<feed xmlns='http://www.w3.org/2005/Atom'>
<title>git/credential.c, branch v2.41.3</title>
<subtitle>Mirror of https://git.kernel.org/pub/scm/git/git.git/
</subtitle>
<id>https://git.shady.money/git/atom?h=v2.41.3</id>
<link rel='self' href='https://git.shady.money/git/atom?h=v2.41.3'/>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/'/>
<updated>2024-11-26T21:14:57Z</updated>
<entry>
<title>Sync with 2.40.4</title>
<updated>2024-11-26T21:14:57Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2024-10-29T23:27:52Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=676cddebf94fab8defe704b2f58c5b59912bb40c'/>
<id>urn:sha1:676cddebf94fab8defe704b2f58c5b59912bb40c</id>
<content type='text'>
* maint-2.40:
  Git 2.40.4
  credential: disallow Carriage Returns in the protocol by default
  credential: sanitize the user prompt
  credential_format(): also encode &lt;host&gt;[:&lt;port&gt;]
  t7300: work around platform-specific behaviour with long paths on MinGW
  compat/regex: fix argument order to calloc(3)
  mingw: drop bogus (and unneeded) declaration of `_pgmptr`
  ci: remove 'Upload failed tests' directories' step from linux32 jobs
</content>
</entry>
<entry>
<title>credential: disallow Carriage Returns in the protocol by default</title>
<updated>2024-11-26T19:24:04Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2024-11-04T13:48:22Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=b01b9b81d36759cdcd07305e78765199e1bc2060'/>
<id>urn:sha1:b01b9b81d36759cdcd07305e78765199e1bc2060</id>
<content type='text'>
While Git has documented that the credential protocol is line-based,
with newlines as terminators, the exact shape of a newline has not been
documented.

From Git's perspective, which is firmly rooted in the Linux ecosystem,
it is clear that "a newline" means a Line Feed character.

However, even Git's credential protocol respects Windows line endings
(a Carriage Return character followed by a Line Feed character, "CR/LF")
by virtue of using `strbuf_getline()`.

There is a third category of line endings that has been used originally
by MacOS, and that is respected by the default line readers of .NET and
node.js: bare Carriage Returns.

Git cannot handle those, and what is worse: Git's remedy against
CVE-2020-5260 does not catch when credential helpers are used that
interpret bare Carriage Returns as newlines.

Git Credential Manager addressed this as CVE-2024-50338, but other
credential helpers may still be vulnerable. So let's not only disallow
Line Feed characters as part of the values in the credential protocol,
but also disallow Carriage Return characters.

In the unlikely event that a credential helper relies on Carriage
Returns in the protocol, introduce an escape hatch via the
`credential.protectProtocol` config setting.

This addresses CVE-2024-52006.

Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
</content>
</entry>
<entry>
<title>credential: sanitize the user prompt</title>
<updated>2024-11-26T19:24:04Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2024-10-30T12:26:10Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=7725b8100ffbbff2750ee4d61a0fcc1f53a086e8'/>
<id>urn:sha1:7725b8100ffbbff2750ee4d61a0fcc1f53a086e8</id>
<content type='text'>
When asking the user interactively for credentials, we want to avoid
misleading them e.g. via control sequences that pretend that the URL
targets a trusted host when it does not.

While Git learned, over the course of the preceding commits, to disallow
URLs containing URL-encoded control characters by default, credential
helpers are still allowed to specify values very freely (apart from Line
Feed and NUL characters, anything is allowed), and this would allow,
say, a username containing control characters to be specified that would
then be displayed in the interactive terminal prompt asking the user for
the password, potentially sending those control characters directly to
the terminal. This is undesirable because control characters can be used
to mislead users to divulge secret information to untrusted sites.

To prevent such an attack vector, let's add a `git_prompt()` that forces
the displayed text to be sanitized, i.e. displaying question marks
instead of control characters.

Note: While this commit's diff changes a lot of `user@host` strings to
`user%40host`, which may look suspicious on the surface, there is a good
reason for that: this string specifies a user name, not a
&lt;username&gt;@&lt;hostname&gt; combination! In the context of t5541, the actual
combination looks like this: `user%40@127.0.0.1:5541`. Therefore, these
string replacements document a net improvement introduced by this
commit, as `user@host@127.0.0.1` could have left readers wondering where
the user name ends and where the host name begins.

