* [PATCH] Added Curl Option to Override Request Method @ 2022-04-26 11:01 Drew Green via GitGitGadget 2022-04-26 15:57 ` [PATCH v2] Added Curl Option to Override Request Method v2 Drew Green via GitGitGadget 0 siblings, 1 reply; 5+ messages in thread From: Drew Green via GitGitGadget @ 2022-04-26 11:01 UTC (permalink / raw) To: git; +Cc: Drew Green, agreenbhm From: agreenbhm <agreenbhm@gmail.com> Added support for environment variable "CURLOPT_CUSTOMREQUEST" to allow setting the curl option to override the default request method used by HTTP Git operations. Primary reason for this is to allow support for cloning repositories where only GET requests are allowed but not POSTs. When cloning a repo first a GET is made to the server and then a POST is made to the "git-upload-pack" endpoint. In some corporate environments with strong controls only GET requests are allowed to known repository hosts (such as GitHub) to prevent data leakage by sending data. Using this new environmental variable, a user can set "CURLOPT_CUSTOMREQUEST=GET" which will change the second request from a POST to a GET, bypassing web proxy restrictions on the type of requests allowed. Tested with GitHub, changing the request from POST to GET still results in the expected behavior of the repo successfully being cloned. Signed-off-by: agreenbhm <agreenbhm@gmail.com> --- Added Curl Option to Override Request Method Added support for environment variable "CURLOPT_CUSTOMREQUEST" to allow setting the curl option to override the default request method used by HTTP Git operations. Primary reason for this is to allow support for cloning repositories where only GET requests are allowed but not POSTs. When cloning a repo first a GET is made to the server and then a POST is made to the "git-upload-pack" endpoint. In some corporate environments with strong controls only GET requests are allowed to known repository hosts (such as GitHub) to prevent data leakage by sending data. Using this new environmental variable, a user can set "CURLOPT_CUSTOMREQUEST=GET" which will change the second request from a POST to a GET, bypassing web proxy restrictions on the type of requests allowed. Tested with GitHub, changing the request from POST to GET still results in the expected behavior of the repo successfully being cloned. Signed-off-by: agreenbhm agreenbhm@gmail.com Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-1225%2Fagreenbhm%2Fmaster-v1 Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-1225/agreenbhm/master-v1 Pull-Request: https://github.com/gitgitgadget/git/pull/1225 http.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/http.c b/http.c index 229da4d1488..2ca13b848a5 100644 --- a/http.c +++ b/http.c @@ -1235,6 +1235,8 @@ struct active_request_slot *get_active_slot(void) curl_easy_setopt(slot->curl, CURLOPT_HTTPAUTH, http_auth_methods); if (http_auth.password || curl_empty_auth_enabled()) init_curl_http_auth(slot->curl); + if(getenv("CURLOPT_CUSTOMREQUEST")) + curl_easy_setopt(slot->curl, CURLOPT_CUSTOMREQUEST, getenv("CURLOPT_CUSTOMREQUEST")); return slot; } base-commit: 6cd33dceed60949e2dbc32e3f0f5e67c4c882e1e -- gitgitgadget ^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH v2] Added Curl Option to Override Request Method v2 2022-04-26 11:01 [PATCH] Added Curl Option to Override Request Method Drew Green via GitGitGadget @ 2022-04-26 15:57 ` Drew Green via GitGitGadget 2022-04-26 21:28 ` brian m. carlson 0 siblings, 1 reply; 5+ messages in thread From: Drew Green via GitGitGadget @ 2022-04-26 15:57 UTC (permalink / raw) To: git; +Cc: Drew Green, agreenbhm From: agreenbhm <agreenbhm@gmail.com> Added support for environment variable "CURLOPT_CUSTOMREQUEST" and config option "http.customrequest" to allow setting the Curl option to override the default request method used by HTTP Git operations. Primary reason for this is to allow support for cloning repositories where only GET requests are allowed by a local web proxy but not POSTs. When cloning a repo first a GET is made to the server and then a POST is made to the "git-upload-pack" endpoint. In some corporate environments with strong controls only GET requests are allowed to known repository hosts (such as GitHub) through a web proxy to prevent data leakage. Using this new setting, a user can set the "CURLOPT_CUSTOMREQUEST=GET" env at runtime or "http.customrequest = GET" in their config file which will change the second request from a POST to a GET, bypassing web proxy restrictions on the type of requests allowed. Tested with GitHub, changing the request from POST to GET still results in the expected behavior of the repo successfully being cloned. This is v2 of this patch, which refactored the placement of the env and added the ability to set the config file option. Signed-off-by: agreenbhm <agreenbhm@gmail.com> --- Added Curl Option to Override Request Method Added support for environment variable "CURLOPT_CUSTOMREQUEST" to allow setting the curl option to override the default request method used by HTTP Git operations. Primary reason for this is to allow support for cloning