Prepare git credential to read input with DOS line endings
#710
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Member
Author
|
/submit |
|
Submitted as [email protected] |
This comment has been minimized.
This comment has been minimized.
|
On the Git mailing list, Junio C Hamano wrote (reply to this): |
|
On the Git mailing list, Jeff King wrote (reply to this): |
Member
Author
|
@dscho Credential sources really contain several another places which use only LF line reading. I could add changes and some documentation. Should I add these commits as pull request to your branch? |
This comment has been minimized.
This comment has been minimized.
dscho
force-pushed
the
crlf-aware-git-credential
branch
3 times, most recently
from
1d96a95 to
61baea1
Compare
Member
Author
|
/submit |
|
Submitted as [email protected] To fetch this version into To fetch this version to local tag |
|
On the Git mailing list, Junio C Hamano wrote (reply to this): |
![gitgitgadget-git[bot]](https://avatars.githubusercontent.com/in/46807?s=60&v=4){kind=small}
| static int read_request(FILE *fh, struct credential *c, | ||
| struct strbuf *action, int *timeout) | ||
| { | ||
| static struct strbuf item = STRBUF_INIT; |
There was a problem hiding this comment.
On the Git mailing list, Junio C Hamano wrote (reply to this):
"Nikita Leonov via GitGitGadget" <[email protected]> writes:
> From: Nikita Leonov <[email protected]>
>
> This commit makes reading process regarding credentials compatible with
> 'CR/LF' line ending. It makes using git more convenient on systems like
> Windows.
I can see why this is a good thing for "store" and the two updated
pieces of the test script demonstrate it very well.
But it is unclear why and how cache-daemon benefits from this change.
That needs to be justified.
As to the log message (this is 70% style, but there are
consequences), we tend not to say "This commit does X"---because
such a statement is often insufficient to illustrate if the commit
indeed does X, and explain why it is a good thing to do X in the
first place.
Instead, we first explain that the current system does not do X (in
present tense, so we do NOT say "previously we did not do X"), then
explain why doing X would be a good thing, and finally give an order
to the codebase to start doing X. For this change, it might look
like this:
The credential subsystem has assumed that lines always end with
LF. On a system whose text file ends with CRLF (e.g. Windows),
this assumption causes the CR at the end of the line as an extra
byte appended to the data, and worse, there is no way to send an
"empty line" to signal an end of a group of lines, because such
a line would be taken as a line with a lone CR on it.
Because credential-store writes to and reads from a text file on
disk, which users may manually edit with their editor and turn
the line-ending to CRLF.
Accept lines that end with CR/LF, as well as those that end with
LF.
Note that the credential-cache--daemon is not touched, because
it is only about interacting with in-core cache, and there is
nowhere CRLF comes into the picture.
Note: I didn't know why we need to touch the daemon, and that is why
I wrote the paragraph on it as such, but I expect that the real log
message to justify the change would be quite different and explain
why the daemon code needs the same change well---such a description
would not be "Note that", but would come before the "Accept lines
that end with..." and after the paragraph about credential-store.
Thanks.
> Signed-off-by: Nikita Leonov <[email protected]>
> Signed-off-by: Johannes Schindelin <[email protected]>
> ---
> builtin/credential-cache--daemon.c | 4 ++--
> builtin/credential-store.c | 2 +-
> t/t0302-credential-store.sh | 16 ++++++----------
> 3 files changed, 9 insertions(+), 13 deletions(-)
>
> diff --git a/builtin/credential-cache--daemon.c b/builtin/credential-cache--daemon.c
> index c61f123a3b..17664bb0d5 100644
> --- a/builtin/credential-cache--daemon.c
> +++ b/builtin/credential-cache--daemon.c
> @@ -99,12 +99,12 @@ static int read_request(FILE *fh, struct credential *c,
> static struct strbuf item = STRBUF_INIT;
> const char *p;
>
> - strbuf_getline_lf(&item, fh);
> + strbuf_getline(&item, fh);
> if (!skip_prefix(item.buf, "action=", &p))
> return error("client sent bogus action line: %s", item.buf);
> strbuf_addstr(action, p);
>
> - strbuf_getline_lf(&item, fh);
> + strbuf_getline(&item, fh);
> if (!skip_prefix(item.buf, "timeout=", &p))
> return error("client sent bogus timeout line: %s", item.buf);
