<feed xmlns='http://www.w3.org/2005/Atom'>
<title>git/credential.c, branch v2.40.4</title>
<subtitle>Mirror of https://git.kernel.org/pub/scm/git/git.git/
</subtitle>
<id>https://git.shady.money/git/atom?h=v2.40.4</id>
<link rel='self' href='https://git.shady.money/git/atom?h=v2.40.4'/>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/'/>
<updated>2024-11-26T19:24:04Z</updated>
<entry>
<title>credential: disallow Carriage Returns in the protocol by default</title>
<updated>2024-11-26T19:24:04Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2024-11-04T13:48:22Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=b01b9b81d36759cdcd07305e78765199e1bc2060'/>
<id>urn:sha1:b01b9b81d36759cdcd07305e78765199e1bc2060</id>
<content type='text'>
While Git has documented that the credential protocol is line-based,
with newlines as terminators, the exact shape of a newline has not been
documented.

From Git's perspective, which is firmly rooted in the Linux ecosystem,
it is clear that "a newline" means a Line Feed character.

However, even Git's credential protocol respects Windows line endings
(a Carriage Return character followed by a Line Feed character, "CR/LF")
by virtue of using `strbuf_getline()`.

There is a third category of line endings that has been used originally
by MacOS, and that is respected by the default line readers of .NET and
node.js: bare Carriage Returns.

Git cannot handle those, and what is worse: Git's remedy against
CVE-2020-5260 does not catch when credential helpers are used that
interpret bare Carriage Returns as newlines.

Git Credential Manager addressed this as CVE-2024-50338, but other
credential helpers may still be vulnerable. So let's not only disallow
Line Feed characters as part of the values in the credential protocol,
but also disallow Carriage Return characters.

In the unlikely event that a credential helper relies on Carriage
Returns in the protocol, introduce an escape hatch via the
`credential.protectProtocol` config setting.

This addresses CVE-2024-52006.

Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
</content>
</entry>
<entry>
<title>credential: sanitize the user prompt</title>
<updated>2024-11-26T19:24:04Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2024-10-30T12:26:10Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=7725b8100ffbbff2750ee4d61a0fcc1f53a086e8'/>
<id>urn:sha1:7725b8100ffbbff2750ee4d61a0fcc1f53a086e8</id>
<content type='text'>
When asking the user interactively for credentials, we want to avoid
misleading them e.g. via control sequences that pretend that the URL
targets a trusted host when it does not.

While Git learned, over the course of the preceding commits, to disallow
URLs containing URL-encoded control characters by default, credential
helpers are still allowed to specify values very freely (apart from Line
Feed and NUL characters, anything is allowed), and this would allow,
say, a username containing control characters to be specified that would
then be displayed in the interactive terminal prompt asking the user for
the password, potentially sending those control characters directly to
the terminal. This is undesirable because control characters can be used
to mislead users to divulge secret information to untrusted sites.

To prevent such an attack vector, let's add a `git_prompt()` that forces
the displayed text to be sanitized, i.e. displaying question marks
instead of control characters.

Note: While this commit's diff changes a lot of `user@host` strings to
`user%40host`, which may look suspicious on the surface, there is a good
reason for that: this string specifies a user name, not a
&lt;username&gt;@&lt;hostname&gt; combination! In the context of t5541, the actual
combination looks like this: `user%40@127.0.0.1:5541`. Therefore, these
string replacements document a net improvement introduced by this
commit, as `user@host@127.0.0.1` could have left readers wondering where
the user name ends and where the host name begins.

Hinted-at-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
</content>
</entry>
<entry>
<title>credential_format(): also encode &lt;host&gt;[:&lt;port&gt;]</title>
<updated>2024-11-26T19:24:00Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2024-11-07T07:57:52Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=c903985bf7e772e2d08275c1a95c8a55ab011577'/>
<id>urn:sha1:c903985bf7e772e2d08275c1a95c8a55ab011577</id>
<content type='text'>
An upcoming change wants to sanitize the credential password prompt
where a URL is displayed that may potentially come from a `.gitmodules`
file. To this end, the `credential_format()` function is employed.