repositories where only GET requests are allowed but not POSTs. When cloning a repo first a GET is made to the server and then a POST is made to the "git-upload-pack" endpoint. In some corporate environments with strong controls only GET requests are allowed to known repository hosts (such as GitHub) to prevent data leakage by sending data. Using this new environmental variable, a user can set "CURLOPT_CUSTOMREQUEST=GET" which will change the second request from a POST to a GET, bypassing web proxy restrictions on the type of requests allowed. Tested with GitHub, changing the request from POST to GET still results in the expected behavior of the repo successfully being cloned. Signed-off-by: agreenbhm agreenbhm@gmail.com Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-1225%2Fagreenbhm%2Fmaster-v2 Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-1225/agreenbhm/master-v2 Pull-Request: https://github.com/gitgitgadget/git/pull/1225 Range-diff vs v1: 1: 8bf14c61c2a < -: ----------- Added Curl Option to Override Request Method -: ----------- > 1: 8734bf28344 Added Curl Option to Override Request Method v2 http.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/http.c b/http.c index 229da4d1488..eaf269fc5a7 100644 --- a/http.c +++ b/http.c @@ -75,6 +75,7 @@ static const char *http_proxy_ssl_key; static const char *http_proxy_ssl_ca_info; static struct credential proxy_cert_auth = CREDENTIAL_INIT; static int proxy_ssl_cert_password_required; +static const char *http_custom_request; static struct { const char *name; @@ -403,6 +404,9 @@ static int http_options(const char *var, const char *value, void *cb) return 0; } + if(!strcmp("http.customrequest", var)) + return git_config_string(&http_custom_request, var, value); + /* Fall back on the default ones */ return git_default_config(var, value, cb); } @@ -1099,6 +1103,7 @@ void http_init(struct remote *remote, const char *url, int proactive_auth) starts_with(url, "https://")) ssl_cert_password_required = 1; } + set_from_env(&http_custom_request, "CURLOPT_CUSTOMREQUEST"); curl_default = get_curl_handle(); } @@ -1212,7 +1217,7 @@ struct active_request_slot *get_active_slot(void) curl_easy_setopt(slot->curl, CURLOPT_COOKIEJAR, curl_cookie_file); curl_easy_setopt(slot->curl, CURLOPT_HTTPHEADER, pragma_header); curl_easy_setopt(slot->curl, CURLOPT_ERRORBUFFER, curl_errorstr); - curl_easy_setopt(slot->curl, CURLOPT_CUSTOMREQUEST, NULL); + curl_easy_setopt(slot->curl, CURLOPT_CUSTOMREQUEST, http_custom_request); curl_easy_setopt(slot->curl, CURLOPT_READFUNCTION, NULL); curl_easy_setopt(slot->curl, CURLOPT_WRITEFUNCTION, NULL); curl_easy_setopt(slot->curl, CURLOPT_POSTFIELDS, NULL); base-commit: 6cd33dceed60949e2dbc32e3f0f5e67c4c882e1e -- gitgitgadget ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH v2] Added Curl Option to Override Request Method v2 2022-04-26 15:57 ` [PATCH v2] Added Curl Option to Override Request Method v2 Drew Green via GitGitGadget @ 2022-04-26 21:28 ` brian m. carlson 2022-04-26 23:34 ` Drew Green 0 siblings, 1 reply; 5+ messages in thread From: brian m. carlson @ 2022-04-26 21:28 UTC (permalink / raw) To: Drew Green via GitGitGadget; +Cc: git, Drew Green [-- Attachment #1: Type: text/plain, Size: 1741 bytes --] On 2022-04-26 at 15:57:39, Drew Green via GitGitGadget wrote: > From: agreenbhm <agreenbhm@gmail.com> > > Added support for environment variable "CURLOPT_CUSTOMREQUEST" > and config option "http.customrequest" to allow setting the Curl > option to override the default request method used by HTTP Git > operations. Primary reason for this is to allow support for > cloning repositories where only GET requests > are allowed by a local web proxy but not POSTs. When cloning > a repo first a GET is made to the server and then a > POST is made to the "git-upload-pack" endpoint. In some > corporate environments with strong controls > only GET requests are allowed to known repository hosts (such > as GitHub) through a web proxy to prevent data leakage. Using this > new setting, a user can set the "CURLOPT_CUSTOMREQUEST=GET" env at runtime > or "http.customrequest = GET" in their config file which will > change the second request from a POST to a GET, bypassing > web proxy restrictions on the type of requests allowed. > Tested with GitHub, changing the request from POST to GET still > results in the expected behavior of the repo successfully being cloned. I don't think this is a good idea. It may happen that GitHub or other servers happen to accept a GET request here, but that is a bug and should be fixed. It is definitely not something we should depend on or rely on, and it isn't a documented part of the protocol. If your corporate environment doesn't allow POST requests, you may wish to use SSH for Git operations instead, or you may need to explain to your company why you cannot do your job with their proxy in place. -- brian m. carlson (he/him or they/them) Toronto, Ontario, CA [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 262 bytes --] ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v2] Added Curl Option