`GIT_TRACE_REDACT`::
By default, when tracing is activated, Git redacts the values of
- cookies, the "Authorization:" header, and the "Proxy-Authorization:"
- header. Set this variable to `0` to prevent this redaction.
+ cookies, the "Authorization:" header, the "Proxy-Authorization:"
+ header and packfile URIs. Set this variable to `0` to prevent this
+ redaction.
`GIT_LITERAL_PATHSPECS`::
Setting this variable to `1` will cause Git to treat all
receive_wanted_refs(&reader, sought, nr_sought);
/* get the pack(s) */
+ if (git_env_bool("GIT_TRACE_REDACT", 1))
+ reader.options |= PACKET_READ_REDACT_URI_PATH;
if (process_section_header(&reader, "packfile-uris", 1))
receive_packfile_uris(&reader, &packfile_uris);
+ /* We don't expect more URIs. Reset to avoid expensive URI check. */
+ reader.options &= ~PACKET_READ_REDACT_URI_PATH;
+
process_section_header(&reader, "packfile", 0);
/*
return (val < 0) ? val : (val << 8) | hex2chr(lenbuf_hex + 2);
}
+static char *find_packfile_uri_path(const char *buffer)
+{
+ const char *URI_MARK = "://";
+ char *path;
+ int len;
+
+ /* First char is sideband mark */
+ buffer += 1;
+
+ len = strspn(buffer, "0123456789abcdefABCDEF");
+ /* size of SHA1 and SHA256 hash */
+ if (!(len == 40 || len == 64) || buffer[len] != ' ')
+ return NULL; /* required "<hash>SP" not seen */
+
+ path = strstr(buffer + len + 1, URI_MARK);
+ if (!path)
+ return NULL;
+
+ path = strchr(path + strlen(URI_MARK), '/');
+ if (!path || !*(path + 1))
+ return NULL;
+
+ /* position after '/' */
+ return ++path;
+}
+
enum packet_read_status packet_read_with_status(int fd, char **src_buffer,
size_t *src_len, char *buffer,
unsigned size, int *pktlen,
{
int len;
char linelen[4];
+ char *uri_path_start;
if (get_packet_data(fd, src_buffer, src_len, linelen, 4, options) < 0) {
*pktlen = -1;
len--;
buffer[len] = 0;
- packet_trace(buffer, len, 0);
+ if (options & PACKET_READ_REDACT_URI_PATH &&
+ (uri_path_start = find_packfile_uri_path(buffer))) {
+ const char *redacted = "<redacted>";
+ struct strbuf tracebuf = STRBUF_INIT;
+ strbuf_insert(&tracebuf, 0, buffer, len);
+ strbuf_splice(&tracebuf, uri_path_start - buffer,
+ strlen(uri_path_start), redacted, strlen(redacted));
+ packet_trace(tracebuf.buf, tracebuf.len, 0);
+ strbuf_release(&tracebuf);
+ } else {
+ packet_trace(buffer, len, 0);
+ }
if ((options & PACKET_READ_DIE_ON_ERR_PACKET) &&
starts_with(buffer, "ERR "))
#define PACKET_READ_CHOMP_NEWLINE (1u<<1)
#define PACKET_READ_DIE_ON_ERR_PACKET (1u<<2)
#define PACKET_READ_GENTLE_ON_READ_ERROR (1u<<3)
+#define PACKET_READ_REDACT_URI_PATH (1u<<4)
int packet_read(int fd, char *buffer, unsigned size, int options);
/*
test_i18ngrep "disallowed submodule name" err
'
+test_expect_success 'packfile-uri path redacted in trace' '
+ P="$HTTPD_DOCUMENT_ROOT_PATH/http_parent" &&
+ rm -rf "$P" http_child log &&
+
+ git init "$P" &&
+ git -C "$P" config "uploadpack.allowsidebandall" "true" &&
+
+ echo my-blob >"$P/my-blob" &&
+ git -C "$P" add my-blob &&
+ git -C "$P" commit -m x &&
+
+ git -C "$P" hash-object my-blob >objh &&
+ git -C "$P" pack-objects "$HTTPD_DOCUMENT_ROOT_PATH/mypack" <objh >packh &&
+ git -C "$P" config --add \
+ "uploadpack.blobpackfileuri" \
+ "$(cat objh) $(cat packh) $HTTPD_URL/dumb/mypack-$(cat packh).pack" &&
+
+ GIT_TRACE_PACKET="$(pwd)/log" \
+ git -c protocol.version=2 \
+ -c fetch.uriprotocols=http,https \
+ clone "$HTTPD_URL/smart/http_parent" http_child &&
+
+ grep -F "clone< \\1$(cat packh) $HTTPD_URL/<redacted>" log
+'
+
+test_expect_success 'packfile-uri path not redacted in trace when GIT_TRACE_REDACT=0' '
+ P="$HTTPD_DOCUMENT_ROOT_PATH/http_parent" &&
+ rm -rf "$P" http_child log &&
+
+ git init "$P" &&
+ git -C "$P" config "uploadpack.allowsidebandall" "true" &&
+
+ echo my-blob >"$P/my-blob" &&
+ git -C "$P" add my-blob &&
+ git -C "$P" commit -m x &&
+
+ git -C "$P" hash-object my-blob >objh &&
+ git -C "$P" pack-objects "$HTTPD_DOCUMENT_ROOT_PATH/mypack" <objh >packh &&
+ git -C "$P" config --add \
+ "uploadpack.blobpackfileuri" \
+ "$(cat objh) $(cat packh) $HTTPD_URL/dumb/mypack-$(cat packh).pack" &&
+
+ GIT_TRACE_PACKET="$(pwd)/log" \
+ GIT_TRACE_REDACT=0 \
+ git -c protocol.version=2 \
+ -c fetch.uriprotocols=http,https \
+ clone "$HTTPD_URL/smart/http_parent" http_child &&
+
+ grep -F "clone< \\1$(cat packh) $HTTPD_URL/dumb/mypack-$(cat packh).pack" log
+'
+
test_expect_success 'http:// --negotiate-only' '
SERVER="$HTTPD_DOCUMENT_ROOT_PATH/server" &&
URI="$HTTPD_URL/smart/server" &&