[PATCH] Added Curl Option to Override Request Method

[PATCH] Added Curl Option to Override Request Method

[Drew Green via GitGitGadget]

From: agreenbhm <agreenbhm@gmail.com>

Added support for environment variable "CURLOPT_CUSTOMREQUEST"
to allow setting the curl option to override the default request
method used by HTTP Git operations.  Primary reason for this is to
allow support for cloning repositories where only GET requests
are allowed but not POSTs.  When cloning a repo first a GET is
made to the server and then a POST is made to the "git-upload-pack"
endpoint.  In some corporate environments with strong controls
only GET requests are allowed to known repository hosts (such
as GitHub) to prevent data leakage by sending data.  Using this
new environmental variable, a user can set
"CURLOPT_CUSTOMREQUEST=GET" which will change the second request
from a POST to a GET, bypassing web proxy restrictions on the type
of requests allowed.  Tested with GitHub, changing the request
from POST to GET still results in the expected behavior of the
repo successfully being cloned.

Signed-off-by: agreenbhm <agreenbhm@gmail.com>
---
    Added Curl Option to Override Request Method
    
    Added support for environment variable "CURLOPT_CUSTOMREQUEST" to allow
    setting the curl option to override the default request method used by
    HTTP Git operations. Primary reason for this is to allow support for
    cloning repositories where only GET requests are allowed but not POSTs.
    When cloning a repo first a GET is made to the server and then a POST is
    made to the "git-upload-pack" endpoint. In some corporate environments
    with strong controls only GET requests are allowed to known repository
    hosts (such as GitHub) to prevent data leakage by sending data. Using
    this new environmental variable, a user can set
    "CURLOPT_CUSTOMREQUEST=GET" which will change the second request from a
    POST to a GET, bypassing web proxy restrictions on the type of requests
    allowed. Tested with GitHub, changing the request from POST to GET still
    results in the expected behavior of the repo successfully being cloned.
    
    Signed-off-by: agreenbhm agreenbhm@gmail.com

Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-1225%2Fagreenbhm%2Fmaster-v1
Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-1225/agreenbhm/master-v1
Pull-Request: https://github.com/gitgitgadget/git/pull/1225

 http.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/http.c b/http.c
index 229da4d1488..2ca13b848a5 100644
--- a/http.c
+++ b/http.c
@@ -1235,6 +1235,8 @@ struct active_request_slot *get_active_slot(void)
 	curl_easy_setopt(slot->curl, CURLOPT_HTTPAUTH, http_auth_methods);
 	if (http_auth.password || curl_empty_auth_enabled())
 		init_curl_http_auth(slot->curl);
+	if(getenv("CURLOPT_CUSTOMREQUEST"))
+		curl_easy_setopt(slot->curl, CURLOPT_CUSTOMREQUEST, getenv("CURLOPT_CUSTOMREQUEST"));
 
 	return slot;
 }

base-commit: 6cd33dceed60949e2dbc32e3f0f5e67c4c882e1e
-- 
gitgitgadget

[PATCH v2] Added Curl Option to Override Request Method v2

[Drew Green via GitGitGadget]

From: agreenbhm <agreenbhm@gmail.com>

Added support for environment variable "CURLOPT_CUSTOMREQUEST"
and config option "http.customrequest" to allow setting the Curl
option to override the default request method used by HTTP Git
operations.  Primary reason for this is to allow support for
cloning repositories where only GET requests
are allowed by a local web proxy but not POSTs.  When cloning
a repo first a GET is made to the server and then a
POST is made to the "git-upload-pack" endpoint.  In some
corporate environments with strong controls
only GET requests are allowed to known repository hosts (such
as GitHub) through a web proxy to prevent data leakage.  Using this
new setting, a user can set the "CURLOPT_CUSTOMREQUEST=GET" env at runtime
or "http.customrequest = GET" in their config file which will
change the second request from a POST to a GET, bypassing
web proxy restrictions on the type of requests allowed.
Tested with GitHub, changing the request from POST to GET still
results in the expected behavior of the repo successfully being cloned.

This is v2 of this patch, which refactored the placement of the env
and added the ability to set the config file option.

Signed-off-by: agreenbhm <agreenbhm@gmail.com>
---
    Added Curl Option to Override Request Method
    
    Added support for environment variable "CURLOPT_CUSTOMREQUEST" to allow
    setting the curl option to override the default request method used by
    HTTP Git operations. Primary reason for this is to allow support for
    cloning repositories where only GET requests are allowed but not POSTs.
    When cloning a repo first a GET is made to the server and then a POST is
    made to the "git-upload-pack" endpoint. In some corporate environments
    with strong controls only GET requests are allowed to known repository
    hosts (such as GitHub) to prevent data leakage by sending data. Using
    this new environmental variable, a user can set
    "CURLOPT_CUSTOMREQUEST=GET" which will change the second request from a
    POST to a GET, bypassing web proxy restrictions on the type of requests
    allowed. Tested with GitHub, changing the request from POST to GET still
    results in the expected behavior of the repo successfully being cloned.
    
