<feed xmlns='http://www.w3.org/2005/Atom'>
<title>git/t/lib-httpd/apache.conf, branch v2.21.4</title>
<subtitle>Mirror of https://git.kernel.org/pub/scm/git/git.git/
</subtitle>
<id>https://git.shady.money/git/atom?h=v2.21.4</id>
<link rel='self' href='https://git.shady.money/git/atom?h=v2.21.4'/>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/'/>
<updated>2019-02-06T20:20:23Z</updated>
<entry>
<title>t5551: test server-side ERR packet</title>
<updated>2019-02-06T20:20:23Z</updated>
<author>
<name>Josh Steadmon</name>
<email>steadmon@google.com</email>
</author>
<published>2019-02-06T19:19:10Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=30dea56536e78ad8a9533d51ad1d8c9c85c3c7bd'/>
<id>urn:sha1:30dea56536e78ad8a9533d51ad1d8c9c85c3c7bd</id>
<content type='text'>
When a smart HTTP server sends an error message via pkt-line, we detect
the error due to using PACKET_READ_DIE_ON_ERR_PACKET. This case was
added by 2d103c31c2 (pack-protocol.txt: accept error packets in any
context, 2018-12-29), but not covered by tests.

Signed-off-by: Josh Steadmon &lt;steadmon@google.com&gt;
Signed-off-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>Merge branch 'jt/fetch-v2-sideband'</title>
<updated>2019-02-05T22:26:11Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2019-02-05T22:26:11Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=5f8b86db94e789bc07258f98cc5ba25d18273d83'/>
<id>urn:sha1:5f8b86db94e789bc07258f98cc5ba25d18273d83</id>
<content type='text'>
"git fetch" and "git upload-pack" learned to send all exchange over
the sideband channel while talking the v2 protocol.

* jt/fetch-v2-sideband:
  tests: define GIT_TEST_SIDEBAND_ALL
  {fetch,upload}-pack: sideband v2 fetch response
  sideband: reverse its dependency on pkt-line
  pkt-line: introduce struct packet_writer
  pack-protocol.txt: accept error packets in any context
  Use packet_reader instead of packet_read_line
</content>
</entry>
<entry>
<title>tests: define GIT_TEST_SIDEBAND_ALL</title>
<updated>2019-01-17T19:25:07Z</updated>
<author>
<name>Jonathan Tan</name>
<email>jonathantanmy@google.com</email>
</author>
<published>2019-01-16T19:28:15Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=07c3c2aa16370fd97551b7d1aa6af3d051e7cf8f'/>
<id>urn:sha1:07c3c2aa16370fd97551b7d1aa6af3d051e7cf8f</id>
<content type='text'>
Define a GIT_TEST_SIDEBAND_ALL environment variable meant to be used
from tests. When set to true, this overrides uploadpack.allowsidebandall
to true, allowing the entire test suite to be run as if this
configuration is in place for all repositories.

As of this patch, all tests pass whether GIT_TEST_SIDEBAND_ALL is unset
or set to 1.

Signed-off-by: Jonathan Tan &lt;jonathantanmy@google.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>test: test GIT_CURL_VERBOSE=1 shows an error</title>
<updated>2019-01-10T23:00:56Z</updated>
<author>
<name>Masaya Suzuki</name>
<email>masayasuzuki@google.com</email>
</author>
<published>2019-01-10T19:33:50Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=e4871cd50c87610469a08b7fa8ef46677d2b8b7b'/>
<id>urn:sha1:e4871cd50c87610469a08b7fa8ef46677d2b8b7b</id>
<content type='text'>
This tests GIT_CURL_VERBOSE shows an error when an URL returns 500. This
exercises the code in remote_curl.

Signed-off-by: Masaya Suzuki &lt;masayasuzuki@google.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>upload-pack: test negotiation with changing repository</title>
<updated>2018-06-28T16:33:29Z</updated>
<author>
<name>Brandon Williams</name>
<email>bmwill@google.com</email>
</author>
<published>2018-06-27T22:30:18Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=3374292e55564fa6107b31a63a5e5432cd8c2265'/>
<id>urn:sha1:3374292e55564fa6107b31a63a5e5432cd8c2265</id>
<content type='text'>
Add tests to check the behavior of fetching from a repository which
changes between rounds of negotiation (for example, when different
servers in a load-balancing agreement participate in the same stateless
RPC negotiation). This forms a baseline of comparison to the ref-in-want
functionality (which will be introduced to the client in subsequent
commits), and ensures that subsequent commits do not change existing
behavior.

