[PATCH 3/9] credential: parse URL without host as empty host, not unset
We may feed a URL like "cert:///path/to/cert.pem" into the credential
machinery to get the key for a client-side certificate. That
credential has no hostname field, which is about to be disallowed (to
avoid confusion with protocols where a helper _would_ expect a
hostname).
This means as of the next patch, credential helpers won't work for
unlocking certs. Let's fix that by doing two things:
- when we parse a url with an empty host, set the host field to the
empty string (asking only to match stored entries with an empty
host) rather than NULL (asking to match _any_ host).
- when we build a cert:// credential by hand, similarly assign an
empty string
It's the latter that is more likely to impact real users in practice,
since it's what's used for http connections. But we don't have good
infrastructure to test it.
The url-parsing version will help anybody using git-credential in a
script, and is easy to test.
Signed-off-by: Jeff King <peff@peff.net>
Reviewed-by: Taylor Blau <me@ttaylorr.com>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
Gbp-Pq: Name CVE-2020-11008-3.patch
This commit is contained in:
Jeff King
Lu zhiping
parent
63532648e0
commit
9b06bee7aa
|
|
@ -376,8 +376,7 @@ int credential_from_url_gently(struct credential *c, const char *url,
|
|||
|
||||
if (proto_end - url > 0)
|
||||
c->protocol = xmemdupz(url, proto_end - url);
|
||||
if (slash - host > 0)
|
||||
c->host = url_decode_mem(host, slash - host);
|
||||
c->host = url_decode_mem(host, slash - host);
|
||||
/* Trim leading and trailing slashes from path */
|
||||
while (*slash == '/')
|
||||
slash++;
|
||||
|
|
|
|||
1
http.c
1
http.c
|
|
@ -558,6 +558,7 @@ static int has_cert_password(void)
|
|||
return 0;
|
||||
if (!cert_auth.password) {
|
||||
cert_auth.protocol = xstrdup("cert");
|
||||
cert_auth.host = xstrdup("");
|
||||
cert_auth.username = xstrdup("");
|
||||
cert_auth.path = xstrdup(ssl_cert);
|
||||
credential_fill(&cert_auth);
|
||||
|
|
|
|||
|
|
@ -413,4 +413,21 @@ test_expect_success 'url parser ignores embedded newlines' '
|
|||
EOF
|
||||
'
|
||||
|
||||
test_expect_success 'host-less URLs are parsed as empty host' '
|
||||
check fill "verbatim foo bar" <<-\EOF
|
||||
url=cert:///path/to/cert.pem
|
||||
--
|
||||
protocol=cert
|
||||
host=
|
||||
path=path/to/cert.pem
|
||||
username=foo
|
||||
password=bar
|
||||
--
|
||||
verbatim: get
|
||||
verbatim: protocol=cert
|
||||
verbatim: host=
|
||||
verbatim: path=path/to/cert.pem
|
||||
EOF
|
||||
'
|
||||
|
||||
test_done
|
||||
|
|
|
|||
Loading…
Reference in New Issue