diff options
| author | Glen Choo <chooglen@google.com> | 2022-11-11 22:35:06 +0000 |
|---|---|---|
| committer | Taylor Blau <me@ttaylorr.com> | 2022-11-14 17:42:46 -0500 |
| commit | b637a41ebe0e65b6d64dd65efaf848b4705dcbed (patch) | |
| tree | 3007cb8026fb16a7a4a4ff619fac90f247898b18 /bundle-uri.c | |
| parent | t: run t5551 tests with both HTTP and HTTP/2 (diff) | |
| download | git-b637a41ebe0e65b6d64dd65efaf848b4705dcbed.tar.gz git-b637a41ebe0e65b6d64dd65efaf848b4705dcbed.zip | |
http: redact curl h2h3 headers in info
With GIT_TRACE_CURL=1 or GIT_CURL_VERBOSE=1, sensitive headers like
"Authorization" and "Cookie" get redacted. However, since [1], curl's
h2h3 module (invoked when using HTTP/2) also prints headers in its
"info", which don't get redacted. For example,
echo 'github.com TRUE / FALSE 1698960413304 o foo=bar' >cookiefile &&
GIT_TRACE_CURL=1 GIT_TRACE_CURL_NO_DATA=1 git \
-c 'http.cookiefile=cookiefile' \
-c 'http.version=' \
ls-remote https://github.com/git/git refs/heads/main 2>output &&
grep 'cookie' output
produces output like:
23:04:16.920495 http.c:678 == Info: h2h3 [cookie: o=foo=bar]
23:04:16.920562 http.c:637 => Send header: cookie: o=<redacted>
Teach http.c to check for h2h3 headers in info and redact them using the
existing header redaction logic. This fixes the broken redaction logic
that we noted in the previous commit, so mark the redaction tests as
passing under HTTP2.
[1] https://github.com/curl/curl/commit/f8c3724aa90472c0e617ddbbc420aa199971eb77
Helped-by: Jeff King <peff@peff.net>
Signed-off-by: Glen Choo <chooglen@google.com>
Signed-off-by: Taylor Blau <me@ttaylorr.com>
Diffstat (limited to 'bundle-uri.c')
0 files changed, 0 insertions, 0 deletions