diff options
author | Glen Choo <chooglen@google.com> | 2022-11-11 22:35:06 +0000 |
---|---|---|
committer | Taylor Blau <me@ttaylorr.com> | 2022-11-14 17:42:46 -0500 |
commit | b637a41ebe0e65b6d64dd65efaf848b4705dcbed (patch) | |
tree | 3007cb8026fb16a7a4a4ff619fac90f247898b18 /t | |
parent | 73c49a447461449ada646b74dfa5dcb0e9f3e879 (diff) | |
download | git-b637a41ebe0e65b6d64dd65efaf848b4705dcbed.tar.gz |
http: redact curl h2h3 headers in info
With GIT_TRACE_CURL=1 or GIT_CURL_VERBOSE=1, sensitive headers like
"Authorization" and "Cookie" get redacted. However, since [1], curl's
h2h3 module (invoked when using HTTP/2) also prints headers in its
"info", which don't get redacted. For example,
echo 'github.com TRUE / FALSE 1698960413304 o foo=bar' >cookiefile &&
GIT_TRACE_CURL=1 GIT_TRACE_CURL_NO_DATA=1 git \
-c 'http.cookiefile=cookiefile' \
-c 'http.version=' \
ls-remote https://github.com/git/git refs/heads/main 2>output &&
grep 'cookie' output
produces output like:
23:04:16.920495 http.c:678 == Info: h2h3 [cookie: o=foo=bar]
23:04:16.920562 http.c:637 => Send header: cookie: o=<redacted>
Teach http.c to check for h2h3 headers in info and redact them using the
existing header redaction logic. This fixes the broken redaction logic
that we noted in the previous commit, so mark the redaction tests as
passing under HTTP2.
[1] https://github.com/curl/curl/commit/f8c3724aa90472c0e617ddbbc420aa199971eb77
Helped-by: Jeff King <peff@peff.net>
Signed-off-by: Glen Choo <chooglen@google.com>
Signed-off-by: Taylor Blau <me@ttaylorr.com>
Diffstat (limited to 't')
-rwxr-xr-x | t/t5551-http-fetch-smart.sh | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/t/t5551-http-fetch-smart.sh b/t/t5551-http-fetch-smart.sh index 9826631926..bc0719a4fc 100755 --- a/t/t5551-http-fetch-smart.sh +++ b/t/t5551-http-fetch-smart.sh @@ -200,7 +200,7 @@ test_expect_success 'redirects send auth to new location' ' expect_askpass both user@host auth/smart/repo.git ' -test_expect_success !HTTP2 'GIT_TRACE_CURL redacts auth details' ' +test_expect_success 'GIT_TRACE_CURL redacts auth details' ' rm -rf redact-auth trace && set_askpass user@host pass@host && GIT_TRACE_CURL="$(pwd)/trace" git clone --bare "$HTTPD_URL/auth/smart/repo.git" redact-auth && @@ -212,7 +212,7 @@ test_expect_success !HTTP2 'GIT_TRACE_CURL redacts auth details' ' grep -i "Authorization: Basic <redacted>" trace ' -test_expect_success !HTTP2 'GIT_CURL_VERBOSE redacts auth details' ' +test_expect_success 'GIT_CURL_VERBOSE redacts auth details' ' rm -rf redact-auth trace && set_askpass user@host pass@host && GIT_CURL_VERBOSE=1 git clone --bare "$HTTPD_URL/auth/smart/repo.git" redact-auth 2>trace && @@ -482,7 +482,7 @@ test_expect_success 'fetch by SHA-1 without tag following' ' --no-tags origin $(cat bar_hash) ' -test_expect_success !HTTP2 'cookies are redacted by default' ' +test_expect_success 'cookies are redacted by default' ' rm -rf clone && echo "Set-Cookie: Foo=1" >cookies && echo "Set-Cookie: Bar=2" >>cookies && |