From: Derrick Stolee <derrickstolee@github.com>
To: Johannes Schindelin <Johannes.Schindelin@gmx.de>
Cc: Junio C Hamano <gitster@pobox.com>,
Derrick Stolee via GitGitGadget <gitgitgadget@gmail.com>,
git@vger.kernel.org, peff@peff.net, me@ttaylorr.com,
avarab@gmail.com, christian.couder@gmail.com, jrnieder@gmail.com,
"brian m. carlson" <sandals@crustytoothpaste.net>,
Robert Coup <robert.coup@koordinates.com>
Subject: Re: [PATCH] urlmatch: create fetch.credentialsInUrl config
Date: Tue, 24 May 2022 16:14:08 -0400 [thread overview]
Message-ID: <9318a400-479f-4029-c10b-3bfe498fcbb7@github.com> (raw)
In-Reply-To: <nycvar.QRO.7.76.6.2205241343390.352@tvgsbejvaqbjf.bet>
On 5/24/2022 7:46 AM, Johannes Schindelin wrote:
> Hi Stolee,
>
> On Mon, 23 May 2022, Derrick Stolee wrote:
>
>> On 5/23/2022 3:06 PM, Junio C Hamano wrote:
>>> "Derrick Stolee via GitGitGadget" <gitgitgadget@gmail.com> writes:
>>>
>>>> +static void detected_credentials_in_url(const char *url, size_t scheme_len)
>>>> +{
>>>> + char *value = NULL;
>>>> + const char *at_ptr;
>>>> + const char *colon_ptr;
>>>> + struct strbuf anonymized = STRBUF_INIT;
>>>> +
>>>> + /* "ignore" is the default behavior. */
>>>> + if (git_config_get_string("fetch.credentialsinurl", &value) ||
>>>> + !strcasecmp("ignore", value))
>>>> + goto cleanup;
>>>> +
>>>> + at_ptr = strchr(url, '@');
>>>> + colon_ptr = strchr(url + scheme_len + 3, ':');
>>>
>>> We expect that at_ptr would come after colon_ptr (i.e. in
>>> "scheme://<u>:<p>@host", no @ exists in <u> or <p> part) and the
>>> while() loop below assumes that for redacting.
>
> Careful here. https://me@there.com:9999/ _is_ a valid URL, too.
Thanks for checking. The method should not be called unless the
password region was already detected. I'll add a BUG() statement and
a comment to prevent future callers from providing incorrect URLs.
I can also add a test to show that this warning is not output when
the only colon is for the port number.
>>> Are we better off if we assert it here, or has the calling parser
>>> already rejected such cases?
>>
>> This computation of at_ptr matches the one in url_normalize_1(),
>> so it at least agrees about where the "username[:password]" section
>> could be. That does mean that the password cannot contain an "@"
>> symbol (unless it is special-cased somehow?).
>
> The password cannot contain a literal `@`, and neither can the user name.
> They have to be URL-encoded, via `%40`.
Thanks!
-Stolee
next prev parent reply other threads:[~2022-05-24 20:14 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-23 18:04 [PATCH] urlmatch: create fetch.credentialsInUrl config Derrick Stolee via GitGitGadget
2022-05-23 19:06 ` Junio C Hamano
2022-05-23 20:31 ` Derrick Stolee
2022-05-23 21:14 ` Junio C Hamano
2022-05-24 11:46 ` Johannes Schindelin
2022-05-24 20:14 ` Derrick Stolee [this message]
2022-05-23 20:37 ` Junio C Hamano
2022-05-24 11:51 ` Johannes Schindelin
2022-05-24 8:18 ` Ævar Arnfjörð Bjarmason
2022-05-24 13:50 ` Derrick Stolee
2022-05-24 21:01 ` Ævar Arnfjörð Bjarmason
2022-05-25 14:03 ` Derrick Stolee
2022-05-24 11:42 ` Johannes Schindelin
2022-05-24 20:16 ` Derrick Stolee
2022-05-27 13:27 ` [PATCH v2] " Derrick Stolee via GitGitGadget
2022-05-27 14:22 ` Ævar Arnfjörð Bjarmason
2022-05-27 14:43 ` Derrick Stolee
2022-05-27 18:09 ` Junio C Hamano
2022-05-27 18:40 ` Junio C Hamano
2022-05-30 0:16 ` Junio C Hamano
2022-05-31 13:32 ` Derrick Stolee
2022-06-01 1:16 ` [PATCH v3 0/2] fetch: " Derrick Stolee via GitGitGadget
2022-06-01 1:16 ` [PATCH v3 1/2] remote: " Derrick Stolee via GitGitGadget
2022-06-01 19:19 ` Ævar Arnfjörð Bjarmason
2022-06-02 13:38 ` Derrick Stolee
2022-06-01 1:16 ` [PATCH v3 2/2] usage: add warn_once() helper for repeated warnings Derrick Stolee via GitGitGadget
2022-06-01 12:29 ` Ævar Arnfjörð Bjarmason
2022-06-01 18:42 ` Derrick Stolee
2022-06-01 19:33 ` Ævar Arnfjörð Bjarmason
2022-06-02 13:43 ` Derrick Stolee
2022-06-01 20:21 ` Junio C Hamano
2022-06-02 14:24 ` Derrick Stolee
2022-06-02 17:53 ` Junio C Hamano
2022-06-01 20:40 ` Junio C Hamano
2022-06-02 17:20 ` [PATCH v4] remote: create fetch.credentialsInUrl config Derrick Stolee via GitGitGadget
2022-06-02 21:20 ` Junio C Hamano
2022-06-03 12:54 ` Derrick Stolee
2022-06-06 15:37 ` Junio C Hamano
2022-06-06 14:36 ` [PATCH v5] " Derrick Stolee via GitGitGadget
2022-06-06 16:34 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9318a400-479f-4029-c10b-3bfe498fcbb7@github.com \
--to=derrickstolee@github.com \
--cc=Johannes.Schindelin@gmx.de \
--cc=avarab@gmail.com \
--cc=christian.couder@gmail.com \
--cc=git@vger.kernel.org \
--cc=gitgitgadget@gmail.com \
--cc=gitster@pobox.com \
--cc=jrnieder@gmail.com \
--cc=me@ttaylorr.com \
--cc=peff@peff.net \
--cc=robert.coup@koordinates.com \
--cc=sandals@crustytoothpaste.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).