summaryrefslogtreecommitdiff
path: root/refs
diff options
context:
space:
mode:
authorLibravatar Jonathan Nieder <jrnieder@gmail.com>2020-04-18 20:52:34 -0700
committerLibravatar Jonathan Nieder <jrnieder@gmail.com>2020-04-19 16:10:58 -0700
commita2b26ffb1a81aa23dd14453f4db05d8fe24ee7cc (patch)
treedb42a4e33101cf94f7d4ddc9dee822fdb6f7df85 /refs
parentcredential: refuse to operate when missing host or protocol (diff)
downloadtgif-a2b26ffb1a81aa23dd14453f4db05d8fe24ee7cc.tar.xz
fsck: convert gitmodules url to URL passed to curl
In 07259e74ec1 (fsck: detect gitmodules URLs with embedded newlines, 2020-03-11), git fsck learned to check whether URLs in .gitmodules could be understood by the credential machinery when they are handled by git-remote-curl. However, the check is overbroad: it checks all URLs instead of only URLs that would be passed to git-remote-curl. In principle a git:// or file:/// URL does not need to follow the same conventions as an http:// URL; in particular, git:// and file:// protocols are not succeptible to issues in the credential API because they do not support attaching credentials. In the HTTP case, the URL in .gitmodules does not always match the URL that would be passed to git-remote-curl and the credential machinery: Git's URL syntax allows specifying a remote helper followed by a "::" delimiter and a URL to be passed to it, so that git ls-remote http::https://example.com/repo.git invokes git-remote-http with https://example.com/repo.git as its URL argument. With today's checks, that distinction does not make a difference, but for a check we are about to introduce (for empty URL schemes) it will matter. .gitmodules files also support relative URLs. To ensure coverage for the https based embedded-newline attack, urldecode and check them directly for embedded newlines. Helped-by: Jeff King <peff@peff.net> Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> Reviewed-by: Jeff King <peff@peff.net>
Diffstat (limited to 'refs')
0 files changed, 0 insertions, 0 deletions