mailing list mirror (one of many)
 help / color / mirror / code / Atom feed
From: Robert Coup <>
To: "Ævar Arnfjörð Bjarmason" <>
Cc: Derrick Stolee via GitGitGadget <>,,, Jeff King <>,,,,,
	Derrick Stolee <>,
	Derrick Stolee <>
Subject: Re: [PATCH] urlmatch: do not allow passwords in URLs by default
Date: Mon, 3 May 2021 09:40:01 +0100	[thread overview]
Message-ID: <> (raw)
In-Reply-To: <>

On Sat, 1 May 2021 at 10:13, Ævar Arnfjörð Bjarmason <> wrote:
> Unlike SSH this is a thing that the HTTP protocol supports, so I don't
> think it's the place of git to go out of its way by default to break
> working URL schemas by making hard breaking assumptions about the user's
> workflow.
> I think a much better way to address this issue, if it's an issue that
> needs to be addressed, is on the server-side. The service operator is in
> a much better position to know if URL passwords are a bad idea in their
> case (e.g. is the software frequently used in certain ways, is there no
> transport security, are we using debug URL tracing etc).

A URL scheme of the form gets
translated by the http *client* into a request of the form:

  <Connect via TLS to>
  GET /my.git HTTP/1.1
  Authorization: Basic dXNlcjpwYXNzd29yZAo=
  ... some more headers ...

So the server can't determine whether either/both the username or
password in the Authorization header were retrieved from a credential
helper, were parsed from a URL string, or came via a terminal prompt.
Conceivably If the server only uses a non-default Authorization method
("Token", "Bearer", "Key", etc) or uses a separate header (eg:
"MyGitHosting-Auth") then it could conceivably block Basic
Authorization, and afaik Git only supports that approach via
http.extraHeader - which doesn't go via any credential helpers, and is
essentially obscuring authentication as something else (and is pretty

Rob :)

      reply	other threads:[~2021-05-03  8:40 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-04-30 18:37 [PATCH] urlmatch: do not allow passwords in URLs by default Derrick Stolee via GitGitGadget
2021-04-30 18:50 ` Jeff King
2021-05-03 11:54   ` Derrick Stolee
2021-05-03 14:53     ` Jeff King
2021-05-01  2:00 ` brian m. carlson
2021-05-01  6:39 ` Christian Couder
2021-05-03  3:38   ` Junio C Hamano
2021-05-01  8:44 ` Ævar Arnfjörð Bjarmason
2021-05-01  8:52 ` Ævar Arnfjörð Bjarmason
2021-05-03  8:40   ` Robert Coup [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

  List information:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \ \ \ \ \ \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).