> *timeout = atoi(p);
> diff --git a/builtin/credential-store.c b/builtin/credential-store.c
> index 5331ab151a..d4e90b68df 100644
> --- a/builtin/credential-store.c
> +++ b/builtin/credential-store.c
> @@ -23,7 +23,7 @@ static int parse_credential_file(const char *fn,
> return found_credential;
> }
>
> - while (strbuf_getline_lf(&line, fh) != EOF) {
> + while (strbuf_getline(&line, fh) != EOF) {
> if (!credential_from_url_gently(&entry, line.buf, 1) &&
> entry.username && entry.password &&
> credential_match(c, &entry)) {
> diff --git a/t/t0302-credential-store.sh b/t/t0302-credential-store.sh
> index 716bf1af9f..f2c672e4b6 100755
> --- a/t/t0302-credential-store.sh
> +++ b/t/t0302-credential-store.sh
> @@ -142,7 +142,7 @@ invalid_credential_test "scheme" ://user:[email protected]
> invalid_credential_test "valid host/path" https://user:pass@
> invalid_credential_test "username/password" https://[email protected]
>
> -test_expect_success 'get: credentials with DOS line endings are invalid' '
> +test_expect_success 'get: credentials with DOS line endings are valid' '
> printf "https://user:[email protected]\r\n" >"$HOME/.git-credentials" &&
> check fill store <<-\EOF
> protocol=https
> @@ -150,11 +150,9 @@ test_expect_success 'get: credentials with DOS line endings are invalid' '
> --
> protocol=https
> host=example.com
> - username=askpass-username
> - password=askpass-password
> + username=user
> + password=pass
> --
> - askpass: Username for '\''https://example.com'\'':
> - askpass: Password for '\''https://[email protected]'\'':
> --
> EOF
> '
> @@ -172,7 +170,7 @@ test_expect_success 'get: credentials with path and DOS line endings are valid'
> EOF
> '
>
> -test_expect_success 'get: credentials with DOS line endings are invalid if path is relevant' '
> +test_expect_success 'get: credentials with DOS line endings are valid if path is relevant' '
> printf "https://user:[email protected]/repo.git\r\n" >"$HOME/.git-credentials" &&
> test_config credential.useHttpPath true &&
> check fill store <<-\EOF
> @@ -181,11 +179,9 @@ test_expect_success 'get: credentials with DOS line endings are invalid if path
> protocol=https
> host=example.com
> path=repo.git
> - username=askpass-username
> - password=askpass-password
> + username=user
> + password=pass
> --
> - askpass: Username for '\''https://example.com/repo.git'\'':
> - askpass: Password for '\''https://[email protected]/repo.git'\'':
> --
> EOF
> '
There was a problem hiding this comment.
On the Git mailing list, Jeff King wrote (reply to this):
On Mon, Sep 28, 2020 at 01:58:03PM -0700, Junio C Hamano wrote:
> "Nikita Leonov via GitGitGadget" <[email protected]> writes:
>
> > From: Nikita Leonov <[email protected]>
> >
> > This commit makes reading process regarding credentials compatible with
> > 'CR/LF' line ending. It makes using git more convenient on systems like
> > Windows.
>
> I can see why this is a good thing for "store" and the two updated
> pieces of the test script demonstrate it very well.
>
> But it is unclear why and how cache-daemon benefits from this change.
> That needs to be justified.
I suspect it doesn't need touched, because it is internal to git-daemon.
But it does handle CRLF for some lines, because the first patch
modified credential_read(), which the daemon builds on (and which _is_
user-facing via git-credential). So there's perhaps an argument that
these calls should just be made consistent, even though the only one who
would write them is our matching client. If that is the argument to be
made, I think it would make sense to do so in a separate patch, since
there's no functional change.
(I'm also slightly puzzled that anybody on Windows would care about
credential-cache, since it require unix sockets. But maybe in a world of
WSL people are actually able to mix the two. I confess I haven't kept up
with the state of things in Windows).
-Peff
There was a problem hiding this comment.
On the Git mailing list, Junio C Hamano wrote (reply to this):
Jeff King <[email protected]> writes:
> On Mon, Sep 28, 2020 at 01:58:03PM -0700, Junio C Hamano wrote:
>
>> "Nikita Leonov via GitGitGadget" <[email protected]> writes:
>>
>> > From: Nikita Leonov <[email protected]>
>> >
>> > This commit makes reading process regarding credentials compatible with
>> > 'CR/LF' line ending. It makes using git more convenient on systems like
>> > Windows.
>>
>> I can see why this is a good thing for "store" and the two updated
>> pieces of the test script demonstrate it very well.
