From: Junio C Hamano <gitster@pobox.com>
To: Crls <kaploceh@gmail.com>
Cc: Theodore Ts'o <tytso@mit.edu>, git@vger.kernel.org
Subject: Re: ctrl-z ignored by git; creates blobs from non-existent repos
Date: Sun, 15 Jan 2023 18:07:57 -0800 [thread overview]
Message-ID: <xmqqmt6jdyf6.fsf@gitster.g> (raw)
In-Reply-To: <Y8SCZvMu7DZZH1Pl@localhost.my.domain> (Crls's message of "Sun, 15 Jan 2023 17:47:02 -0500")
Crls <kaploceh@gmail.com> writes:
> ... Coincidentally speaking, why does a username warrants a prompt
> from git, is simply beyond me. I mean, that is certainly the more
> far-fetched reasoning of implementation I've read in a long long
> time.
>
> Can you git-clone a user? What about the user's settings? What
> about the remainder its gpg tokens and so forth? In other words,
> if a user's repo is not found, why even prompting for a username?
> The latter, that is, the user's repo, is redundant, when the
> prompt is clearly asking for a username, and not a repo.
When you "git clone", you'd give a repository path to the server.
If the repository is not open to the general anonymous public, then
the server needs to check who you are (by asking username) and
verify that you are who you claim to be (by asking password).
Here two things you need to pay attention to.
- A user can be the
owner of more than one repositories, and
- a repository can be accessed by users other than its owner.
So even after the repository is known by the server, the server
still needs to ask you who you are.
Imagine that there are many projects hosted at the same site, the
repository path is named after the codename of the project, and the
project codename is need-to-know secret.
If the server side reacted differently between an attempt to clone
existing repositories and missing ones, an attacker can try
git clone https://site.example.com/projects/$X
with many X's and observe the behaviour of the server. If the
server is known to respond with "no such repository" for a missing
one, while responding with "please identify you" for an existing
one, you can easily tell if a word $X is a project codename, that is
supposed to be secret.
> Preventing the disclosure of information has nothing to do with
> the issue here. If anything seems clear to me, is that prompting
> for a username, does indeed disclose usernames, private, public
> and whatnot from either github or gitlab.
When you need to identify yourself to GitHub or GitLab, you'd give
your username and password. You know that GitHub or GitLab have the
username so it is not secret to them. Otherwise they wouldn't be
able to even recognise you.
So I am not sure how it "seems clear" that asking for the username
is a problem. The observed behaviour to ask for the username even
for a missing repository is all about avoiding to disclose one bit
of information: whether a repository exists at the given URL.
prev parent reply other threads:[~2023-01-16 2:08 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-13 22:01 ctrl-z ignored by git; creates blobs from non-existent repos Crls
2023-01-15 15:45 ` Theodore Ts'o
2023-01-15 18:36 ` Jeff King
2023-01-15 22:47 ` Crls
2023-01-15 23:33 ` Jeff King
2023-01-17 22:40 ` Crls
2023-01-16 2:07 ` Junio C Hamano [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=xmqqmt6jdyf6.fsf@gitster.g \
--to=gitster@pobox.com \
--cc=git@vger.kernel.org \
--cc=kaploceh@gmail.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).