Hinted-at-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
</content>
</entry>
<entry>
<title>credential_format(): also encode &lt;host&gt;[:&lt;port&gt;]</title>
<updated>2024-11-26T19:24:00Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2024-11-07T07:57:52Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=c903985bf7e772e2d08275c1a95c8a55ab011577'/>
<id>urn:sha1:c903985bf7e772e2d08275c1a95c8a55ab011577</id>
<content type='text'>
An upcoming change wants to sanitize the credential password prompt
where a URL is displayed that may potentially come from a `.gitmodules`
file. To this end, the `credential_format()` function is employed.

To sanitize the host name (and optional port) part of the URL, we need a
new mode of the `strbuf_add_percentencode()` function because the
current mode is both too strict and too lenient: too strict because it
encodes `:`, `[` and `]` (which should be left unencoded in
`&lt;host&gt;:&lt;port&gt;` and in IPv6 addresses), and too lenient because it does
not encode invalid host name characters `/`, `_` and `~`.

So let's introduce and use a new mode specifically to encode the host
name and optional port part of a URI, leaving alpha-numerical
characters, periods, colons and brackets alone and encoding all others.

This only leads to a change of behavior for URLs that contain invalid
host names.

Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
</content>
</entry>
<entry>
<title>Merge branch 'mh/credential-oauth-refresh-token'</title>
<updated>2023-05-10T17:23:29Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2023-05-10T17:23:28Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=2ca91d1ee07f934fa7f57ba34c397b150eef023f'/>
<id>urn:sha1:2ca91d1ee07f934fa7f57ba34c397b150eef023f</id>
<content type='text'>
The credential subsystem learns to help OAuth framework.

* mh/credential-oauth-refresh-token:
  credential: new attribute oauth_refresh_token
</content>
</entry>
<entry>
<title>Merge branch 'tb/credential-long-lines'</title>
<updated>2023-05-10T17:23:27Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2023-05-10T17:23:27Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=fbbf60a9bc4d7139efa70a0246cec2b3f2cc63fb'/>
<id>urn:sha1:fbbf60a9bc4d7139efa70a0246cec2b3f2cc63fb</id>
<content type='text'>
The implementation of credential helpers used fgets() over fixed
size buffers to read protocol messages, causing the remainder of
the folded long line to trigger unexpected behaviour, which has
been corrected.

* tb/credential-long-lines:
  contrib/credential: embiggen fixed-size buffer in wincred
  contrib/credential: avoid fixed-size buffer in libsecret
  contrib/credential: .gitignore libsecret build artifacts
  contrib/credential: remove 'gnome-keyring' credential helper
  contrib/credential: avoid fixed-size buffer in osxkeychain
  t/lib-credential.sh: ensure credential helpers handle long headers
  credential.c: store "wwwauth[]" values in `credential_read()`
</content>
</entry>
<entry>
<title>credential.c: store "wwwauth[]" values in `credential_read()`</title>
<updated>2023-05-01T16:27:00Z</updated>
<author>
<name>Taylor Blau</name>
<email>me@ttaylorr.com</email>
</author>
<published>2023-05-01T15:53:48Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=16b305cd2ba1747bcc6d160665eccdbbf7f2ea10'/>
<id>urn:sha1:16b305cd2ba1747bcc6d160665eccdbbf7f2ea10</id>
<content type='text'>
Teach git-credential to read "wwwauth[]" value(s) when parsing the
output of a credential helper.

These extra headers are not needed for Git's own HTTP support to use the
feature internally, but the feature would not be available for a
scripted caller (say, git-remote-mediawiki providing the header in the
same way).

As a bonus, this also makes it easier to use wwwauth[] in synthetic
credential inputs in our test suite.

