git.ipfire.org Git - thirdparty/git.git/commit

author	Koji Nakamaru <koji.nakamaru@gree.net>
	Fri, 14 Nov 2025 06:04:30 +0000 (06:04 +0000)
committer	Junio C Hamano <gitster@pobox.com>
	Fri, 14 Nov 2025 16:47:54 +0000 (08:47 -0800)
commit	4580bcd2354aab9369164d936f7ccaa21fc98c98
tree	ad2f4efb41eb47597029ccf0a57e8dca1cce07dc	tree \| snapshot
parent	fd372d9b1a69a01a676398882bbe3840bf51fe72	commit \| diff

osxkeychain: avoid incorrectly skipping store operation

git-credential-osxkeychain skips storing a credential if its "get"
action sets "state[]=osxkeychain:seen=1". This behavior was introduced
in e1ab45b2 (osxkeychain: state to skip unnecessary store operations,
2024-05-15), which appeared in v2.46.

However, this state[] persists even if a credential returned by
"git-credential-osxkeychain get" is invalid and a subsequent helper's
"get" operation returns a valid credential. Another subsequent helper
(such as [1]) may expect git-credential-osxkeychain to store the valid
credential, but the "store" operation is incorrectly skipped because it
only checks "state[]=osxkeychain:seen=1".

To solve this issue, "state[]=osxkeychain:seen" needs to contain enough
information to identify whether the current "store" input matches the
output from the previous "get" operation (and not a credential from
another helper).

Set "state[]=osxkeychain:seen" to a value encoding the credential output
by "get", and compare it with a value encoding the credential input by
"store".

[1]: https://github.com/hickford/git-credential-oauth

Reported-by: Petter Sælen <petter@saelen.eu>
Helped-by: Junio C Hamano <gitster@pobox.com>
Helped-by: brian m. carlson <sandals@crustytoothpaste.net>
Signed-off-by: Koji Nakamaru <koji.nakamaru@gree.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

contrib/credential/osxkeychain/Makefile		diff \| blob \| blame \| history
contrib/credential/osxkeychain/git-credential-osxkeychain.c		diff \| blob \| blame \| history
contrib/credential/osxkeychain/meson.build		diff \| blob \| blame \| history