    Signed-off-by: agreenbhm agreenbhm@gmail.com

Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-1225%2Fagreenbhm%2Fmaster-v2
Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-1225/agreenbhm/master-v2
Pull-Request: https://github.com/gitgitgadget/git/pull/1225

Range-diff vs v1:

 1:  8bf14c61c2a < -:  ----------- Added Curl Option to Override Request Method
 -:  ----------- > 1:  8734bf28344 Added Curl Option to Override Request Method v2


 http.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/http.c b/http.c
index 229da4d1488..eaf269fc5a7 100644
--- a/http.c
+++ b/http.c
@@ -75,6 +75,7 @@ static const char *http_proxy_ssl_key;
 static const char *http_proxy_ssl_ca_info;
 static struct credential proxy_cert_auth = CREDENTIAL_INIT;
 static int proxy_ssl_cert_password_required;
+static const char *http_custom_request;
 
 static struct {
 	const char *name;
@@ -403,6 +404,9 @@ static int http_options(const char *var, const char *value, void *cb)
 		return 0;
 	}
 
+	if(!strcmp("http.customrequest", var))
+		return git_config_string(&http_custom_request, var, value);
+
 	/* Fall back on the default ones */
 	return git_default_config(var, value, cb);
 }
@@ -1099,6 +1103,7 @@ void http_init(struct remote *remote, const char *url, int proactive_auth)
 		    starts_with(url, "https://"))
 			ssl_cert_password_required = 1;
 	}
+	set_from_env(&http_custom_request, "CURLOPT_CUSTOMREQUEST");
 
 	curl_default = get_curl_handle();
 }
@@ -1212,7 +1217,7 @@ struct active_request_slot *get_active_slot(void)
 		curl_easy_setopt(slot->curl, CURLOPT_COOKIEJAR, curl_cookie_file);
 	curl_easy_setopt(slot->curl, CURLOPT_HTTPHEADER, pragma_header);
 	curl_easy_setopt(slot->curl, CURLOPT_ERRORBUFFER, curl_errorstr);
-	curl_easy_setopt(slot->curl, CURLOPT_CUSTOMREQUEST, NULL);
+	curl_easy_setopt(slot->curl, CURLOPT_CUSTOMREQUEST, http_custom_request);
 	curl_easy_setopt(slot->curl, CURLOPT_READFUNCTION, NULL);
 	curl_easy_setopt(slot->curl, CURLOPT_WRITEFUNCTION, NULL);
 	curl_easy_setopt(slot->curl, CURLOPT_POSTFIELDS, NULL);

base-commit: 6cd33dceed60949e2dbc32e3f0f5e67c4c882e1e
-- 
gitgitgadget

Re: [PATCH v2] Added Curl Option to Override Request Method v2

[brian m. carlson]

[-- Attachment #1: Type: text/plain, Size: 1741 bytes --]

On 2022-04-26 at 15:57:39, Drew Green via GitGitGadget wrote:
> From: agreenbhm <agreenbhm@gmail.com>
> 
> Added support for environment variable "CURLOPT_CUSTOMREQUEST"
> and config option "http.customrequest" to allow setting the Curl
> option to override the default request method used by HTTP Git
> operations.  Primary reason for this is to allow support for
> cloning repositories where only GET requests
> are allowed by a local web proxy but not POSTs.  When cloning
> a repo first a GET is made to the server and then a
> POST is made to the "git-upload-pack" endpoint.  In some
> corporate environments with strong controls
> only GET requests are allowed to known repository hosts (such
> as GitHub) through a web proxy to prevent data leakage.  Using this
> new setting, a user can set the "CURLOPT_CUSTOMREQUEST=GET" env at runtime
> or "http.customrequest = GET" in their config file which will
> change the second request from a POST to a GET, bypassing
> web proxy restrictions on the type of requests allowed.
> Tested with GitHub, changing the request from POST to GET still
> results in the expected behavior of the repo successfully being cloned.

I don't think this is a good idea.  It may happen that GitHub or other
servers happen to accept a GET request here, but that is a bug and
should be fixed.  It is definitely not something we should depend on or
rely on, and it isn't a documented part of the protocol.

If your corporate environment doesn't allow POST requests, you may wish
to use SSH for Git operations instead, or you may need to explain to
your company why you cannot do your job with their proxy in place.
-- 
brian m. carlson (he/him or they/them)
Toronto, Ontario, CA

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 262 bytes --]