From: Robert Coup <robert.coup@koordinates.com>
To: "Ævar Arnfjörð Bjarmason" <avarab@gmail.com>
Cc: Derrick Stolee via GitGitGadget <gitgitgadget@gmail.com>,
git@vger.kernel.org, gitster@pobox.com, Jeff King <peff@peff.net>,
me@ttaylorr.com, christian.couder@gmail.com,
johannes.schindelin@gmx.de, jrnieder@gmail.com,
Derrick Stolee <derrickstolee@github.com>,
Derrick Stolee <dstolee@microsoft.com>
Subject: Re: [PATCH] urlmatch: do not allow passwords in URLs by default
Date: Mon, 3 May 2021 09:40:01 +0100 [thread overview]
Message-ID: <CAFLLRp+LA8WNsmOYPEBbNuSR4o8TBOqZpX-_P8fh6h46tNWmCw@mail.gmail.com> (raw)
In-Reply-To: <87czuayfy9.fsf@evledraar.gmail.com>
On Sat, 1 May 2021 at 10:13, Ævar Arnfjörð Bjarmason <avarab@gmail.com> wrote:
>
> Unlike SSH this is a thing that the HTTP protocol supports, so I don't
> think it's the place of git to go out of its way by default to break
> working URL schemas by making hard breaking assumptions about the user's
> workflow.
>
> I think a much better way to address this issue, if it's an issue that
> needs to be addressed, is on the server-side. The service operator is in
> a much better position to know if URL passwords are a bad idea in their
> case (e.g. is the software frequently used in certain ways, is there no
> transport security, are we using debug URL tracing etc).
A URL scheme of the form https://user:password@example.com/my.git gets
translated by the http *client* into a request of the form:
<Connect via TLS to example.com:443>
GET /my.git HTTP/1.1
Host: example.com
Authorization: Basic dXNlcjpwYXNzd29yZAo=
... some more headers ...
So the server can't determine whether either/both the username or
password in the Authorization header were retrieved from a credential
helper, were parsed from a URL string, or came via a terminal prompt.
Conceivably If the server only uses a non-default Authorization method
("Token", "Bearer", "Key", etc) or uses a separate header (eg:
"MyGitHosting-Auth") then it could conceivably block Basic
Authorization, and afaik Git only supports that approach via
http.extraHeader - which doesn't go via any credential helpers, and is
essentially obscuring authentication as something else (and is pretty
user-hostile).
Rob :)
prev parent reply other threads:[~2021-05-03 8:40 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-30 18:37 [PATCH] urlmatch: do not allow passwords in URLs by default Derrick Stolee via GitGitGadget
2021-04-30 18:50 ` Jeff King
2021-05-03 11:54 ` Derrick Stolee
2021-05-03 14:53 ` Jeff King
2021-05-01 2:00 ` brian m. carlson
2021-05-01 6:39 ` Christian Couder
2021-05-03 3:38 ` Junio C Hamano
2021-05-01 8:44 ` Ævar Arnfjörð Bjarmason
2021-05-01 8:52 ` Ævar Arnfjörð Bjarmason
2021-05-03 8:40 ` Robert Coup [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAFLLRp+LA8WNsmOYPEBbNuSR4o8TBOqZpX-_P8fh6h46tNWmCw@mail.gmail.com \
--to=robert.coup@koordinates.com \
--cc=avarab@gmail.com \
--cc=christian.couder@gmail.com \
--cc=derrickstolee@github.com \
--cc=dstolee@microsoft.com \
--cc=git@vger.kernel.org \
--cc=gitgitgadget@gmail.com \
--cc=gitster@pobox.com \
--cc=johannes.schindelin@gmx.de \
--cc=jrnieder@gmail.com \
--cc=me@ttaylorr.com \
--cc=peff@peff.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).