delta/git.git/http.c, branch sb/string-list-split-appends github.com: git/git.git Merge branch 'jc/http-socks5h' into maint 2016-05-02T21:24:10+00:00 Junio C Hamano gitster@pobox.com 2016-05-02T21:24:10+00:00 6b9eee2bb2934d94a5bbcbcdd28b851d71ffc5ae The socks5:// proxy support added back in 2.6.4 days was not aware that socks5h:// proxies behave differently. * jc/http-socks5h: http: differentiate socks5:// and socks5h:// 
The socks5:// proxy support added back in 2.6.4 days was not aware
that socks5h:// proxies behave differently.

* jc/http-socks5h:
  http: differentiate socks5:// and socks5h://
http: differentiate socks5:// and socks5h:// 2016-04-10T18:03:17+00:00 Junio C Hamano gitster@pobox.com 2016-04-08T19:16:06+00:00 87f8a0b279def4da439b5e0e41f517a05ef110f0 Felix Ruess <felix.ruess@gmail.com> noticed that with configuration $ git config --global 'http.proxy=socks5h://127.0.0.1:1080' connections to remote sites time out, waiting for DNS resolution. The logic to detect various flavours of SOCKS proxy and ask the libcurl layer to use appropriate one understands the proxy string that begin with socks5, socks4a, etc., but does not know socks5h, and we end up using CURLPROXY_SOCKS5. The correct one to use is CURLPROXY_SOCKS5_HOSTNAME. https://curl.haxx.se/libcurl/c/CURLOPT_PROXY.html says ..., socks5h:// (the last one to enable socks5 and asking the proxy to do the resolving, also known as CURLPROXY_SOCKS5_HOSTNAME type). which is consistent with the way the breakage was reported. Tested-by: Felix Ruess <felix.ruess@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 
Felix Ruess <felix.ruess@gmail.com> noticed that with configuration

    $ git config --global 'http.proxy=socks5h://127.0.0.1:1080'

connections to remote sites time out, waiting for DNS resolution.

The logic to detect various flavours of SOCKS proxy and ask the
libcurl layer to use appropriate one understands the proxy string
that begin with socks5, socks4a, etc., but does not know socks5h,
and we end up using CURLPROXY_SOCKS5.  The correct one to use is
CURLPROXY_SOCKS5_HOSTNAME.

https://curl.haxx.se/libcurl/c/CURLOPT_PROXY.html says

  ..., socks5h:// (the last one to enable socks5 and asking the
  proxy to do the resolving, also known as CURLPROXY_SOCKS5_HOSTNAME
  type).

which is consistent with the way the breakage was reported.

Tested-by: Felix Ruess <felix.ruess@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Merge branch 'jx/http-no-proxy' 2016-03-10T18:56:43+00:00 Junio C Hamano gitster@pobox.com 2016-03-10T18:56:43+00:00 f4a48e870892b18a7205c9315821e4b6a831ade4 * jx/http-no-proxy: http: honor no_http env variable to bypass proxy 
* jx/http-no-proxy:
  http: honor no_http env variable to bypass proxy
http: honor no_http env variable to bypass proxy 2016-02-29T19:28:39+00:00 Jiang Xin xin.jiang@huawei.com 2016-02-29T15:16:57+00:00 d445fda44dbf031dccdfd384b2418ea50988a756 Curl and its families honor several proxy related environment variables: * http_proxy and https_proxy define proxy for http/https connections. * no_proxy (a comma separated hosts) defines hosts bypass the proxy. This command will bypass the bad-proxy and connect to the host directly: no_proxy=* https_proxy=http://bad-proxy/ \ curl -sk https://google.com/ Before commit 372370f (http: use credential API to handle proxy auth...), Environment variable "no_proxy" will take effect if the config variable "http.proxy" is not set. So the following comamnd won't fail if not behind a firewall. no_proxy=* https_proxy=http://bad-proxy/ \ git ls-remote https://github.com/git/git But commit 372370f not only read git config variable "http.proxy", but also read "http_proxy" and "https_proxy" environment variables, and set the curl option using: curl_easy_setopt(result, CURLOPT_PROXY, proxy_auth.host); This caused "no_proxy" environment variable not working any more. Set extra curl option "CURLOPT_NOPROXY" will fix this issue. Signed-off-by: Jiang Xin <xin.jiang@huawei.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 
Curl and its families honor several proxy related environment variables:

* http_proxy and https_proxy define proxy for http/https connections.
* no_proxy (a comma separated hosts) defines hosts bypass the proxy.

This command will bypass the bad-proxy and connect to the host directly:

    no_proxy=* https_proxy=http://bad-proxy/ \
    curl -sk https://google.com/

Before commit 372370f (http: use credential API to handle proxy auth...),
Environment variable "no_proxy" will take effect if the config variable
"http.proxy" is not set.  So the following comamnd won't fail if not
behind a firewall.

    no_proxy=* https_proxy=http://bad-proxy/ \
    git ls-remote https://github.com/git/git

But commit 372370f not only read git config variable "http.proxy", but
also read "http_proxy" and "https_proxy" environment variables, and set
the curl option using:

    curl_easy_setopt(result, CURLOPT_PROXY, proxy_auth.host);

This caused "no_proxy" environment variable not working any more.

Set extra curl option "CURLOPT_NOPROXY" will fix this issue.