To sanitize the host name (and optional port) part of the URL, we need a
new mode of the `strbuf_add_percentencode()` function because the
current mode is both too strict and too lenient: too strict because it
encodes `:`, `[` and `]` (which should be left unencoded in
`&lt;host&gt;:&lt;port&gt;` and in IPv6 addresses), and too lenient because it does
not encode invalid host name characters `/`, `_` and `~`.

So let's introduce and use a new mode specifically to encode the host
name and optional port part of a URI, leaving alpha-numerical
characters, periods, colons and brackets alone and encoding all others.

This only leads to a change of behavior for URLs that contain invalid
host names.

Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
</content>
</entry>
<entry>
<title>credential: new attribute password_expiry_utc</title>
<updated>2023-02-22T23:18:58Z</updated>
<author>
<name>M Hickford</name>
<email>mirth.hickford@gmail.com</email>
</author>
<published>2023-02-18T06:32:57Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=d208bfdfef97a1e8fb746763b5057e0ad91e283b'/>
<id>urn:sha1:d208bfdfef97a1e8fb746763b5057e0ad91e283b</id>
<content type='text'>
Some passwords have an expiry date known at generation. This may be
years away for a personal access token or hours for an OAuth access
token.

When multiple credential helpers are configured, `credential fill` tries
each helper in turn until it has a username and password, returning
early. If Git authentication succeeds, `credential approve`
stores the successful credential in all helpers. If authentication
fails, `credential reject` erases matching credentials in all helpers.
Helpers implement corresponding operations: get, store, erase.

The credential protocol has no expiry attribute, so helpers cannot
store expiry information. Even if a helper returned an improvised
expiry attribute, git credential discards unrecognised attributes
between operations and between helpers.

This is a particular issue when a storage helper and a
credential-generating helper are configured together:

	[credential]
		helper = storage  # eg. cache or osxkeychain
		helper = generate  # eg. oauth

`credential approve` stores the generated credential in both helpers
without expiry information. Later `credential fill` may return an
expired credential from storage. There is no workaround, no matter how
clever the second helper. The user sees authentication fail (a retry
will succeed).

Introduce a password expiry attribute. In `credential fill`, ignore
expired passwords and continue to query subsequent helpers.

In the example above, `credential fill` ignores the expired password
and a fresh credential is generated. If authentication succeeds,
`credential approve` replaces the expired password in storage.
If authentication fails, the expired credential is erased by
`credential reject`. It is unnecessary but harmless for storage
helpers to self prune expired credentials.

Add support for the new attribute to credential-cache.
Eventually, I hope to see support in other popular storage helpers.

Example usage in a credential-generating helper
https://github.com/hickford/git-credential-oauth/pull/16

Signed-off-by: M Hickford &lt;mirth.hickford@gmail.com&gt;
Reviewed-by: Calvin Wan &lt;calvinwan@google.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>urlmatch.c: add and use a *_release() function</title>
<updated>2022-03-04T21:24:18Z</updated>
<author>
<name>Ævar Arnfjörð Bjarmason</name>
<email>avarab@gmail.com</email>
</author>
<published>2022-03-04T18:32:07Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=a41e8e74674d53a46616b01f2c18e43c7f2f30a8'/>
<id>urn:sha1:a41e8e74674d53a46616b01f2c18e43c7f2f30a8</id>
<content type='text'>
Plug a memory leak in credential_apply_config() by adding and using a
new urlmatch_config_release() function. This just does a
string_list_clear() on the "vars" member.

This finished up work on normalizing the init/free pattern in this
API, started in 73ee449bbf2 (urlmatch.[ch]: add and use
URLMATCH_CONFIG_INIT, 2021-10-01).

Signed-off-by: Ævar Arnfjörð Bjarmason &lt;avarab@gmail.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>urlmatch.[ch]: add and use URLMATCH_CONFIG_INIT</title>
<updated>2021-10-01T21:22:51Z</updated>
<author>
<name>Ævar Arnfjörð Bjarmason</name>
<email>avarab@gmail.com</email>
</author>
<published>2021-10-01T10:27:33Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=73ee449bbf2918e29d26361e57f35a24f224e3be'/>
<id>urn:sha1:73ee449bbf2918e29d26361e57f35a24f224e3be</id>
<content type='text'>
Change the initialization pattern of "struct urlmatch_config" to use
an *_INIT macro and designated initializers. Right now there's no
other "struct" member of "struct urlmatch_config" which would require
its own *_INIT, but it's good practice not to assume that. Let's also
change this to a designated initializer while we're at it.

