<feed xmlns='http://www.w3.org/2005/Atom'>
<title>git/http.c, branch v2.35.7</title>
<subtitle>Mirror of https://git.kernel.org/pub/scm/git/git.git/
</subtitle>
<id>https://git.shady.money/git/atom?h=v2.35.7</id>
<link rel='self' href='https://git.shady.money/git/atom?h=v2.35.7'/>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/'/>
<updated>2023-02-06T08:29:44Z</updated>
<entry>
<title>Sync with 2.34.7</title>
<updated>2023-02-06T08:29:44Z</updated>
<author>
<name>Johannes Schindelin</name>
<email>johannes.schindelin@gmx.de</email>
</author>
<published>2023-02-06T08:29:44Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=6a53a59bf9986f99c1a8dd0f36e2b9d6033e89f2'/>
<id>urn:sha1:6a53a59bf9986f99c1a8dd0f36e2b9d6033e89f2</id>
<content type='text'>
* maint-2.34:
  Git 2.34.7
  http: support CURLOPT_PROTOCOLS_STR
  http: prefer CURLOPT_SEEKFUNCTION to CURLOPT_IOCTLFUNCTION
  http-push: prefer CURLOPT_UPLOAD to CURLOPT_PUT
  Git 2.33.7
  Git 2.32.6
  Git 2.31.7
  Git 2.30.8
  apply: fix writing behind newly created symbolic links
  dir-iterator: prevent top-level symlinks without FOLLOW_SYMLINKS
  clone: delay picking a transport until after get_repo_path()
  t5619: demonstrate clone_local() with ambiguous transport
</content>
</entry>
<entry>
<title>http: support CURLOPT_PROTOCOLS_STR</title>
<updated>2023-02-06T08:27:09Z</updated>
<author>
<name>Jeff King</name>
<email>peff@peff.net</email>
</author>
<published>2023-01-17T03:04:48Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=f44e6a21057b0d8aae7c36f10537353330813f62'/>
<id>urn:sha1:f44e6a21057b0d8aae7c36f10537353330813f62</id>
<content type='text'>
The CURLOPT_PROTOCOLS (and matching CURLOPT_REDIR_PROTOCOLS) flag was
deprecated in curl 7.85.0, and using it generate compiler warnings as of
curl 7.87.0. The path forward is to use CURLOPT_PROTOCOLS_STR, but we
can't just do so unilaterally, as it was only introduced less than a
year ago in 7.85.0.

Until that version becomes ubiquitous, we have to either disable the
deprecation warning or conditionally use the "STR" variant on newer
versions of libcurl. This patch switches to the new variant, which is
nice for two reasons:

  - we don't have to worry that silencing curl's deprecation warnings
    might cause us to miss other more useful ones

  - we'd eventually want to move to the new variant anyway, so this gets
    us set up (albeit with some extra ugly boilerplate for the
    conditional)

There are a lot of ways to split up the two cases. One way would be to
abstract the storage type (strbuf versus a long), how to append
(strbuf_addstr vs bitwise OR), how to initialize, which CURLOPT to use,
and so on. But the resulting code looks pretty magical:

  GIT_CURL_PROTOCOL_TYPE allowed = GIT_CURL_PROTOCOL_TYPE_INIT;
  if (...http is allowed...)
	GIT_CURL_PROTOCOL_APPEND(&amp;allowed, "http", CURLOPT_HTTP);

and you end up with more "#define GIT_CURL_PROTOCOL_TYPE" macros than
actual code.

On the other end of the spectrum, we could just implement two separate
functions, one that handles a string list and one that handles bits. But
then we end up repeating our list of protocols (http, https, ftp, ftp).

This patch takes the middle ground. The run-time code is always there to
handle both types, and we just choose which one to feed to curl.

