On Thu, Feb 23, 2017 at 01:03:39AM +0000, David Turner wrote: > So, I guess, this patch might be considered a security risk. But on the > other hand, even *without* this patch, and without http.allowempty at > all, I think a config which simply uses a https:// url without the magic :@ > would try SPNEGO. As I understand it, the http.allowempty config just > makes the traditional :@ urls work. No, it's a bit different. libcurl won't try to authenticate to a server unless it has a username (and possibly password). With the curl command line client, you use a dummy value or -u: to force it to do auth anyway (because you want, say, GSSAPI). http.emptyAuth just sets that option to “:” so libcurl will auth: if (curl_empty_auth) curl_easy_setopt(result, CURLOPT_USERPWD, ":"); I just use a dummy username for my URLs, but you can write :@ or any other permutation to get it to work without emptyAuth. As a consequence, you have to opt-in to that on a per-URL (or per-domain) basis, which is a bit more secure. > Actually, though, I am not sure this is as bad as it seems, because gssapi > might protect us. When I locally tried a fake server, git (libcurl) refused to > send my Kerberos credentials because "Server not found in Kerberos > database". I don't have a machine set up with NTLM authentication > (because, apparently, that would be insane), so I don't know how to > confirm that gssapi would operate off of a whitelist for NTLM as well. Yup. That's pretty much what I thought would happen, since the Kerberos server has no HTTP/malicious.evil.tld@YOURREALM.TLD service ticket. Again, I don't know how NTLM does things, or if it's wrapped in a suitable ticket format somehow. Last I base64-decoded an NTLM SPNEGO response, it did not contain the OID required by GSSAPI as a prefix; it instead contained an “NTLMSSP” header, which isn't a valid OID. I didn't delve much further, since I was pretty sure I didn't want to know more. -- brian m. carlson / brian with sandals: Houston, Texas, US +1 832 623 2791 | https://www.crustytoothpaste.net/~bmc | My opinion only OpenPGP: https://keybase.io/bk2204