>>
>> But it is unclear why and how cache-daemon benefits from this change.
>> That needs to be justified.
>
> I suspect it doesn't need touched, because it is internal to git-daemon.
> But it does handle CRLF for some lines, because the first patch
> modified credential_read(), which the daemon builds on (and which _is_
> user-facing via git-credential). So there's perhaps an argument that
> these calls should just be made consistent, even though the only one who
> would write them is our matching client. If that is the argument to be
> made, I think it would make sense to do so in a separate patch, since
> there's no functional change.
>
> (I'm also slightly puzzled that anybody on Windows would care about
> credential-cache, since it require unix sockets. But maybe in a world of
> WSL people are actually able to mix the two. I confess I haven't kept up
> with the state of things in Windows).
True, so some, if not all, parts of these changes start to look more
and more like "I change LF to CRLF purely for political correctness,
even I know nobody sends CRLF in these cases (or "even I do not know
if anybody sends CRLF in these cases", which essentially amounts to
the same thing but may be worse)", needless code churns.
Sigh.
There was a problem hiding this comment.
On the Git mailing list, Johannes Schindelin wrote (reply to this):
Hi Junio & Peff,
On Wed, 30 Sep 2020, Junio C Hamano wrote:
> Jeff King <[email protected]> writes:
>
> > On Mon, Sep 28, 2020 at 01:58:03PM -0700, Junio C Hamano wrote:
> >
> >> "Nikita Leonov via GitGitGadget" <[email protected]> writes:
> >>
> >> > From: Nikita Leonov <[email protected]>
> >> >
> >> > This commit makes reading process regarding credentials compatible with
> >> > 'CR/LF' line ending. It makes using git more convenient on systems like
> >> > Windows.
> >>
> >> I can see why this is a good thing for "store" and the two updated
> >> pieces of the test script demonstrate it very well.
> >>
> >> But it is unclear why and how cache-daemon benefits from this change.
> >> That needs to be justified.
> >
> > I suspect it doesn't need touched, because it is internal to git-daemon.
> > But it does handle CRLF for some lines, because the first patch
> > modified credential_read(), which the daemon builds on (and which _is_
> > user-facing via git-credential). So there's perhaps an argument that
> > these calls should just be made consistent, even though the only one who
> > would write them is our matching client. If that is the argument to be
> > made, I think it would make sense to do so in a separate patch, since
> > there's no functional change.
> >
> > (I'm also slightly puzzled that anybody on Windows would care about
> > credential-cache, since it require unix sockets. But maybe in a world of
> > WSL people are actually able to mix the two. I confess I haven't kept up
> > with the state of things in Windows).
>
> True, so some, if not all, parts of these changes start to look more
> and more like "I change LF to CRLF purely for political correctness,
> even I know nobody sends CRLF in these cases (or "even I do not know
> if anybody sends CRLF in these cases", which essentially amounts to
> the same thing but may be worse)", needless code churns.
Indeed. I did not make the connection that `credential-cache--daemon` uses
Unix sockets internally (and hence if you try to use it on Windows, you
are greeted with the message "credential-cache--daemon unavailable; no
unix socket support").
Will drop this part from the next iteration.
Ciao,
Dscho
|
This branch is now known as |
|
This patch series was integrated into seen via ba9504e. |
| static int read_request(FILE *fh, struct credential *c, | ||
| struct strbuf *action, int *timeout) | ||
| { | ||
| static struct strbuf item = STRBUF_INIT; |
There was a problem hiding this comment.