Co-authored-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Taylor Blau &lt;me@ttaylorr.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>treewide: remove cache.h inclusion due to previous changes</title>
<updated>2023-04-24T19:47:33Z</updated>
<author>
<name>Elijah Newren</name>
<email>newren@gmail.com</email>
</author>
<published>2023-04-22T20:17:23Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=5e3f94dfe3c69bc2a711a9dc3b1635e7ff91ab54'/>
<id>urn:sha1:5e3f94dfe3c69bc2a711a9dc3b1635e7ff91ab54</id>
<content type='text'>
Signed-off-by: Elijah Newren &lt;newren@gmail.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>treewide: be explicit about dependence on strbuf.h</title>
<updated>2023-04-24T19:47:31Z</updated>
<author>
<name>Elijah Newren</name>
<email>newren@gmail.com</email>
</author>
<published>2023-04-22T20:17:08Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=69a63fe663874716d2b5bf49b90c550f8279358e'/>
<id>urn:sha1:69a63fe663874716d2b5bf49b90c550f8279358e</id>
<content type='text'>
Signed-off-by: Elijah Newren &lt;newren@gmail.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>credential: new attribute oauth_refresh_token</title>
<updated>2023-04-21T16:38:30Z</updated>
<author>
<name>M Hickford</name>
<email>mirth.hickford@gmail.com</email>
</author>
<published>2023-04-21T09:47:59Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=a5c76569e798ad3656afe6b67f37cbbb2e47f28c'/>
<id>urn:sha1:a5c76569e798ad3656afe6b67f37cbbb2e47f28c</id>
<content type='text'>
Git authentication with OAuth access token is supported by every popular
Git host including GitHub, GitLab and BitBucket [1][2][3]. Credential
helpers Git Credential Manager (GCM) and git-credential-oauth generate
OAuth credentials [4][5]. Following RFC 6749, the application prints a
link for the user to authorize access in browser. A loopback redirect
communicates the response including access token to the application.

For security, RFC 6749 recommends that OAuth response also includes
expiry date and refresh token [6]. After expiry, applications can use
the refresh token to generate a new access token without user
reauthorization in browser. GitLab and BitBucket set the expiry at two
hours [2][3]. (GitHub doesn't populate expiry or refresh token.)

However the Git credential protocol has no attribute to store the OAuth
refresh token (unrecognised attributes are silently discarded). This
means that the user has to regularly reauthorize the helper in browser.
On a browserless system, this is particularly intrusive, requiring a
second device.

Introduce a new attribute oauth_refresh_token. This is especially
useful when a storage helper and a read-only OAuth helper are configured
together. Recall that `credential fill` calls each helper until it has a
non-expired password.

```
[credential]
	helper = storage  # eg. cache or osxkeychain
	helper = oauth
```

The OAuth helper can use the stored refresh token forwarded by
`credential fill` to generate a fresh access token without opening the
browser. See
https://github.com/hickford/git-credential-oauth/pull/3/files
for an implementation tested with this patch.

Add support for the new attribute to credential-cache. Eventually, I
hope to see support in other popular storage helpers.

Alternatives considered: ask helpers to store all unrecognised
attributes. This seems excessively complex for no obvious gain.
Helpers would also need extra information to distinguish between
confidential and non-confidential attributes.

Workarounds: GCM abuses the helper get/store/erase contract to store the
refresh token during credential *get* as the password for a fictitious
host [7] (I wrote this hack). This workaround is only feasible for a
monolithic helper with its own storage.

[1] https://github.blog/2012-09-21-easier-builds-and-deployments-using-git-over-https-and-oauth/
[2] https://docs.gitlab.com/ee/api/oauth2.html#access-git-over-https-with-access-token
[3] https://support.atlassian.com/bitbucket-cloud/docs/use-oauth-on-bitbucket-cloud/#Cloning-a-repository-with-an-access-token
[4] https://github.com/GitCredentialManager/git-credential-manager
[5] https://github.com/hickford/git-credential-oauth
[6] https://datatracker.ietf.org/doc/html/rfc6749#section-5.1
[7] https://github.com/GitCredentialManager/git-credential-manager/blob/66b94e489ad8cc1982836355493e369770b30211/src/shared/GitLab/GitLabHostProvider.cs#L207

Signed-off-by: M Hickford &lt;mirth.hickford@gmail.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
</feed>