Signed-off-by: Ævar Arnfjörð Bjarmason &lt;avarab@gmail.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>credential: fix leak in credential_apply_config()</title>
<updated>2021-08-25T18:41:30Z</updated>
<author>
<name>Mike Hommey</name>
<email>mh@glandium.org</email>
</author>
<published>2021-08-20T08:44:13Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=5146c2f148e903db2d906dae372803d9c8c3bbcf'/>
<id>urn:sha1:5146c2f148e903db2d906dae372803d9c8c3bbcf</id>
<content type='text'>
Signed-off-by: Mike Hommey &lt;mh@glandium.org&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>*.c *_init(): define in terms of corresponding *_INIT macro</title>
<updated>2021-07-01T19:32:22Z</updated>
<author>
<name>Ævar Arnfjörð Bjarmason</name>
<email>avarab@gmail.com</email>
</author>
<published>2021-07-01T10:51:26Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=5726a6b4012cd41701927a6637b9f2070e7760ee'/>
<id>urn:sha1:5726a6b4012cd41701927a6637b9f2070e7760ee</id>
<content type='text'>
Change the common patter in the codebase of duplicating the
initialization logic between an *_INIT macro and a
corresponding *_init() function to use the macro as the canonical
source of truth.

Now we no longer need to keep the function up-to-date with the macro
version. This implements a suggestion by Jeff King who found that
under -O2 [1] modern compilers will init new version in place without
the extra copy[1]. The performance of a single *_init() won't matter
in most cases, but even if it does we're going to be producing
efficient machine code to perform these operations.

1. https://lore.kernel.org/git/YNyrDxUO1PlGJvCn@coredump.intra.peff.net/

Signed-off-by: Ævar Arnfjörð Bjarmason &lt;avarab@gmail.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>credential: treat CR/LF as line endings in the credential protocol</title>
<updated>2020-10-03T17:41:03Z</updated>
<author>
<name>Nikita Leonov</name>
<email>nykyta.leonov@gmail.com</email>
</author>
<published>2020-10-03T13:29:12Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=356c473295097f4aeaacc1a2dcd70271b7080788'/>
<id>urn:sha1:356c473295097f4aeaacc1a2dcd70271b7080788</id>
<content type='text'>
This fix makes using Git credentials more friendly to Windows users: it
allows a credential helper to communicate using CR/LF line endings ("DOS
line endings" commonly found on Windows) instead of LF-only line endings
("Unix line endings").

Note that this changes the behavior a bit: if a credential helper
produces, say, a password with a trailing Carriage Return character,
that will now be culled even when the rest of the lines end only in Line
Feed characters, indicating that the Carriage Return was not meant to be
part of the line ending.

In practice, it seems _very_ unlikely that something like this happens.
Passwords usually need to consist of non-control characters, URLs need
to have special characters URL-encoded, and user names, well, are names.

However, it _does_ help on Windows, where CR/LF line endings are common:
as unrecognized commands are simply ignored by the credential machinery,
even a command like `quit\r` (which is clearly intended to abort) would
simply be ignored (silently) by Git.

So let's change the credential machinery to accept both CR/LF and LF
line endings.

While we do this for the credential helper protocol, we do _not_ adjust
`git credential-cache--daemon` (which won't work on Windows, anyway,
because it requires Unix sockets) nor `git credential-store` (which
writes the file `~/.git-credentials` which we consider an implementation
detail that should be opaque to the user, read: we do expect users _not_
to edit this file manually).

Signed-off-by: Nikita Leonov &lt;nykyta.leonov@gmail.com&gt;
Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>run_command: teach API users to use embedded 'args' more</title>
<updated>2020-08-26T22:32:37Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2020-08-26T22:25:03Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=afbdba391eaf3c473eff8f12437ff510935b520f'/>
<id>urn:sha1:afbdba391eaf3c473eff8f12437ff510935b520f</id>
<content type='text'>
The child_process structure has an embedded strvec for formulating
the command line argument list these days, but code that predates
the wide use of it prepared a separate char *argv[] array and
manually set the child_process.argv pointer point at it.

Teach these old-style code to lose the separate argv[] array.

Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
</feed>