On the Git mailing list, Carlo Arenas wrote (reply to this):
On Mon, Sep 28, 2020 at 4:41 AM Nikita Leonov via GitGitGadget
<[email protected]> wrote:
> diff --git a/t/t0302-credential-store.sh b/t/t0302-credential-store.sh
> index 716bf1af9f..f2c672e4b6 100755
> --- a/t/t0302-credential-store.sh
> +++ b/t/t0302-credential-store.sh
> @@ -142,7 +142,7 @@ invalid_credential_test "scheme" ://user:[email protected]
> invalid_credential_test "valid host/path" https://user:pass@
> invalid_credential_test "username/password" https://[email protected]
>
> -test_expect_success 'get: credentials with DOS line endings are invalid' '
> +test_expect_success 'get: credentials with DOS line endings are valid' '
> printf "https://user:[email protected]\r\n" >"$HOME/.git-credentials" &&
> check fill store <<-\EOF
> protocol=https
> @@ -150,11 +150,9 @@ test_expect_success 'get: credentials with DOS line endings are invalid' '
> --
> protocol=https
> host=example.com
> - username=askpass-username
> - password=askpass-password
> + username=user
> + password=pass
> --
> - askpass: Username for '\''https://example.com'\'':
> - askpass: Password for '\''https://[email protected]'\'':
> --
> EOF
> '
> @@ -172,7 +170,7 @@ test_expect_success 'get: credentials with path and DOS line endings are valid'
> EOF
> '
>
> -test_expect_success 'get: credentials with DOS line endings are invalid if path is relevant' '
> +test_expect_success 'get: credentials with DOS line endings are valid if path is relevant' '
note that this test was put in place to protect users from regressions
like the one we got after the release of 2.26.1 where users that had
'\r' as part of their credentials were getting an error[1]
while I am sympathetic to the change (indeed I proposed something
similar, but was reminded by Peff that while it looks like a text file
it was designed to be considered opaque and therefore should use UNIX
LF as record terminator by specification), I am concerned this could
result in a similar regression since we know they are still users out
there that had modified this file manually (something that was not
recommended) and are currently relying on the fact that these lines
are invalid and therefore silently ignored.
Carlo
[1] https://lore.kernel.org/git/[email protected]/
There was a problem hiding this comment.
On the Git mailing list, Junio C Hamano wrote (reply to this):
Carlo Arenas <[email protected]> writes:
>> -test_expect_success 'get: credentials with DOS line endings are invalid if path is relevant' '
>> +test_expect_success 'get: credentials with DOS line endings are valid if path is relevant' '
>
> note that this test was put in place to protect users from regressions
> like the one we got after the release of 2.26.1 where users that had
> '\r' as part of their credentials were getting an error[1]
>
> while I am sympathetic to the change (indeed I proposed something
> similar, but was reminded by Peff that while it looks like a text file
> it was designed to be considered opaque and therefore should use UNIX
> LF as record terminator by specification), I am concerned this could
> result in a similar regression since we know they are still users out
> there that had modified this file manually (something that was not
> recommended) and are currently relying on the fact that these lines
> are invalid and therefore silently ignored.
>
> Carlo
>
> [1] https://lore.kernel.org/git/[email protected]/
I think you meant to remind us and this thread of the earlier review
and discussion thread, which begins at
https://lore.kernel.org/git/[email protected]/
And thanks for doing so---I totally forgot about it.
There was a problem hiding this comment.
On the Git mailing list, Jeff King wrote (reply to this):
On Mon, Sep 28, 2020 at 04:26:38PM -0700, Carlo Arenas wrote:
> > -test_expect_success 'get: credentials with DOS line endings are invalid if path is relevant' '
> > +test_expect_success 'get: credentials with DOS line endings are valid if path is relevant' '
>
> note that this test was put in place to protect users from regressions
> like the one we got after the release of 2.26.1 where users that had
> '\r' as part of their credentials were getting an error[1]
>
> while I am sympathetic to the change (indeed I proposed something
> similar, but was reminded by Peff that while it looks like a text file
> it was designed to be considered opaque and therefore should use UNIX
> LF as record terminator by specification), I am concerned this could
> result in a similar regression since we know they are still users out
> there that had modified this file manually (something that was not
> recommended) and are currently relying on the fact that these lines
> are invalid and therefore silently ignored.
Going over that old thread, I'm not sure that anybody raised a real use
case where somebody expected a CR at the end of a line. The discussion
was mostly about whether proposed changes would or would not be
compatible with existing behavior.
I think that:
- we'd never write a raw CR ourselves, as we'd urlencode the character
- if somebody did put in a raw CR manually like:
https://example.com\r\n
then we'd currently fail to match "example.com". Which is probably
not what they wanted. I suspect that \r in a hostname is bogus
anyway (certainly curl will complain about it).
- you could do the same in a path:
https://example.com/foo\r\n
which _is_ legal, but I think we'd generally ignore it completely
unless credential.usehttppath is set (for network-accessible
requests, that is; you could probably point your local cert file at
something bogus, but I think the main areas of interest here are
people manipulating the credential protocol via malicious urls).
So I'm OK loosening the format in the name of convenience, as long as
we're confident that it's not opening up any security problems. I can't
think of any such problems, though.
It sounds from your email like you may have found me arguing the
opposite. That's entirely possible. ;) But I couldn't find it in the
thread Junio linked.
-Peff
There was a problem hiding this comment.