to Override Request Method v2 2022-04-26 21:28 ` brian m. carlson @ 2022-04-26 23:34 ` Drew Green 2022-04-27 0:49 ` brian m. carlson 0 siblings, 1 reply; 5+ messages in thread From: Drew Green @ 2022-04-26 23:34 UTC (permalink / raw) To: brian m. carlson, Drew Green via GitGitGadget, git, Drew Green On Tue, Apr 26, 2022 at 7:30 PM brian m. carlson <sandals@crustytoothpaste.net> wrote: > > On 2022-04-26 at 15:57:39, Drew Green via GitGitGadget wrote: > > From: agreenbhm <agreenbhm@gmail.com> > > > > Added support for environment variable "CURLOPT_CUSTOMREQUEST" > > and config option "http.customrequest" to allow setting the Curl > > option to override the default request method used by HTTP Git > > operations. Primary reason for this is to allow support for > > cloning repositories where only GET requests > > are allowed by a local web proxy but not POSTs. When cloning > > a repo first a GET is made to the server and then a > > POST is made to the "git-upload-pack" endpoint. In some > > corporate environments with strong controls > > only GET requests are allowed to known repository hosts (such > > as GitHub) through a web proxy to prevent data leakage. Using this > > new setting, a user can set the "CURLOPT_CUSTOMREQUEST=GET" env at runtime > > or "http.customrequest = GET" in their config file which will > > change the second request from a POST to a GET, bypassing > > web proxy restrictions on the type of requests allowed. > > Tested with GitHub, changing the request from POST to GET still > > results in the expected behavior of the repo successfully being cloned. > > I don't think this is a good idea. It may happen that GitHub or other > servers happen to accept a GET request here, but that is a bug and > should be fixed. It is definitely not something we should depend on or > rely on, and it isn't a documented part of the protocol. > > If your corporate environment doesn't allow POST requests, you may wish > to use SSH for Git operations instead, or you may need to explain to > your company why you cannot do your job with their proxy in place. > -- > brian m. carlson (he/him or they/them) > Toronto, Ontario, CA Brian - I understand what you're saying, however I don't think adding this feature is detrimental in any way. It is simply leveraging a feature of curl without any promises of resulting behavior. Why not allow users to take advantage of a library feature if it can help? -- Drew Green www.drewgreen.net PGP: 17BDDD7E ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH v2] Added Curl Option to Override Request Method v2 2022-04-26 23:34 ` Drew Green @ 2022-04-27 0:49 ` brian m. carlson 0 siblings, 0 replies; 5+ messages in thread From: brian m. carlson @ 2022-04-27 0:49 UTC (permalink / raw) To: Drew Green; +Cc: Drew Green via GitGitGadget, git [-- Attachment #1: Type: text/plain, Size: 1711 bytes --] On 2022-04-26 at 23:34:32, Drew Green wrote: > Brian - I understand what you're saying, however I don't think adding > this feature is detrimental in any way. It is simply leveraging a > feature of curl without any promises of resulting behavior. Why not > allow users to take advantage of a library feature if it can help? Because the protocol is defined to use POST. We might well define GET to mean something different in the future. HTTP verbs are not interchangeable, and GET requests can be subject to caching while POST requests typically cannot. Similarly, GET requests are idempotent, while POST requests are not, and what you're proposing would allow creating non-idempotent GET requests, thereby violating the HTTP specification. Also, people will expect it to work and complain when it doesn't. People will complain that GitHub no longer supports it if we fix the bug[0] because Git has an option to use GET. People will also expect this support in Git LFS as well even though it cannot possibly work there, and be angry that we won't support it. I'm very much opposed to this. There are all sorts of broken proxies which break Git in various ways, and this is just another situation in which they do that. The solution is to use SSH, if that's available, or fix the proxy. A proxy that doesn't handle POST properly doesn't even speak HTTP/1.1 properly, and that was defined in 1999. There's really no excuse to have such software on the Internet today. Such a proxy wouldn't even be usable for a web browser. [0] It is my intention to fix this bug in GitHub's Git service in short order. -- brian m. carlson (he/him or they/them) Toronto, Ontario, CA [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 262 bytes --] ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2022-04-27 0:49 UTC | newest] Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2022-04-26 11:01 [PATCH] Added Curl Option to Override Request Method Drew Green via GitGitGadget 2022-04-26 15:57 ` [PATCH v2] Added Curl Option to Override Request Method v2 Drew Green via GitGitGadget 2022-04-26 21:28 ` brian m. carlson 2022-04-26 23:34 ` Drew Green 2022-04-27 0:49 ` brian m. carlson
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).