git.ipfire.org Git - thirdparty/git.git/commit - http.c
http: redact curl h2h3 headers in info
author Glen Choo <chooglen@google.com>
Fri, 11 Nov 2022 22:35:06 +0000 (22:35 +0000)
committer Taylor Blau <me@ttaylorr.com>
Mon, 14 Nov 2022 22:42:46 +0000 (17:42 -0500)
commit b637a41ebe0e65b6d64dd65efaf848b4705dcbed
tree 3007cb8026fb16a7a4a4ff619fac90f247898b18
parent 73c49a447461449ada646b74dfa5dcb0e9f3e879

With GIT_TRACE_CURL=1 or GIT_CURL_VERBOSE=1, sensitive headers like
"Authorization" and "Cookie" get redacted. However, since [1], curl's
h2h3 module (invoked when using HTTP/2) also prints headers in its
"info", which don't get redacted. For example,

  echo 'github.com TRUE / FALSE 1698960413304 o foo=bar' >cookiefile &&
  GIT_TRACE_CURL=1 GIT_TRACE_CURL_NO_DATA=1 git \
    -c 'http.cookiefile=cookiefile' \
    -c 'http.version=' \
    ls-remote https://github.com/git/git refs/heads/main 2>output &&
  grep 'cookie' output

produces output like:

  23:04:16.920495 http.c:678              == Info: h2h3 [cookie: o=foo=bar]
  23:04:16.920562 http.c:637              => Send header: cookie: o=<redacted>

Teach http.c to check for h2h3 headers in info and redact them using the
existing header redaction logic. This fixes the broken redaction logic
that we noted in the previous commit, so mark the redaction tests as
passing under HTTP2.

[1] https://github.com/curl/curl/commit/f8c3724aa90472c0e617ddbbc420aa199971eb77

Helped-by: Jeff King <peff@peff.net>
Signed-off-by: Glen Choo <chooglen@google.com>
Signed-off-by: Taylor Blau <me@ttaylorr.com>
http.c
t/t5551-http-fetch-smart.sh
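
The redaction described in the commit message, written as an added example rather than the code from http.c: `redact_trace_line`, `name_is` and the rule table are hypothetical names, and the function assumes one trace line per call with no trailing newline. It hides everything after the auth scheme or the first cookie name, which is coarser than redacting each cookie value separately.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed rule table: lowercase header name, and the delimiter after
 * which the value is secret (auth scheme and first cookie name stay). */
static const struct { const char *name; char keep_through; } rules[] = {
	{ "authorization", ' ' }, { "cookie", '=' },
};

static int name_is(const char *s, size_t n, const char *name)
{
	size_t i;
	for (i = 0; i < n && name[i]; i++)
		if (tolower((unsigned char)s[i]) != name[i])
			return 0;
	return i == n && !name[i];
}

/* Redact a sensitive header in either "Send header: name: value" or curl's
 * "Info: h2h3 [name: value]". Returns 1 if redacted, 0 if copied, -1 if
 * out is too small. */
int redact_trace_line(const char *line, char *out, size_t outsz)
{
	static const char *const markers[] = { "Info: h2h3 [", "Send header: " };
	const char *hdr = NULL, *colon, *val, *p;
	size_t i, len = strlen(line);
	int n;

	for (i = 0; i < 2 && !hdr; i++)
		if ((p = strstr(line, markers[i])))
			hdr = p + strlen(markers[i]);
	colon = hdr ? strchr(hdr, ':') : NULL;
	for (i = 0; colon && i < sizeof(rules) / sizeof(rules[0]); i++) {
		if (!name_is(hdr, (size_t)(colon - hdr), rules[i].name))
			continue;
		for (val = colon + 1; *val == ' '; val++)
			; /* skip padding after the colon */
		if ((p = strchr(val, rules[i].keep_through)))
			val = p + 1;
		/* Re-emit the closing bracket of the h2h3 form. */
		n = snprintf(out, outsz, "%.*s<redacted>%s", (int)(val - line), line,
			     hdr[-1] == '[' && line[len - 1] == ']' ? "]" : "");
		return n < 0 || (size_t)n >= outsz ? -1 : 1;
	}
	n = snprintf(out, outsz, "%s", line);
	return n < 0 || (size_t)n >= outsz ? -1 : 0;
}
```

A return value of -1 means the output buffer was too small and its contents must not be written to the trace.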