Signed-off-by: Jiang Xin <xin.jiang@huawei.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Merge branch 'ce/https-public-key-pinning' 2016-02-24T21:25:58+00:00 Junio C Hamano gitster@pobox.com 2016-02-24T21:25:58+00:00 e79112d21024beb997951381db21a70b087d459d You can now set http.[<url>.]pinnedpubkey to specify the pinned public key when building with recent enough versions of libcURL. * ce/https-public-key-pinning: http: implement public key pinning 
You can now set http.[<url>.]pinnedpubkey to specify the pinned
public key when building with recent enough versions of libcURL.

* ce/https-public-key-pinning:
  http: implement public key pinning
Merge branch 'bc/http-empty-auth' 2016-02-24T21:25:57+00:00 Junio C Hamano gitster@pobox.com 2016-02-24T21:25:57+00:00 65ba75ba7daae3298139f18cf866a23d01f4dd48 Some authentication methods do not need username or password, but libcurl needs some hint that it needs to perform authentication. Supplying an empty username and password string is a valid way to do so, but you can set the http.[<url>.]emptyAuth configuration variable to achieve the same, if you find it cleaner. * bc/http-empty-auth: http: add option to try authentication without username 
Some authentication methods do not need username or password, but
libcurl needs some hint that it needs to perform authentication.
Supplying an empty username and password string is a valid way to
do so, but you can set the http.[<url>.]emptyAuth configuration
variable to achieve the same, if you find it cleaner.

* bc/http-empty-auth:
  http: add option to try authentication without username
Merge branch 'ew/force-ipv4' 2016-02-24T21:25:54+00:00 Junio C Hamano gitster@pobox.com 2016-02-24T21:25:54+00:00 e84d5e9fa178a027b1c8b9f6e22c9173dcda03b3 "git fetch" and friends that make network connections can now be told to only use ipv4 (or ipv6). * ew/force-ipv4: connect & http: support -4 and -6 switches for remote operations 
"git fetch" and friends that make network connections can now be
told to only use ipv4 (or ipv6).

* ew/force-ipv4:
  connect & http: support -4 and -6 switches for remote operations
http: implement public key pinning 2016-02-16T03:21:48+00:00 Christoph Egger christoph@christoph-egger.org 2016-02-15T14:04:22+00:00 aeff8a61216bf6e0d663c08c583bc8552fa3c344 Add the http.pinnedpubkey configuration option for public key pinning. It allows any string supported by libcurl -- base64(sha256(pubkey)) or filename of the full public key. If cURL does not support pinning (is too old) output a warning to the user. Signed-off-by: Christoph Egger <christoph@christoph-egger.org> Signed-off-by: Junio C Hamano <gitster@pobox.com> 
Add the http.pinnedpubkey configuration option for public key
pinning. It allows any string supported by libcurl --
base64(sha256(pubkey)) or filename of the full public key.

If cURL does not support pinning (is too old) output a warning to the
user.

Signed-off-by: Christoph Egger <christoph@christoph-egger.org>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
http: add option to try authentication without username 2016-02-15T22:13:37+00:00 brian m. carlson sandals@crustytoothpaste.net 2016-02-15T18:44:46+00:00 121061f67fd47aed5b2f3a7deb82af15215636bd Performing GSS-Negotiate authentication using Kerberos does not require specifying a username or password, since that information is already included in the ticket itself. However, libcurl refuses to perform authentication if it has not been provided with a username and password. Add an option, http.emptyAuth, that provides libcurl with an empty username and password to make it attempt authentication anyway. Signed-off-by: Junio C Hamano <gitster@pobox.com> 
Performing GSS-Negotiate authentication using Kerberos does not require
specifying a username or password, since that information is already
included in the ticket itself.  However, libcurl refuses to perform
authentication if it has not been provided with a username and password.
Add an option, http.emptyAuth, that provides libcurl with an empty
username and password to make it attempt authentication anyway.

Signed-off-by: Junio C Hamano <gitster@pobox.com>
connect & http: support -4 and -6 switches for remote operations 2016-02-12T19:34:14+00:00 Eric Wong normalperson@yhbt.net 2016-02-03T04:09:14+00:00 c915f11eb4922e154e29cf62d3b549d65c06a170 Sometimes it is necessary to force IPv4-only or IPv6-only operation on networks where name lookups may return a non-routable address and stall remote operations. The ssh(1) command has an equivalent switches which we may pass when we run them. There may be old ssh(1) implementations out there which do not support these switches; they should report the appropriate error in that case. rsync support is untouched for now since it is deprecated and scheduled to be removed. Signed-off-by: Eric Wong <normalperson@yhbt.net> Reviewed-by: Torsten Bögershausen <tboegi@web.de> Signed-off-by: Junio C Hamano <gitster@pobox.com> 
Sometimes it is necessary to force IPv4-only or IPv6-only operation
on networks where name lookups may return a non-routable address and
stall remote operations.

The ssh(1) command has an equivalent switches which we may pass when
we run them.  There may be old ssh(1) implementations out there
which do not support these switches; they should report the
appropriate error in that case.

rsync support is untouched for now since it is deprecated and
scheduled to be removed.

Signed-off-by: Eric Wong <normalperson@yhbt.net>
Reviewed-by: Torsten Bögershausen <tboegi@web.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>