Signed-off-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
</content>
</entry>
<entry>
<title>http: prefer CURLOPT_SEEKFUNCTION to CURLOPT_IOCTLFUNCTION</title>
<updated>2023-02-06T08:27:09Z</updated>
<author>
<name>Jeff King</name>
<email>peff@peff.net</email>
</author>
<published>2023-01-17T03:04:44Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=4bd481e0ad9c6e78e320288886ffdad8f76dcfc1'/>
<id>urn:sha1:4bd481e0ad9c6e78e320288886ffdad8f76dcfc1</id>
<content type='text'>
The IOCTLFUNCTION option has been deprecated, and generates a compiler
warning in recent versions of curl. We can switch to using SEEKFUNCTION
instead. It was added in 2008 via curl 7.18.0; our INSTALL file already
indicates we require at least curl 7.19.4.

But there's one catch: curl says we should use CURL_SEEKFUNC_{OK,FAIL},
and those didn't arrive until 7.19.5. One workaround would be to use a
bare 0/1 here (or define our own macros).  But let's just bump the
minimum required version to 7.19.5. That version is only a minor version
bump from our existing requirement, and is only a 2 month time bump for
versions that are almost 13 years old. So it's not likely that anybody
cares about the distinction.

Switching means we have to rewrite the ioctl functions into seek
functions. In some ways they are simpler (seeking is the only
operation), but in some ways more complex (the ioctl allowed only a full
rewind, but now we can seek to arbitrary offsets).

Curl will only ever use SEEK_SET (per their documentation), so I didn't
bother implementing anything else, since it would naturally be
completely untested. This seems unlikely to change, but I added an
assertion just in case.

Likewise, I doubt curl will ever try to seek outside of the buffer sizes
we've told it, but I erred on the defensive side here, rather than do an
out-of-bounds read.

Signed-off-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
</content>
</entry>
<entry>
<title>run-command API users: use strvec_pushv(), not argv assignment</title>
<updated>2021-11-26T06:15:07Z</updated>
<author>
<name>Ævar Arnfjörð Bjarmason</name>
<email>avarab@gmail.com</email>
</author>
<published>2021-11-25T22:52:18Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=6def0ff8785eb12ccc24ceebea04355e13ae24b6'/>
<id>urn:sha1:6def0ff8785eb12ccc24ceebea04355e13ae24b6</id>
<content type='text'>
Migrate those run-command API users that assign directly to the "argv"
member to use a strvec_pushv() of "args" instead.

In these cases it did not make sense to further refactor these
callers, e.g. daemon.c could be made to construct the arguments closer
to handle(), but that would require moving the construction from its
cmd_main() and pass "argv" through two intermediate functions.

It would be possible for a change like this to introduce a regression
if we were doing:

      cp.argv = argv;
      argv[1] = "foo";

And changed the code, as is being done here, to:

      strvec_pushv(&amp;cp.args, argv);
      argv[1] = "foo";

But as viewing this change with the "-W" flag reveals none of these
functions modify variable that's being pushed afterwards in a way that
would introduce such a logic error.

Signed-off-by: Ævar Arnfjörð Bjarmason &lt;avarab@gmail.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>Merge branch 'ab/designated-initializers-more'</title>
<updated>2021-10-18T22:47:57Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2021-10-18T22:47:57Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=a4b9fb6a5cf1f7cf015b3d114b364730f6b74ead'/>
<id>urn:sha1:a4b9fb6a5cf1f7cf015b3d114b364730f6b74ead</id>
<content type='text'>
Code clean-up.

* ab/designated-initializers-more:
  builtin/remote.c: add and use SHOW_INFO_INIT
  builtin/remote.c: add and use a REF_STATES_INIT
  urlmatch.[ch]: add and use URLMATCH_CONFIG_INIT
  builtin/blame.c: refactor commit_info_init() to COMMIT_INFO_INIT macro
  daemon.c: refactor hostinfo_init() to HOSTINFO_INIT macro
</content>
</entry>
<entry>
<title>Merge branch 'ab/http-pinned-public-key-mismatch'</title>
<updated>2021-10-11T17:21:47Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2021-10-11T17:21:47Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=97492aacffee48dd217164f6af4b9d1db1aa6646'/>
<id>urn:sha1:97492aacffee48dd217164f6af4b9d1db1aa6646</id>
<content type='text'>
HTTPS error handling updates.