On the Git mailing list, Junio C Hamano wrote (reply to this):
Jeff King <[email protected]> writes:
> I think that:
>
> - we'd never write a raw CR ourselves, as we'd urlencode the character
>
> - if somebody did put in a raw CR manually like:
>
> https://example.com\r\n
>
> then we'd currently fail to match "example.com". Which is probably
> not what they wanted. I suspect that \r in a hostname is bogus
> anyway (certainly curl will complain about it).
I may be misremembering, but an argument I recall against the kind
of change we are dicussing now was that we ignore such an entry
right now, and the user may have added an entry for the host anew,
possibly with a more recent password. Changing the parsing to
ignore CR would silently resurrect such a stale entry that the user
has written off as unused, and depending on the order of entries in
the file, a site that used to work may start failing suddenly.
I don't think I'd care too heavily either way. As long as other
people will deal with possible backward-incompatibility fallout,
I do not mind seeing the change ;-).
I still don't see why we need to touch the cache-daemon, though.
Thanks.
There was a problem hiding this comment.
On the Git mailing list, Jeff King wrote (reply to this):
On Mon, Sep 28, 2020 at 05:41:14PM -0700, Junio C Hamano wrote:
> Jeff King <[email protected]> writes:
>
> > I think that:
> >
> > - we'd never write a raw CR ourselves, as we'd urlencode the character
> >
> > - if somebody did put in a raw CR manually like:
> >
> > https://example.com\r\n
> >
> > then we'd currently fail to match "example.com". Which is probably
> > not what they wanted. I suspect that \r in a hostname is bogus
> > anyway (certainly curl will complain about it).
>
> I may be misremembering, but an argument I recall against the kind
> of change we are dicussing now was that we ignore such an entry
> right now, and the user may have added an entry for the host anew,
> possibly with a more recent password. Changing the parsing to
> ignore CR would silently resurrect such a stale entry that the user
> has written off as unused, and depending on the order of entries in
> the file, a site that used to work may start failing suddenly.
Yeah, that is probably what would happen. I have to admit that it's such
an obscure case that I'm not sure I really care. It's unlikely in
practice, and if somebody did report such a case, I think my first
response would be "well, why did you have a broken entry stuck in your
file?".
> I still don't see why we need to touch the cache-daemon, though.
Yeah, I touched on that more in another response.
-Peff
There was a problem hiding this comment.
On the Git mailing list, Jeff King wrote (reply to this):
On Wed, Sep 30, 2020 at 03:25:09PM -0700, Junio C Hamano wrote:
> OK, so what's the final verdict from us? This is good enough to
> move forward as-is?
I'd prefer to see the credential-cache--daemon changes either dropped,
or split out into a separate patch with the justification of: this
probably doesn't matter in practice, but it makes the whole protocol
between client and server treat CRLF consistently.
I had also raised a question in:
https://lore.kernel.org/git/[email protected]/
about whether they just care about the empty line, or about CRLF on data
lines. If the former (which is what the commit message claims), then I
think we can do something much simpler. But I suspect it is the latter,
and it is simply the commit message that is a bit misleading.
Other than those nits, I think the series is OK.
-Peff
There was a problem hiding this comment.
On the Git mailing list, Junio C Hamano wrote (reply to this):
Jeff King <[email protected]> writes:
> On Wed, Sep 30, 2020 at 03:25:09PM -0700, Junio C Hamano wrote:
>
>> OK, so what's the final verdict from us? This is good enough to
>> move forward as-is?
>
> I'd prefer to see the credential-cache--daemon changes either dropped,
> or split out into a separate patch with the justification of: this
> probably doesn't matter in practice, but it makes the whole protocol
> between client and server treat CRLF consistently.
>
> I had also raised a question in:
>
> https://lore.kernel.org/git/[email protected]/
>
> about whether they just care about the empty line, or about CRLF on data
> lines. If the former (which is what the commit message claims), then I
> think we can do something much simpler. But I suspect it is the latter,
> and it is simply the commit message that is a bit misleading.
>
> Other than those nits, I think the series is OK.
Sure. But credential-store side is also iffy; it is not like they
want CRLF on data lines (if they want CR in data, that needs to be
encoded). The only reason I can think of that the change to
"-store" makes any difference is when people edit it, but the file
is not designed to be manually edited, so even that part of the
series needs a better justification. It's not like "We want to be
compatible" without "why it is better to be compatible" is a good
rationale, when we define the file format not to be manually edited
in the first place.
Thanks.
