Re: git smart-http do not authent to allow git ls-remote to be called anonymously

[Jeff King <peff@peff.net>]

On Sun, Sep 30, 2012 at 10:35:35PM +0800, 乙酸鋰 wrote:

> I use smart-http on Apache.
> If nothing to be pushed / pulled, I do not want password to be
> supplied. And allow git ls-remote to run without password
> 
> *.git/info/refs?service=git-upload-pack
> *.git/info/refs?service=git-receive-pack
> 
> I only need authentication on
> 
> *.git/git-upload-pack
> *.git/git-receive-pack
> 
> /etc/apache/httpd.conf
> 
> <LocationMatch "^/git/.*/git-(upload|receive)-pack$">
>     AuthType Basic
>     AuthName "staff only"
>     AuthUserFile /etc/apache/apache.pwd
>     Require valid-user
> </LocationMatch>
> 
> However this does not work. It does not ask for password at all.

What is "it" in the final sentence? Does the server not tell the git
client that authorization is required, and actually serve the request?
If so, then that is a bug in your apache config.

Or is it that the server tells git that it needs authorization, but git
does not prompt, and instead just fails with "Authentication failed". In
that case, the issue is that you need a newer git client. Traditionally
the client expected to handle authentication during the initial
"info/refs" request. I added support for handling authentication during
later requests in commit b81401c, which is in git v1.7.11.7 and
v1.7.12.1.

You should reconsider whether this is what you really want, though. With
the configuration you showed, anyone will be able to get a list of all
refs and their sha1s. So they would know all your branch names, and they
could even potentially find out what's in your branches by making
offline guesses and comparing them to your branch sha1s (the feasibility
of this would depend on exactly what you're storing).

-Peff