 1:16 ` [PATCH v3 1/2] remote: " Derrick Stolee via GitGitGadget
2022-06-01 19:19 ` Ævar Arnfjörð Bjarmason
2022-06-02 13:38 ` Derrick Stolee
2022-06-01 1:16 ` [PATCH v3 2/2] usage: add warn_once() helper for repeated warnings Derrick Stolee via GitGitGadget
2022-06-01 12:29 ` Ævar Arnfjörð Bjarmason
2022-06-01 18:42 ` Derrick Stolee
2022-06-01 19:33 ` Ævar Arnfjörð Bjarmason
2022-06-02 13:43 ` Derrick Stolee
2022-06-01 20:21 ` Junio C Hamano
2022-06-02 14:24 ` Derrick Stolee
2022-06-02 17:53 ` Junio C Hamano
2022-06-01 20:40 ` Junio C Hamano
2022-06-02 17:20 ` [PATCH v4] remote: create fetch.credentialsInUrl config Derrick Stolee via GitGitGadget
2022-06-02 21:20 ` Junio C Hamano
2022-06-03 12:54 ` Derrick Stolee
2022-06-06 15:37 ` Junio C Hamano
2022-06-06 14:36 ` [PATCH v5] " Derrick Stolee via GitGitGadget
2022-06-06 16:34 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xmqqo7zoostd.fsf@gitster.g \
--to=gitster@pobox.com \
--cc=avarab@gmail.com \
--cc=christian.couder@gmail.com \
--cc=derrickstolee@github.com \
--cc=git@vger.kernel.org \
--cc=gitgitgadget@gmail.com \
--cc=johannes.schindelin@gmx.de \
--cc=jrnieder@gmail.com \
--cc=me@ttaylorr.com \
--cc=peff@peff.net \
--cc=robert.coup@koordinates.com \
--cc=sandals@crustytoothpaste.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.