As part of this effort, a mechanism to substitute strings in a single
HTTP response is added.

Signed-off-by: Brandon Williams &lt;bmwill@google.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>http: fix v1 protocol tests with apache httpd &lt; 2.4</title>
<updated>2018-01-04T18:45:57Z</updated>
<author>
<name>Todd Zullinger</name>
<email>tmz@pobox.com</email>
</author>
<published>2017-12-31T02:32:34Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=a812952aab1c889528ce941c99e0d8a6db05a754'/>
<id>urn:sha1:a812952aab1c889528ce941c99e0d8a6db05a754</id>
<content type='text'>
The apache config used by tests was updated to use the SetEnvIf
directive to set the Git-Protocol header in 19113a26b6 ("http: tell
server that the client understands v1", 2017-10-16).

Setting the Git-Protocol header is restricted to httpd &gt;= 2.4, but
mod_setenvif and the SetEnvIf directive work with lower versions, at
least as far back as 2.0, according to the httpd documentation:

    https://httpd.apache.org/docs/2.0/mod/mod_setenvif.html

Drop the restriction.  Tested with httpd 2.2 and 2.4.

Signed-off-by: Todd Zullinger &lt;tmz@pobox.com&gt;
Acked-by: Brandon Williams &lt;bmwill@google.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>http: tell server that the client understands v1</title>
<updated>2017-10-17T01:51:29Z</updated>
<author>
<name>Brandon Williams</name>
<email>bmwill@google.com</email>
</author>
<published>2017-10-16T17:55:29Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=19113a26b667527dc983920bf526b5c938d475bb'/>
<id>urn:sha1:19113a26b667527dc983920bf526b5c938d475bb</id>
<content type='text'>
Tell a server that protocol v1 can be used by sending the http header
'Git-Protocol' with 'version=1' indicating this.

Also teach the apache http server to pass through the 'Git-Protocol'
header as an environment variable 'GIT_PROTOCOL'.

Signed-off-by: Brandon Williams &lt;bmwill@google.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>http: attempt updating base URL only if no error</title>
<updated>2017-02-28T19:35:53Z</updated>
<author>
<name>Jonathan Tan</name>
<email>jonathantanmy@google.com</email>
</author>
<published>2017-02-28T02:53:11Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=8e27391a5fdc9194c4ed3ed6c64ec4750a1a08b5'/>
<id>urn:sha1:8e27391a5fdc9194c4ed3ed6c64ec4750a1a08b5</id>
<content type='text'>
http.c supports HTTP redirects of the form

  http://foo/info/refs?service=git-upload-pack
  -&gt; http://anything
  -&gt; http://bar/info/refs?service=git-upload-pack

(that is to say, as long as the Git part of the path and the query
string is preserved in the final redirect destination, the intermediate
steps can have any URL). However, if one of the intermediate steps
results in an HTTP exception, a confusing "unable to update url base
from redirection" message is printed instead of a Curl error message
with the HTTP exception code.

This was introduced by 2 commits. Commit c93c92f ("http: update base
URLs when we see redirects", 2013-09-28) introduced a best-effort
optimization that required checking if only the "base" part of the URL
differed between the initial request and the final redirect destination,
but it performed the check before any HTTP status checking was done. If
something went wrong, the normal code path was still followed, so this
did not cause any confusing error messages until commit 6628eb4 ("http:
always update the base URL for redirects", 2016-12-06), which taught
http to die if the non-"base" part of the URL differed.

Therefore, teach http to check the HTTP status before attempting to
check if only the "base" part of the URL differed. This commit teaches
http_request_reauth to return early without updating options-&gt;base_url
upon an error; the only invoker of this function that passes a non-NULL
"options" is remote-curl.c (through "http_get_strbuf"), which only uses
options-&gt;base_url for an informational message in the situations that
this commit cares about (that is, when the return value is not HTTP_OK).