* ab/http-pinned-public-key-mismatch:
  http: check CURLE_SSL_PINNEDPUBKEYNOTMATCH when emitting errors
</content>
</entry>
<entry>
<title>Merge branch 'jk/http-redact-fix'</title>
<updated>2021-10-04T04:49:19Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2021-10-04T04:49:19Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=58e2bc452b0539977eff6431d63867030429e2f4'/>
<id>urn:sha1:58e2bc452b0539977eff6431d63867030429e2f4</id>
<content type='text'>
Sensitive data in the HTTP trace were supposed to be redacted, but
we failed to do so in HTTP/2 requests.

* jk/http-redact-fix:
  http: match headers case-insensitively when redacting
</content>
</entry>
<entry>
<title>urlmatch.[ch]: add and use URLMATCH_CONFIG_INIT</title>
<updated>2021-10-01T21:22:51Z</updated>
<author>
<name>Ævar Arnfjörð Bjarmason</name>
<email>avarab@gmail.com</email>
</author>
<published>2021-10-01T10:27:33Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=73ee449bbf2918e29d26361e57f35a24f224e3be'/>
<id>urn:sha1:73ee449bbf2918e29d26361e57f35a24f224e3be</id>
<content type='text'>
Change the initialization pattern of "struct urlmatch_config" to use
an *_INIT macro and designated initializers. Right now there's no
other "struct" member of "struct urlmatch_config" which would require
its own *_INIT, but it's good practice not to assume that. Let's also
change this to a designated initializer while we're at it.

Signed-off-by: Ævar Arnfjörð Bjarmason &lt;avarab@gmail.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>http: check CURLE_SSL_PINNEDPUBKEYNOTMATCH when emitting errors</title>
<updated>2021-09-27T17:58:07Z</updated>
<author>
<name>Ævar Arnfjörð Bjarmason</name>
<email>avarab@gmail.com</email>
</author>
<published>2021-09-24T10:08:20Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=3e8084f1884ffea25b80f76b7a1bd0e5b3200c8a'/>
<id>urn:sha1:3e8084f1884ffea25b80f76b7a1bd0e5b3200c8a</id>
<content type='text'>
Change the error shown when a http.pinnedPubKey doesn't match to point
the http.pinnedPubKey variable added in aeff8a61216 (http: implement
public key pinning, 2016-02-15), e.g.:

    git -c http.pinnedPubKey=sha256/someNonMatchingKey ls-remote https://github.com/git/git.git
    fatal: unable to access 'https://github.com/git/git.git/' with http.pinnedPubkey configuration: SSL: public key does not match pinned public key!

Before this we'd emit the exact same thing without the " with
http.pinnedPubkey configuration". The advantage of doing this is that
we're going to get a translated message (everything after the ":" is
hardcoded in English in libcurl), and we've got a reference to the
git-specific configuration variable that's causing the error.

Unfortunately we can't test this easily, as there are no tests that
require https:// in the test suite, and t/lib-httpd.sh doesn't know
how to set up such tests. See [1] for the start of a discussion about
what it would take to have divergent "t/lib-httpd/apache.conf" test
setups. #leftoverbits

1. https://lore.kernel.org/git/YUonS1uoZlZEt+Yd@coredump.intra.peff.net/

Signed-off-by: Ævar Arnfjörð Bjarmason &lt;avarab@gmail.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>http: match headers case-insensitively when redacting</title>
<updated>2021-09-23T04:24:58Z</updated>
<author>
<name>Jeff King</name>
<email>peff@peff.net</email>
</author>
<published>2021-09-22T22:11:53Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=b66c77a64e696eb5e5994a58c0d50073f8e93bf1'/>
<id>urn:sha1:b66c77a64e696eb5e5994a58c0d50073f8e93bf1</id>
<content type='text'>
When HTTP/2 is in use, we fail to correctly redact "Authorization" (and
other) headers in our GIT_TRACE_CURL output.

