From: Jeff King <peff@peff.net>
To: Derrick Stolee <stolee@gmail.com>
Cc: Derrick Stolee via GitGitGadget <gitgitgadget@gmail.com>,
git@vger.kernel.org, gitster@pobox.com, me@ttaylorr.com,
avarab@gmail.com, christian.couder@gmail.com,
johannes.schindelin@gmx.de, jrnieder@gmail.com,
Derrick Stolee <derrickstolee@github.com>,
Derrick Stolee <dstolee@microsoft.com>,
"brian m. carlson" <sandals@crustytoothpaste.net>,
Robert Coup <robert.coup@koordinates.com>
Subject: Re: [PATCH] urlmatch: do not allow passwords in URLs by default
Date: Mon, 3 May 2021 10:53:05 -0400 [thread overview]
Message-ID: <YJAOUZv0gTWrWd9L@coredump.intra.peff.net> (raw)
In-Reply-To: <237482e4-8e21-5cd0-010e-09fb4ba8d27e@gmail.com>
On Mon, May 03, 2021 at 07:54:50AM -0400, Derrick Stolee wrote:
> > I'm not really opposed to disallowing this entirely (with an escape
> > hatch, as you have here), because it really is an awful practice for a
> > lot of reasons. But another option we discussed previously was to allow
> > the initial clone, but not store the password, which would result in the
> > user being prompted for subsequent fetches:
> >
> > https://lore.kernel.org/git/20190519050724.GA26179@sigill.intra.peff.net/
> >
> > I think that third patch there is just too gross. But with the first
> > two, if you do have a credential helper configured, then:
> >
> > git clone https://user:pass@example.com/repo.git
> >
> > would do what you want: clone with that user/pass, and then store the
> > result in the credential helper.
>
> This seems like the best approach, as it presents the highest likelihood
> of working as expected in the automated scenarios. I will take a look to
> see how I could adapt those patches and maybe make the third one better.
IIRC, there was nothing too wrong with the patches. Reviewers had a few
small comments/fixups, but mostly I was on the fence on whether it was a
good idea at all, since it was not really my itch, and it was all
motivated by third-hand complaints about the behavior. Since nobody
brought it up more since then, I hadn't come back to it.
So I think it probably just needs a bit of polish, and to decide on
patch 3. If it helps, I've been rebasing it forward as:
https://github.com/peff/git jk/clone-url-password-wip
but it's not part of my daily build, so caveat structor.
I don't think the third patch is wrong in _how_ it works. It's mostly
whether it's a good idea at all: we are not storing the file in
.git/config, but we are still storing it in ~/.git-credentials. That's
moderately better, but still not very secure.
If you do have a credential helper defined, then with just patch 2
everything would Just Work as you'd hope (and even with patch 3, we'll
skip using credential-store if you have something better defined).
> Is it possible that some Git installations have no credential helper? We
> can keep the "git clone" working in that scenario by storing the password
> in memory until the process completes, but later "git fetch" commands
> will fail.
I expect lots of installations have no helper configured. I don't think
any Linux distro packages ship with one configured. I think Apple Git
ships with osxkeychain configured, but I don't know whether the homebrew
recipe does, too. And of course anybody building from source is on their
own.
Hopefully some of those people install and configure a credential helper
on their own, but I expect it is wishful thinking to imagine that it's a
majority. :)
Even with just the first two patches, I believe the "in memory" thing
you suggest would already work. We feed the full URL to the transport
code, which can make us of it for the duration of the clone process.
It's only what we write into .git/config that is changed (so yes, future
fetches would fail).
-Peff
next prev parent reply other threads:[~2021-05-03 14:53 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-30 18:37 [PATCH] urlmatch: do not allow passwords in URLs by default Derrick Stolee via GitGitGadget
2021-04-30 18:50 ` Jeff King
2021-05-03 11:54 ` Derrick Stolee
2021-05-03 14:53 ` Jeff King [this message]
2021-05-01 2:00 ` brian m. carlson
2021-05-01 6:39 ` Christian Couder
2021-05-03 3:38 ` Junio C Hamano
2021-05-01 8:44 ` Ævar Arnfjörð Bjarmason
2021-05-01 8:52 ` Ævar Arnfjörð Bjarmason
2021-05-03 8:40 ` Robert Coup
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YJAOUZv0gTWrWd9L@coredump.intra.peff.net \
--to=peff@peff.net \
--cc=avarab@gmail.com \
--cc=christian.couder@gmail.com \
--cc=derrickstolee@github.com \
--cc=dstolee@microsoft.com \
--cc=git@vger.kernel.org \
--cc=gitgitgadget@gmail.com \
--cc=gitster@pobox.com \
--cc=johannes.schindelin@gmx.de \
--cc=jrnieder@gmail.com \
--cc=me@ttaylorr.com \
--cc=robert.coup@koordinates.com \
--cc=sandals@crustytoothpaste.net \
--cc=stolee@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).