git@vger.kernel.org mailing list mirror (one of many)
From: Junio C Hamano <gitster@pobox.com>
To: "Torsten Bögershausen" <tboegi@web.de>
Cc: Mike Hommey <mh@glandium.org>, git@vger.kernel.org
Subject: Re: [PATCH v4 01/11] add fetch-pack --diag-url tests for some corner cases
Date: Fri, 06 May 2016 08:52:14 -0700
Message-ID: <xmqqoa8j5glt.fsf@gitster.mtv.corp.google.com>
In-Reply-To: <4349487f-716e-dadf-795b-cf790b03e02d@web.de> ("Torsten Bögershausen"'s message of "Fri, 6 May 2016 06:17:04 +0200")

Torsten Bögershausen <tboegi@web.de> writes:

> ssh itself does not use a password:
> ...
> Neither does Git.
> ...
> The user:password came in here:
> Commit 92722efec01f67a54b
> clone: do not use port number as dir name
>
> Actually, looking back, it may have been better to say
> git clone ssh://aaaa:bbbb@host:/path
> is illegal and simply die() out.

RFC2396, which updated RFC1738, discourages the use of :password
in "3.2.2 Server-based Naming Authority", for obvious reasons.

   Some URL schemes use the format "user:password" in the userinfo
   field.  This practice is NOT RECOMMENDED ...

and then this is marked as deprecated in RFC3986 "3.2.1. User
Information".

   Use of the format "user:password" in the userinfo field is
   deprecated.  Applications should not render as clear text any
   data after the first colon (":") character found within a
   userinfo subcomponent unless the data after the colon is the
   empty string (indicating no password).

However, at the parser level that _knows_ the syntax, you shouldn't
be unilaterally turning these "not recommended" and "deprecated" to
"forbidden".  It should be prepared to see ':' in its input, if only
to correctly recognize that as an attempt to express :password, in
order to be able to hide the data after the first colon when running
in verbose mode for example.

I'd recommend that the parser allow <user>:<password>@<host>, and
at least notice ':' that appears before the first '@' as having a
deprecated form of <userinfo>.  After stripping <scheme>:// from the
front, it is OK to assume that everything before the first '@' is
<userinfo> (in RFC2396 lingo), and everything in <userinfo> that is
before the first ':' is <user> when doing so.

>>> ...  When you are constrained by the Common Internet
>>> Scheme Syntax, i.e.
>>>
>>>     <scheme>://<user>:<password>@<host>:<port>/<url-path>
>>>
>>> you cannot have arbitrary characters in these parts; within the user
>>> and password field, any ":", "@", or "/" must be encoded.
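An added example, written here and not code from git or from the patch series under discussion: a small C parser that applies the rule stated above, treating everything before the first '@' of the authority as <userinfo> and everything in <userinfo> before its first ':' as <user>, plus a display helper that hides the data after that colon as RFC 3986 3.2.1 asks (unless it is empty). It splits on raw separators only, so a percent-encoded ":" or "@" inside user or password never acts as one, and it keeps bracketed IPv6 hosts intact. The struct and function names are hypothetical, and the sample URLs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical parsed form; not git's own struct. */
struct url_parts {
    char scheme[16], user[64], password[64], host[128], port[8], path[256];
    int has_password;  /* a ':' appeared before the first '@' (deprecated userinfo form) */
};

/* Copy [start,end) verbatim; the parser never decodes, so "%40" stays inert. */
static int copy_raw(char *dst, size_t dstlen, const char *start, const char *end)
{
    size_t n = (size_t)(end - start);
    if (n >= dstlen)
        return -1;
    memcpy(dst, start, n);
    dst[n] = '\0';
    return 0;
}

/* Split <scheme>://<userinfo>@<host>:<port>/<path>. Returns 0, or -1 if malformed. */
int parse_url(const char *url, struct url_parts *out)
{
    const char *p, *auth, *auth_end, *at, *host, *host_end;
    memset(out, 0, sizeof(*out));

    p = strstr(url, "://");
    if (!p || p == url)
        return -1;
    if (copy_raw(out->scheme, sizeof(out->scheme), url, p))
        return -1;
    auth = p + 3;
    auth_end = strchr(auth, '/');
    if (!auth_end)
        auth_end = auth + strlen(auth);

    /* Everything before the first '@' is <userinfo>; before its first ':' is <user>. */
    at = memchr(auth, '@', (size_t)(auth_end - auth));
    if (at) {
        const char *colon = memchr(auth, ':', (size_t)(at - auth));
        if (colon) {
            out->has_password = 1;   /* noticed even when the password is empty */
            if (copy_raw(out->user, sizeof(out->user), auth, colon) ||
                copy_raw(out->password, sizeof(out->password), colon + 1, at))
                return -1;
        } else if (copy_raw(out->user, sizeof(out->user), auth, at)) {
            return -1;
        }
        host = at + 1;
    } else {
        host = auth;
    }

    /* <host>[:<port>]; a bracketed IPv6 literal may itself contain ':'. */
    if (*host == '[') {
        host_end = memchr(host, ']', (size_t)(auth_end - host));
        if (!host_end)
            return -1;
        host_end++;
        if (host_end < auth_end && *host_end != ':')
            return -1;
    } else {
        host_end = memchr(host, ':', (size_t)(auth_end - host));
        if (!host_end)
            host_end = auth_end;
    }
    if (host_end == host)   /* empty host */
        return -1;
    if (copy_raw(out->host, sizeof(out->host), host, host_end))
        return -1;
    if (host_end < auth_end &&
        copy_raw(out->port, sizeof(out->port), host_end + 1, auth_end))
        return -1;
    return copy_raw(out->path, sizeof(out->path), auth_end, auth_end + strlen(auth_end));
}

/* Render for verbose/log output: never show data after the first colon of
 * userinfo unless it is the empty string (RFC 3986 3.2.1). Returns chars written. */
int render_redacted(const struct url_parts *u, char *buf, size_t len)
{
    const char *pw = u->has_password ? (u->password[0] ? ":<redacted>" : ":") : "";
    return snprintf(buf, len, "%s://%s%s%s%s%s%s%s", u->scheme, u->user, pw,
                    (u->user[0] || u->has_password) ? "@" : "",
                    u->host, u->port[0] ? ":" : "", u->port, u->path);
}

int main(void)
{
    /* Constructed inputs, including the corner case from the thread. */
    const char *samples[] = { "ssh://aaaa:bbbb@host:/path", "ssh://user@[::1]:2222/repo.git",
                              "https://a%40b:p%3Aw@example.com/r.git", "git://host/repo" };
    struct url_parts u;
    char shown[512];
    for (size_t i = 0; i < sizeof(samples) / sizeof(*samples); i++) {
        if (parse_url(samples[i], &u)) {
            printf("%s: malformed\n", samples[i]);
            continue;
        }
        render_redacted(&u, shown, sizeof(shown));
        printf("user=%s host=%s port=%s path=%s shown=%s\n",
               u.user, u.host, u.port, u.path, shown);
    }
    return 0;
}
```

The parser deliberately records `has_password` even when the password is empty, so a caller can still tell the deprecated form was used, and `render_redacted` is the only function that should ever reach a terminal or log line.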


Thread overview: 46+ messages
2016-05-01  6:02 [PATCH v3 0/6] connect: various cleanups Mike Hommey
2016-05-01  6:02 ` [PATCH 1/6] connect: remove get_port() Mike Hommey
2016-05-01 10:10   ` Torsten Bögershausen
2016-05-01 21:43     ` Mike Hommey
2016-05-03  5:03     ` Jeff King
2016-05-03  5:11       ` Mike Hommey
2016-05-01  6:02 ` [PATCH 2/6] connect: uniformize and group CONNECT_DIAG_URL handling code Mike Hommey
2016-05-01 13:37   ` Torsten Bögershausen
2016-05-01 23:20     ` Mike Hommey
2016-05-02  4:56   ` Torsten Bögershausen
2016-05-02  8:31     ` Mike Hommey
2016-05-02 11:29       ` Torsten Bögershausen
2016-05-02 12:38         ` Mike Hommey
2016-05-02 22:05         ` Junio C Hamano
2016-05-02 23:14           ` Junio C Hamano
2016-05-01  6:02 ` [PATCH 3/6] connect: only match the host with core.gitProxy Mike Hommey
2016-05-01  6:02 ` [PATCH 4/6] connect: pass separate host and port to git_tcp_connect and git_proxy_connect Mike Hommey
2016-05-01  6:02 ` [PATCH 5/6] connect: don't xstrdup target_host Mike Hommey
2016-05-01  6:02 ` [PATCH 6/6] connect: move ssh command line preparation to a separate function Mike Hommey
2016-05-03  8:50 ` [PATCH v4 00/11] connect: various cleanups Mike Hommey
2016-05-03  8:50   ` [PATCH v4 01/11] add fetch-pack --diag-url tests for some corner cases Mike Hommey
2016-05-03 16:07     ` Torsten Bögershausen
2016-05-03 16:07     ` Junio C Hamano
2016-05-03 16:30       ` Torsten Bögershausen
2016-05-03 22:48       ` Mike Hommey
2016-05-05 21:52         ` Mike Hommey
2016-05-06  4:17           ` Torsten Bögershausen
2016-05-06 15:52             ` Junio C Hamano [this message]
2016-05-03  8:50   ` [PATCH v4 02/11] connect: call get_host_and_port() earlier Mike Hommey
2016-05-03  8:50   ` [PATCH v4 03/11] connect: only match the host with core.gitProxy Mike Hommey
2016-05-03  8:50   ` [PATCH v4 04/11] connect: fill the host header in the git protocol with the host and port variables Mike Hommey
2016-05-03  8:50   ` [PATCH v4 05/11] connect: make parse_connect_url() return separated host and port Mike Hommey
2016-05-03  8:50   ` [PATCH v4 06/11] connect: group CONNECT_DIAG_URL handling code Mike Hommey
2016-05-03  8:50   ` [PATCH v4 07/11] connect: make parse_connect_url() return the user part of the url as a separate value Mike Hommey
2016-05-03  8:50   ` [PATCH v4 08/11] connect: change the --diag-url output to separate user and host Mike Hommey
2016-05-03 16:20     ` Torsten Bögershausen
2016-05-03 17:23       ` Eric Sunshine
2016-05-03 22:50         ` Mike Hommey
2016-05-03  8:50   ` [PATCH v4 09/11] connect: use "-l user" instead of "user@" on ssh command line Mike Hommey
2016-05-03 16:25     ` Torsten Bögershausen
2016-05-03 17:50       ` Junio C Hamano
2016-05-03 17:33     ` Eric Sunshine
2016-05-03 22:52       ` Mike Hommey
2016-05-03  8:50   ` [PATCH v4 10/11] connect: actively reject git:// urls with a user part Mike Hommey
2016-05-03  8:50   ` [PATCH v4 11/11] connect: move ssh command line preparation to a separate function Mike Hommey
2016-05-03 12:30     ` [PATCH v4.1 " Mike Hommey