The included test checks that the redirect scheme at the beginning of
this commit message works, and that returning a 502 in the middle of the
redirect scheme produces the correct result. Note that this is different
from the test in commit 6628eb4 ("http: always update the base URL for
redirects", 2016-12-06) in that this commit tests that a Git-shaped URL
(http://.../info/refs?service=git-upload-pack) works, whereas commit
6628eb4 tests that a non-Git-shaped URL
(http://.../info/refs/foo?service=git-upload-pack) does not work (even
though Git is processing that URL) and is an error that is fatal, not
silently swallowed.

Signed-off-by: Jonathan Tan &lt;jonathantanmy@google.com&gt;
Acked-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>Merge branch 'jk/http-walker-limit-redirect-2.9'</title>
<updated>2016-12-19T22:45:32Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2016-12-19T22:45:31Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=8a2882f23ecce3a8742743555a408e508d4db806'/>
<id>urn:sha1:8a2882f23ecce3a8742743555a408e508d4db806</id>
<content type='text'>
Transport with dumb http can be fooled into following foreign URLs
that the end user does not intend to, especially with the server
side redirects and http-alternates mechanism, which can lead to
security issues.  Tighten the redirection and make it more obvious
to the end user when it happens.

* jk/http-walker-limit-redirect-2.9:
  http: treat http-alternates like redirects
  http: make redirects more obvious
  remote-curl: rename shadowed options variable
  http: always update the base URL for redirects
  http: simplify update_url_from_redirect
</content>
</entry>
<entry>
<title>http: make redirects more obvious</title>
<updated>2016-12-06T20:32:48Z</updated>
<author>
<name>Jeff King</name>
<email>peff@peff.net</email>
</author>
<published>2016-12-06T18:24:41Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=50d3413740d1da599cdc0106e6e916741394cc98'/>
<id>urn:sha1:50d3413740d1da599cdc0106e6e916741394cc98</id>
<content type='text'>
We instruct curl to always follow HTTP redirects. This is
convenient, but it creates opportunities for malicious
servers to create confusing situations. For instance,
imagine Alice is a git user with access to a private
repository on Bob's server. Mallory runs her own server and
wants to access objects from Bob's repository.

Mallory may try a few tricks that involve asking Alice to
clone from her, build on top, and then push the result:

  1. Mallory may simply redirect all fetch requests to Bob's
     server. Git will transparently follow those redirects
     and fetch Bob's history, which Alice may believe she
     got from Mallory. The subsequent push seems like it is
     just feeding Mallory back her own objects, but is
     actually leaking Bob's objects. There is nothing in
     git's output to indicate that Bob's repository was
     involved at all.

     The downside (for Mallory) of this attack is that Alice
     will have received Bob's entire repository, and is
     likely to notice that when building on top of it.

  2. If Mallory happens to know the sha1 of some object X in
     Bob's repository, she can instead build her own history
     that references that object. She then runs a dumb http
     server, and Alice's client will fetch each object
     individually. When it asks for X, Mallory redirects her
     to Bob's server. The end result is that Alice obtains
     objects from Bob, but they may be buried deep in
     history. Alice is less likely to notice.

Both of these attacks are fairly hard to pull off. There's a
social component in getting Mallory to convince Alice to
work with her. Alice may be prompted for credentials in
accessing Bob's repository (but not always, if she is using
a credential helper that caches). Attack (1) requires a
certain amount of obliviousness on Alice's part while making
a new commit. Attack (2) requires that Mallory knows a sha1
in Bob's repository, that Bob's server supports dumb http,
and that the object in question is loose on Bob's server.

But we can probably make things a bit more obvious without
any loss of functionality. This patch does two things to
that end.

First, when we encounter a whole-repo redirect during the
initial ref discovery, we now inform the user on stderr,
making attack (1) much more obvious.

Second, the decision to follow redirects is now
configurable. The truly paranoid can set the new
http.followRedirects to false to avoid any redirection
entirely. But for a more practical default, we will disallow
redirects only after the initial ref discovery. This is
enough to thwart attacks similar to (2), while still
allowing the common use of redirects at the repository
level. Since c93c92f30 (http: update base URLs when we see
redirects, 2013-09-28) we re-root all further requests from
the redirect destination, which should generally mean that
no further redirection is necessary.

As an escape hatch, in case there really is a server that
needs to redirect individual requests, the user can set
http.followRedirects to "true" (and this can be done on a
per-server basis via http.*.followRedirects config).

Reported-by: Jann Horn &lt;jannh@google.com&gt;
Signed-off-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
</feed>
