summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLibravatar Johannes Schindelin <johannes.schindelin@gmx.de>2020-04-24 11:49:52 +0000
committerLibravatar Junio C Hamano <gitster@pobox.com>2020-04-29 08:37:36 -0700
commit9a121b0d226dd0017318be0d18120aeb766f1235 (patch)
tree04944a76b4e56059b833e564bce2db6e91780295
parentcredential: optionally allow partial URLs in credential_from_url_gently() (diff)
downloadtgif-9a121b0d226dd0017318be0d18120aeb766f1235.tar.xz
credential: handle `credential.<partial-URL>.<key>` again
In the patches for CVE-2020-11008, the ability to specify credential settings in the config for partial URLs got lost. For example, it used to be possible to specify a credential helper for a specific protocol: [credential "https://"] helper = my-https-helper Likewise, it used to be possible to configure settings for a specific host, e.g.: [credential "dev.azure.com"] useHTTPPath = true Let's reinstate this behavior. While at it, increase the test coverage to document and verify the behavior with a couple other categories of partial URLs. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Reviewed-by: Carlo Marcelo Arenas Belón <carenas@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
-rw-r--r--credential.c18
-rwxr-xr-xt/t0300-credentials.sh38
2 files changed, 55 insertions, 1 deletions
diff --git a/credential.c b/credential.c
index 7dbbf26f17..c1a9ca4e48 100644
--- a/credential.c
+++ b/credential.c
@@ -35,6 +35,10 @@ int credential_match(const struct credential *want,
#undef CHECK
}
+
+static int credential_from_potentially_partial_url(struct credential *c,
+ const char *url);
+
static int credential_config_callback(const char *var, const char *value,
void *data)
{
@@ -53,7 +57,13 @@ static int credential_config_callback(const char *var, const char *value,
char *url = xmemdupz(key, dot - key);
int matched;
- credential_from_url(&want, url);
+ if (credential_from_potentially_partial_url(&want, url) < 0) {
+ warning(_("skipping credential lookup for key: %s"),
+ var);
+ credential_clear(&want);
+ free(url);
+ return 0;
+ }
matched = credential_match(&want, c);
credential_clear(&want);
@@ -430,6 +440,12 @@ static int credential_from_url_1(struct credential *c, const char *url,
return 0;
}
+static int credential_from_potentially_partial_url(struct credential *c,
+ const char *url)
+{
+ return credential_from_url_1(c, url, 1, 0);
+}
+
int credential_from_url_gently(struct credential *c, const char *url, int quiet)
{
return credential_from_url_1(c, url, 0, quiet);
diff --git a/t/t0300-credentials.sh b/t/t0300-credentials.sh
index efed3ea295..da4b315d6d 100755
--- a/t/t0300-credentials.sh
+++ b/t/t0300-credentials.sh
@@ -448,4 +448,42 @@ test_expect_success 'credential system refuses to work with missing protocol' '
test_i18ncmp expect stderr
'
+test_expect_success 'credential config with partial URLs' '
+ echo "echo password=yep" | write_script git-credential-yep &&
+ test_write_lines url=https://user@example.com/repo.git >stdin &&
+ for partial in \
+ example.com \
+ user@example.com \
+ https:// \
+ https://example.com \
+ https://example.com/ \
+ https://user@example.com \
+ https://user@example.com/ \
+ https://example.com/repo.git \
+ https://user@example.com/repo.git \
+ /repo.git
+ do
+ git -c credential.$partial.helper=yep \
+ credential fill <stdin >stdout &&
+ grep yep stdout ||
+ return 1
+ done &&
+
+ for partial in \
+ dont.use.this \
+ http:// \
+ /repo
+ do
+ git -c credential.$partial.helper=yep \
+ credential fill <stdin >stdout &&
+ ! grep yep stdout ||
+ return 1
+ done &&
+
+ git -c credential.$partial.helper=yep \
+ -c credential.with%0anewline.username=uh-oh \
+ credential fill <stdin >stdout 2>stderr &&
+ test_i18ngrep "skipping credential lookup for key" stderr
+'
+
test_done