credential: handle credential.<partial-URL>.<key> again
In the patches for CVE-2020-11008, the ability to specify credential
settings in the config for partial URLs got lost. For example, it used
to be possible to specify a credential helper for a specific protocol:

	[credential "https://"]
		helper = my-https-helper

Likewise, it used to be possible to configure settings for a specific
host, e.g.:

	[credential "dev.azure.com"]
		useHTTPPath = true

Let's reinstate this behavior.

While at it, increase the test coverage to document and verify the
behavior with a couple other categories of partial URLs.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
dscho authored and gitster committed Apr 24, 2020
1 parent f52b0cb commit 1229499
Showing 4 changed files with 77 additions and 3 deletions.
27 changes: 27 additions & 0 deletions credential.c
Expand Up @@ -37,6 +37,10 @@ int credential_match(const struct credential *want,
#undef CHECK
}


static int credential_from_potentially_partial_url(struct credential *c,

This comment was marked as off-topic.

@Kerazb88

Kerazb88 Sep 17, 2023

credential.c

This comment was marked as off-topic.

@RaduskaCibrikova

RaduskaCibrikova Mar 28, 2024

Co stim mám dělat

This comment was marked as off-topic.

@NGUYENHOANGTRUONG12
const char *url);

static int credential_config_callback(const char *var, const char *value,
void *data)
{
Expand Down Expand Up @@ -82,6 +86,22 @@ static int select_all(const struct urlmatch_item *a,
return 0;
}

static int match_partial_url(const char *url, void *cb)
{
struct credential *c = cb;
struct credential want = CREDENTIAL_INIT;
int matches = 0;

if (credential_from_potentially_partial_url(&want, url) < 0)
warning(_("skipping credential lookup for key: credential.%s"),
url);
else
matches = credential_match(&want, c);
credential_clear(&want);

return matches;
}

static void credential_apply_config(struct credential *c)
{
char *normalized_url;
Expand All @@ -101,6 +121,7 @@ static void credential_apply_config(struct credential *c)
config.collect_fn = credential_config_callback;
config.cascade_fn = NULL;
config.select_fn = select_all;
config.fallback_match_fn = match_partial_url;
config.cb = c;

credential_format(c, &url);
Expand Down Expand Up @@ -468,6 +489,12 @@ static int credential_from_url_1(struct credential *c, const char *url,
return 0;
}

static int credential_from_potentially_partial_url(struct credential *c,
const char *url)
{
return credential_from_url_1(c, url, 1, 0);
}

int credential_from_url_gently(struct credential *c, const char *url, int quiet)
{
return credential_from_url_1(c, url, 0, quiet);
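Review bot: `match_partial_url` has no comment stating its contract, and because its result decides which configured helper or setting is applied to a credential, the fail-closed behaviour is worth writing down. I would add above it `/* Fallback for config keys that are not full URLs: returns credential_match()'s verdict, or 0 (no match) after a warning when the key cannot be parsed. */`. If fields left unset in `want` act as wildcards in `credential_match` (its body is outside the hunk, so this is inferred), the comment should also say that a key naming only a protocol or only a host matches every credential sharing that one field. In `credential_from_potentially_partial_url` the bare `1, 0` passed to `credential_from_url_1` would read better with a short comment naming the two flags; the fourth is `quiet` judging by `credential_from_url_gently`, while the third is declared outside the visible lines.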
38 changes: 38 additions & 0 deletions t/t0300-credentials.sh
Expand Up @@ -575,4 +575,42 @@ test_expect_success 'credential system refuses to work with missing protocol' '
test_i18ncmp expect stderr
'

test_expect_success 'credential config with partial URLs' '
echo "echo password=yep" | write_script git-credential-yep &&
test_write_lines url=https://user@example.com/repo.git >stdin &&
for partial in \
example.com \
user@example.com \
https:// \
https://example.com \
https://example.com/ \
https://user@example.com \
https://user@example.com/ \
https://example.com/repo.git \
https://user@example.com/repo.git \
/repo.git
do
git -c credential.$partial.helper=yep \

This comment was marked as off-topic.

@Kempy1

Kempy1 Jun 7, 2023

Vibrat penaze

credential fill <stdin >stdout &&
grep yep stdout ||
return 1
done &&
for partial in \
dont.use.this \
http:// \
/repo
do
git -c credential.$partial.helper=yep \
credential fill <stdin >stdout &&
! grep yep stdout ||
return 1
done &&
git -c credential.$partial.helper=yep \
-c credential.with%0anewline.username=uh-oh \
credential fill <stdin >stdout 2>stderr &&
test_i18ngrep "skipping credential lookup for key" stderr
'

test_done
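Review bot: The last command of 'credential config with partial URLs' only checks that the warning reaches stderr; it never asserts that the `username=uh-oh` value from the rejected `with%0anewline` key stayed out of the result. Since stdout is already captured, adding `! grep uh-oh stdout &&` before the `test_i18ngrep` line would pin that a malformed key is skipped rather than applied. That command also reuses `$partial` as left by the second loop (`/repo`), which is easy to miss; spelling the key out would make the intent explicit. The negative list could additionally cover a key with a different user and a key whose host only shares a suffix with `example.com`, so that over-broad matching would be caught by the suite.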
10 changes: 7 additions & 3 deletions urlmatch.c
Expand Up @@ -572,10 +572,14 @@ int urlmatch_config_entry(const char *var, const char *value, void *cb)

config_url = xmemdupz(key, dot - key);
norm_url = url_normalize_1(config_url, &norm_info, 1);
if (norm_url)
retval = match_urls(url, &norm_info, &matched);
else if (collect->fallback_match_fn)
retval = collect->fallback_match_fn(config_url,
collect->cb);
else
retval = 0;
free(config_url);
if (!norm_url)
return 0;
retval = match_urls(url, &norm_info, &matched);
free(norm_url);
if (!retval)
return 0;
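Review bot: When the fallback branch supplies the match, `matched` is never filled in by `match_urls`, yet the code after the hunk continues once `retval` is non-zero and presumably still reads it for the specificity comparison. The declaration of `matched` and the rest of `urlmatch_config_entry` are outside the hunk, so whether it is zero-initialised cannot be confirmed here; if it is, fallback matches silently rank as least specific, and if it is not, the later read is of indeterminate memory. A comment at the branch such as `/* fallback matches carry no match info; 'matched' keeps its initial value */` would make that explicit. The branch also treats any non-zero return as a match, so a callback that reports an error as -1 would select the entry; `retval = collect->fallback_match_fn(config_url, collect->cb) > 0;` would fail closed.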
5 changes: 5 additions & 0 deletions urlmatch.h
Expand Up @@ -59,6 +59,11 @@ struct urlmatch_config {
* specificity rules) than existing.
*/
int (*select_fn)(const struct urlmatch_item *found, const struct urlmatch_item *existing);
/*
* An optional callback to allow e.g. for partial URLs; it shall
* return 1 or 0 depending whether `url` matches or not.
*/
int (*fallback_match_fn)(const char *url, void *cb);
};

int urlmatch_config_entry(const char *var, const char *value, void *cb);
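Review bot: The comment on `fallback_match_fn` does not say when the callback runs or what its arguments are, which an implementer needs in order to write one that does not match too broadly. Judging from the urlmatch.c change, it is invoked only when the config key fails URL normalization, `url` is that raw key text rather than the URL being looked up, and the second argument is the config's own `cb` value. I would extend the comment with `Called only for config keys that cannot be normalized as a URL; 'url' is the raw key text and 'cb' is this struct's cb member.` and state that leaving the pointer NULL means such keys never match.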

14 comments on commit 1229499

@sirmeth

This comment was marked as off-topic.

@Bros962

This comment was marked as off-topic.

@Bros962

This comment was marked as off-topic.

@Bros962

This comment was marked as off-topic.

@Favourjacobmudiaga

This comment was marked as off-topic.

@JAYP1255

This comment was marked as off-topic.

@Kempy1

This comment was marked as off-topic.

@Kempy1

This comment was marked as off-topic.

@Hamed516

This comment was marked as off-topic.

@mennamahroos

This comment was marked as off-topic.

@mennamahroos

This comment was marked as off-topic.

@mennamahroos

This comment was marked as off-topic.

@mennamahroos

This comment was marked as off-topic.

@unwantedgpig

This comment was marked as spam.