We get the headers in our CURLOPT_DEBUGFUNCTION callback, curl_trace().
It passes them along to curl_dump_header(), which in turn checks
redact_sensitive_header(). We see the headers as a text buffer like:

  Host: ...
  Authorization: Basic ...

After breaking it into lines, we match each header using skip_prefix().
This is case-sensitive, even though HTTP headers are case-insensitive.
This has worked reliably in the past because these headers are generated
by curl itself, which is predictable in what it sends.

But when HTTP/2 is in use, instead we get a lower-case "authorization:"
header, and we fail to match it. The fix is simple: we should match with
skip_iprefix().

Testing is more complicated, though. We do have a test for the redacting
feature, but we don't hit the problem case because our test Apache setup
does not understand HTTP/2. You can reproduce the issue by applying this
on top of the test change in this patch:

	diff --git a/t/lib-httpd/apache.conf b/t/lib-httpd/apache.conf
	index afa91e38b0..19267c7107 100644
	--- a/t/lib-httpd/apache.conf
	+++ b/t/lib-httpd/apache.conf
	@@ -29,6 +29,9 @@ ErrorLog error.log
	 	LoadModule setenvif_module modules/mod_setenvif.so
	 &lt;/IfModule&gt;

	+LoadModule http2_module modules/mod_http2.so
	+Protocols h2c
	+
	 &lt;IfVersion &lt; 2.4&gt;
	 LockFile accept.lock
	 &lt;/IfVersion&gt;
	@@ -64,8 +67,8 @@ LockFile accept.lock
	 &lt;IfModule !mod_access_compat.c&gt;
	 	LoadModule access_compat_module modules/mod_access_compat.so
	 &lt;/IfModule&gt;
	-&lt;IfModule !mod_mpm_prefork.c&gt;
	-	LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
	+&lt;IfModule !mod_mpm_event.c&gt;
	+	LoadModule mpm_event_module modules/mod_mpm_event.so
	 &lt;/IfModule&gt;
	 &lt;IfModule !mod_unixd.c&gt;
	 	LoadModule unixd_module modules/mod_unixd.so
	diff --git a/t/t5551-http-fetch-smart.sh b/t/t5551-http-fetch-smart.sh
	index 1c2a444ae7..ff74f0ae8a 100755
	--- a/t/t5551-http-fetch-smart.sh
	+++ b/t/t5551-http-fetch-smart.sh
	@@ -24,6 +24,10 @@ test_expect_success 'create http-accessible bare repository' '
	 	git push public main:main
	 '

	+test_expect_success 'prefer http/2' '
	+	git config --global http.version HTTP/2
	+'
	+
	 setup_askpass_helper

	 test_expect_success 'clone http repository' '

but this has a few issues:

  - it's not necessarily portable. The http2 apache module might not be
    available on all systems. Further, the http2 module isn't compatible
    with the prefork mpm, so we have to switch to something else. But we
    don't necessarily know what's available. It would be nice if we
    could have conditional config, but IfModule only tells us if a
    module is already loaded, not whether it is available at all.

    This might be a non-issue. The http tests are already optional, and
    modern-enough systems may just have both of these. But...

  - if we do this, then we'd no longer be testing HTTP/1.1 at all. I'm
    not sure how much that matters since it's all handled by curl under
    the hood, but I'd worry that some detail leaks through. We'd
    probably want two scripts running similar tests, one with HTTP/2 and
    one with HTTP/1.1.

  - speaking of which, a later test fails with the patch above! The
    problem is that it is making sure we used a chunked
    transfer-encoding by looking for that header in the trace. But
    HTTP/2 doesn't support that, as it has its own streaming mechanisms
    (the overall operation works fine; we just don't see the header in
    the trace).

