From: Junio C Hamano <gitster@pobox.com>
To: "Torsten Bögershausen" <tboegi@web.de>
Cc: Mike Hommey <mh@glandium.org>, git@vger.kernel.org
Subject: Re: [PATCH v4 01/11] add fetch-pack --diag-url tests for some corner cases
Date: Fri, 06 May 2016 08:52:14 -0700 [thread overview]
Message-ID: <xmqqoa8j5glt.fsf@gitster.mtv.corp.google.com> (raw)
In-Reply-To: <4349487f-716e-dadf-795b-cf790b03e02d@web.de> ("Torsten Bögershausen"'s message of "Fri, 6 May 2016 06:17:04 +0200")
Torsten Bögershausen <tboegi@web.de> writes:
> ssh itself does not use a password:
> ...
> Neither does Git.
> ...
> The user:password came in here:
> Commit 92722efec01f67a54b
> clone: do not use port number as dir name
>
> Actually, looking back, it may have been better to say
> git clone ssh://aaaa:bbbb@host:/path
> is illegal and simply die() out.
RFC2396, which updated RFC1738, discourages the use of :password
in "3.2.2 Server-based Naming Authority", for obvious reasons.
    Some URL schemes use the format "user:password" in the userinfo
    field. This practice is NOT RECOMMENDED ...
and then this is marked as deprecated in RFC3986 "3.2.1. User
Information".
    Use of the format "user:password" in the userinfo field is
    deprecated. Applications should not render as clear text any
    data after the first colon (":") character found within a
    userinfo subcomponent unless the data after the colon is the
    empty string (indicating no password).
However, at the parser level that _knows_ the syntax, you shouldn't
be unilaterally turning these "not recommended" and "deprecated" into
"forbidden". It should be prepared to see ':' in its input, if only
to correctly recognize that as an attempt to express :password, in
order to be able to hide the data after the first colon when running
in verbose mode, for example.
I'd recommend that the parser allow <user>:<password>@<host>, and
at least notice a ':' that appears before the first '@' as being a
deprecated form of <userinfo>. After stripping <scheme>:// from the
front, it is OK to assume that everything before the first '@' is
<userinfo> (in RFC2396 lingo), and everything in <userinfo> that is
before the first ':' is <user> when doing so.
>>> ... When you are constrained by the Common Internet
>>> Scheme Syntax, i.e.
>>>
>>> <scheme>://<user>:<password>@<host>:<port>/<url-path>
>>>
>>> you cannot have arbitrary characters in these parts; within the user
>>> and password field, any ":", "@", or "/" must be encoded.
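The parsing rule laid out in this message (strip <scheme>://, treat everything before the first '@' as <userinfo>, everything in <userinfo> before the first ':' as <user>, and mask whatever follows that colon in diagnostic output) can be shown in a small stand-alone C program. This is an added illustration for this archive page, not Git's parse_connect_url() or any code posted in the thread; the names parse_url, redact_url and struct url_parts are hypothetical, and the sample URLs in main() are constructed for the demonstration. It also handles a bracketed IPv6 literal in the host part, which the rule in the mail does not spell out.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical result type, added for illustration only (not Git's). */
struct url_parts {
    char scheme[16];
    char user[64];
    char password[64]; /* filled only for the deprecated user:password form */
    char host[128];
    char port[8];
    char path[256];
    int has_password;
};

/* Copy [start, end) into a fixed buffer, always NUL-terminating. */
static void copy_span(char *dst, size_t cap, const char *start, const char *end)
{
    size_t n = (size_t)(end - start);
    if (n >= cap)
        n = cap - 1;
    memcpy(dst, start, n);
    dst[n] = '\0';
}

/* Split <scheme>://[<user>[:<password>]@]<host>[:<port>][/<path>].
 * Everything before the first '@' in the authority is <userinfo>; everything in
 * <userinfo> before the first ':' is <user>. A ':' in <userinfo> is noticed as
 * the deprecated password form, not rejected. Returns 0 on success, -1 on
 * malformed input (no "://", or unterminated '[' in the host). */
int parse_url(const char *url, struct url_parts *p)
{
    memset(p, 0, sizeof(*p));
    const char *sep = strstr(url, "://");
    if (!sep)
        return -1;
    copy_span(p->scheme, sizeof(p->scheme), url, sep);
    const char *rest = sep + 3;

    /* The authority ends at the first '/' (or at end of string). */
    const char *slash = strchr(rest, '/');
    const char *auth_end = slash ? slash : rest + strlen(rest);
    if (slash)
        copy_span(p->path, sizeof(p->path), slash, rest + strlen(rest));

    const char *at = memchr(rest, '@', (size_t)(auth_end - rest));
    const char *hostport = rest;
    if (at) {
        const char *colon = memchr(rest, ':', (size_t)(at - rest));
        if (colon) {
            copy_span(p->user, sizeof(p->user), rest, colon);
            copy_span(p->password, sizeof(p->password), colon + 1, at);
            p->has_password = 1;
        } else {
            copy_span(p->user, sizeof(p->user), rest, at);
        }
        hostport = at + 1;
    }

    /* host[:port]; a bracketed IPv6 literal contains ':' itself, so skip it. */
    const char *port_colon = NULL;
    if (*hostport == '[') {
        const char *rb = memchr(hostport, ']', (size_t)(auth_end - hostport));
        if (!rb)
            return -1;
        copy_span(p->host, sizeof(p->host), hostport, rb + 1);
        if (rb + 1 < auth_end && rb[1] == ':')
            port_colon = rb + 1;
    } else {
        port_colon = memchr(hostport, ':', (size_t)(auth_end - hostport));
        copy_span(p->host, sizeof(p->host), hostport, port_colon ? port_colon : auth_end);
    }
    if (port_colon)
        copy_span(p->port, sizeof(p->port), port_colon + 1, auth_end);
    return 0;
}

/* Render a URL for verbose output with the data after the first ':' of
 * <userinfo> replaced by "***" (RFC3986 3.2.1). An empty password means
 * "no password" and is left alone. Returns 1 if something was masked. */
int redact_url(const char *url, char *out, size_t cap)
{
    const char *sep = strstr(url, "://");
    const char *rest = sep ? sep + 3 : NULL;
    const char *slash = rest ? strchr(rest, '/') : NULL;
    const char *auth_end = rest ? (slash ? slash : rest + strlen(rest)) : NULL;
    const char *at = rest ? memchr(rest, '@', (size_t)(auth_end - rest)) : NULL;
    const char *colon = at ? memchr(rest, ':', (size_t)(at - rest)) : NULL;
    if (!colon || colon + 1 == at) {
        snprintf(out, cap, "%s", url);
        return 0;
    }
    snprintf(out, cap, "%.*s:***%s", (int)(colon - url), url, at);
    return 1;
}

int main(void)
{
    /* Constructed sample URLs, including the one quoted in the mail. */
    const char *samples[] = { "ssh://aaaa:bbbb@host:/path",
                              "git://user@[::1]:9418/repo.git" };
    for (size_t i = 0; i < 2; i++) {
        struct url_parts p;
        char shown[256];
        if (parse_url(samples[i], &p) != 0)
            continue;
        redact_url(samples[i], shown, sizeof shown);
        printf("%s -> user=%s host=%s port=%s path=%s password=%s\n", shown,
               p.user, p.host, p.port, p.path, p.has_password ? "yes" : "no");
    }
    return 0;
}
```

The redacted string is what a tool would print in verbose mode; the parsed struct is what it would act on, so recognising the ':' is what makes the masking possible in the first place.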