public inbox for git@vger.kernel.org 
From: Junio C Hamano <gitster@pobox•com>
To: Knut Franke <k.franke@science-computing•de>
Cc: git@vger•kernel.org, Eric Sunshine <sunshine@sunshineco•com>
Subject: Re: [PATCH 2/2] http: use credential API to handle proxy authentication
Date: Mon, 02 Nov 2015 14:54:51 -0800
Message-ID: <xmqqbnbcdnb8.fsf@gitster.mtv.corp.google.com>
In-Reply-To: <1446483264-15123-3-git-send-email-k.franke@science-computing.de> (Knut Franke's message of "Mon, 2 Nov 2015 17:54:24 +0100")

Knut Franke <k.franke@science-computing•de> writes:

> Currently, the only way to pass proxy credentials to curl is by including them
> in the proxy URL. Usually, this means they will end up on disk unencrypted, one
> way or another (by inclusion in ~/.gitconfig, shell profile or history). Since
> proxy authentication often uses a domain user, credentials can be security
> sensitive; therefore, a safer way of passing credentials is desirable.
>
> If the configured proxy contains a username but not a password, query the
> credential API for one. Also, make sure we approve/reject proxy credentials
> properly.
>
> For consistency reasons, add parsing of http_proxy/https_proxy/all_proxy
> environment variables, which would otherwise be evaluated as a fallback by curl.
> Without this, we would have different semantics for git configuration and
> environment variables.
>
> Signed-off-by: Knut Franke <k.franke@science-computing•de>
> Reviewed-by: Junio C Hamano <gitster@pobox•com>
> Reviewed-by: Eric Sunshine <sunshine@sunshineco•com>

As with 1/2, I have not reviewed this version yet.

> ---
>  http.c | 76 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
>  http.h |  1 +
>  2 files changed, 75 insertions(+), 2 deletions(-)
>
> diff --git a/http.c b/http.c
> index 1172819..5708c7a 100644
> --- a/http.c
> +++ b/http.c
> @@ -62,7 +62,7 @@ static const char *ssl_cainfo;
>  static long curl_low_speed_limit = -1;
>  static long curl_low_speed_time = -1;
>  static int curl_ftp_no_epsv;
> -static const char *curl_http_proxy;
> +static const char *curl_http_proxy = NULL;
>  static const char *http_proxy_authmethod = NULL;

We do not do unnecessary initialization of file-scope globals to 0
or NULL.  The existing definition of curl_http_proxy is correct;
the one for http_proxy_authmethod needs to be changed to match.

>  static void init_curl_proxy_auth(CURL *result)
>  {
> +	if (proxy_auth.username) {
> +		if (!proxy_auth.password)
> +			credential_fill(&proxy_auth);
> +#if LIBCURL_VERSION_NUM >= 0x071301
> +		curl_easy_setopt(result, CURLOPT_PROXYUSERNAME,
> +			proxy_auth.username);
> +		curl_easy_setopt(result, CURLOPT_PROXYPASSWORD,
> +			proxy_auth.password);
> +#else
> +		struct strbuf s = STRBUF_INIT;
> +		strbuf_addstr_urlencode(&s, proxy_auth.username, 1);
> +		strbuf_addch(&s, ':');
> +		strbuf_addstr_urlencode(&s, proxy_auth.password, 1);
> +		curl_proxyuserpwd = strbuf_detach(&s, NULL);
> +		curl_easy_setopt(result, CURLOPT_PROXYUSERPWD, curl_proxyuserpwd);
> +#endif
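
Review bot: In the #else branch, `curl_proxyuserpwd = strbuf_detach(&s, NULL);` overwrites the pointer without regard to what it held before, so every call to init_curl_proxy_auth() for a new CURL handle allocates another copy of the URL-encoded proxy password and drops the reference to the previous one. Build the string only when curl_proxyuserpwd is not yet set and reuse it for later handles, which also keeps the number of password copies in memory at one. A short comment on why this branch URL-encodes the username and password while the CURLOPT_PROXYUSERNAME/CURLOPT_PROXYPASSWORD branch passes them raw would help the next reader.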

I think the #else clause of this thing would introduce a decl-after-stmt
compilation error.
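
The rule stated in the quoted commit message (a proxy URL with a username but no password means the password has to be obtained elsewhere) can be shown with a small stand-alone classifier. This is an added example, not code from the patch or from git; classify_proxy(), copy_part() and the enum are hypothetical names, and the proxy URL is a constructed sample.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical classification of a proxy setting (not git's own types). */
enum proxy_cred { PROXY_NO_USER, PROXY_NEEDS_PASSWORD, PROXY_PASSWORD_IN_URL };

/* Copy at most dstlen-1 bytes of [s, s+n) into dst and NUL-terminate. */
static void copy_part(char *dst, size_t dstlen, const char *s, size_t n)
{
	if (n >= dstlen)
		n = dstlen - 1;
	memcpy(dst, s, n);
	dst[n] = '\0';
}

/*
 * Split "[scheme://][user[:password]@]host[:port][/...]" (no percent-decoding)
 * and report whether the password must come from a credential helper.
 */
enum proxy_cred classify_proxy(const char *url, char *user, size_t ulen,
			       char *host, size_t hlen)
{
	const char *p = strstr(url, "://");
	const char *auth = p ? p + 3 : url;
	size_t auth_len = strcspn(auth, "/");
	const char *at = NULL, *colon, *q;

	/* The userinfo ends at the last '@' inside the authority part. */
	for (q = auth; q < auth + auth_len; q++)
		if (*q == '@')
			at = q;
	user[0] = '\0';
	if (!at) {
		copy_part(host, hlen, auth, auth_len);
		return PROXY_NO_USER;
	}
	copy_part(host, hlen, at + 1, auth_len - (size_t)(at + 1 - auth));
	colon = memchr(auth, ':', (size_t)(at - auth));
	copy_part(user, ulen, auth, (size_t)((colon ? colon : at) - auth));
	return colon ? PROXY_PASSWORD_IN_URL : PROXY_NEEDS_PASSWORD;
}

int main(void)
{
	char user[64], host[128];
	/* Constructed sample value, as it might appear in http.proxy. */
	int r = classify_proxy("http://jdoe@proxy.example.com:8080",
			       user, sizeof(user), host, sizeof(host));
	printf("%d user=%s host=%s\n", r, user, host);
	return 0;
}
```

PROXY_PASSWORD_IN_URL is the case the commit message warns about: the secret sits in plain text wherever the URL is stored.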