Furthermore, even with the changes above, this test still does not
detect the current failure, because we see _both_ HTTP/1.1 and HTTP/2
requests, which confuse it. Quoting only the interesting bits from the
resulting trace file, we first see:

  =&gt; Send header: GET /auth/smart/repo.git/info/refs?service=git-upload-pack HTTP/1.1
  =&gt; Send header: Connection: Upgrade, HTTP2-Settings
  =&gt; Send header: Upgrade: h2c
  =&gt; Send header: HTTP2-Settings: AAMAAABkAAQCAAAAAAIAAAAA

  &lt;= Recv header: HTTP/1.1 401 Unauthorized
  &lt;= Recv header: Date: Wed, 22 Sep 2021 20:03:32 GMT
  &lt;= Recv header: Server: Apache/2.4.49 (Debian)
  &lt;= Recv header: WWW-Authenticate: Basic realm="git-auth"

So the client asks for HTTP/2, but Apache does not do the upgrade for
the 401 response. Then the client repeats with credentials:

  =&gt; Send header: GET /auth/smart/repo.git/info/refs?service=git-upload-pack HTTP/1.1
  =&gt; Send header: Authorization: Basic &lt;redacted&gt;
  =&gt; Send header: Connection: Upgrade, HTTP2-Settings
  =&gt; Send header: Upgrade: h2c
  =&gt; Send header: HTTP2-Settings: AAMAAABkAAQCAAAAAAIAAAAA

  &lt;= Recv header: HTTP/1.1 101 Switching Protocols
  &lt;= Recv header: Upgrade: h2c
  &lt;= Recv header: Connection: Upgrade
  &lt;= Recv header: HTTP/2 200
  &lt;= Recv header: content-type: application/x-git-upload-pack-advertisement

So the client does properly redact there, because we're speaking
HTTP/1.1, and the server indicates it can do the upgrade. And then the
client will make further requests using HTTP/2:

  =&gt; Send header: POST /auth/smart/repo.git/git-upload-pack HTTP/2
  =&gt; Send header: authorization: Basic dXNlckBob3N0OnBhc3NAaG9zdA==
  =&gt; Send header: content-type: application/x-git-upload-pack-request

And there we can see that the credential is _not_ redacted. This part of
the test is what gets confused:

	# Ensure that there is no "Basic" followed by a base64 string, but that
	# the auth details are redacted
	! grep "Authorization: Basic [0-9a-zA-Z+/]" trace &amp;&amp;
	grep "Authorization: Basic &lt;redacted&gt;" trace

The first grep does not match the un-redacted HTTP/2 header, because
it insists on an uppercase "A". And the second one does find the
HTTP/1.1 header. So as far as the test is concerned, everything is OK,
but it failed to notice the un-redacted lines.

We can make this test (and the other related ones) more robust by adding
"-i" to grep case-insensitively. This isn't really doing anything for
now, since we're not actually speaking HTTP/2, but it future-proofs the
tests for a day when we do (either we add explicit HTTP/2 test support,
or it's eventually enabled by default by our Apache+curl test setup).
And it doesn't hurt in the meantime for the tests to be more careful.

The change to use "grep -i", coupled with the changes to use HTTP/2
shown above, causes the test to fail with the current code, and pass
after this patch is applied.

And finally, there's one other way to demonstrate the issue (and how I
actually found it originally). Looking at GIT_TRACE_CURL output against
github.com, you'll see the unredacted output, even if you didn't set
http.version. That's because setting it is only necessary for curl to
send the extra headers in its HTTP/1.1 request that say "Hey, I speak
HTTP/2; upgrade if you do, too". But for a production site speaking
https, the server advertises via ALPN, a TLS extension, that it supports
HTTP/2, and the client can immediately start using it.

Signed-off-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
</feed>