There was a problem hiding this comment.
On the Git mailing list, Jeff King wrote (reply to this):
On Wed, Sep 30, 2020 at 03:56:27PM -0700, Junio C Hamano wrote:
> > Other than those nits, I think the series is OK.
>
> Sure. But credential-store side is also iffy; it is not like they
> want CRLF on data lines (if they want CR in data, that needs to be
> encoded). The only reason I can think of that the change to
> "-store" makes any difference is when people edit it, but the file
> is not designed to be manually edited, so even that part of the
> series needs a better justification. It's not like "We want to be
> compatible" without "why it is better to be compatible" is a good
> rationale, when we define the file format not to be manually edited
> in the first place.
Yeah, I agree that just teaching git-credential's stdin to handle CR
would be an OK stopping point. I don't have a strong opinion on
credential-store's on disk format. At least allowing CRLF there is
_plausibly_ useful, unlike credential-cache--daemon's pipe. And I doubt
that making the change would hurt anybody.
-Peff
There was a problem hiding this comment.
On the Git mailing list, Junio C Hamano wrote (reply to this):
Jeff King <[email protected]> writes:
> Yeah, I agree that just teaching git-credential's stdin to handle CR
> would be an OK stopping point. I don't have a strong opinion on
> credential-store's on disk format. At least allowing CRLF there is
> _plausibly_ useful, unlike credential-cache--daemon's pipe. And I doubt
> that making the change would hurt anybody.
I agree 100% with all of the above, including the part that says it
is also OK to let credential-store read from its files with line
ending converted to CRLF.
Thanks.
There was a problem hiding this comment.
On the Git mailing list, Johannes Schindelin wrote (reply to this):
Hi,
On Thu, 1 Oct 2020, Junio C Hamano wrote:
> Jeff King <[email protected]> writes:
>
> > Yeah, I agree that just teaching git-credential's stdin to handle CR
> > would be an OK stopping point. I don't have a strong opinion on
> > credential-store's on disk format. At least allowing CRLF there is
> > _plausibly_ useful, unlike credential-cache--daemon's pipe. And I doubt
> > that making the change would hurt anybody.
>
> I agree 100% with all of the above, including the part that says it
> is also OK to let credential-store read from its files with line
> ending converted to CRLF.
After mulling over this, I am more inclined to drop the credential-store
changes, too. That file _is_ an implementation detail, and not intended
for interactive editing. And as Carlo pointed out so correctly, the
regression tests were not introduced "just for fun", they really want to
make sure that we keep handling CR/LF the way we currently do.
So I will drop both credential-cache--daemon and credential-store changes
from the next iteration.
Ciao,
Dscho
|
User |
|
User |
| } | ||
|
|
||
| int credential_read(struct credential *c, FILE *fp) | ||
| { |
There was a problem hiding this comment.
On the Git mailing list, Jeff King wrote (reply to this):
On Mon, Sep 28, 2020 at 11:40:22AM +0000, Nikita Leonov via GitGitGadget wrote:
> From: Nikita Leonov <[email protected]>
>
> This fix makes using Git credentials more friendly to Windows users. In
> previous version it was unable to finish input correctly without
> configuration changes (tested in PowerShell, CMD, Cygwin).
>
> We know credential filling should be finished by empty input, but the
> current implementation does not take into account CR/LF ending, and
> hence instead of the empty string we get '\r', which is interpreted as
> an incorrect string.
>
> So this commit changes default reading function to a more Windows
> compatible reading function.
Unlike the credential-store file case, where we expect the data to be
URL-encoded anyway (and so any true "\r" in the data would not be found
in raw form), this means that the credential protocol can no longer
represent "\r" at the end of a value.
And we'd match "example.com\r" and "example.com" as the same (unlikely,
since carriage returns aren't allowed in hostnames, and curl will
complain about this). We'd also match "cert://some/path\r" and
"cert://some/path". Or "https://example.com/path\r" and its match, if
you have credential.useHTTPPath set.
That may be acceptable if it makes things more convenient. Those are all
pretty obscure cases, and I find it hard to believe an attacker could
hijack credentials using this (it implies that the only difference
between their malicious url and a known-good one is a trailing CR).
This part of the commit message confused me a little:
> We know credential filling should be finished by empty input, but the
> current implementation does not take into account CR/LF ending, and
> hence instead of the empty string we get '\r', which is interpreted as
> an incorrect string.
If all we care about is the empty line, and not data lines, then we
could do this:
diff --git a/credential.c b/credential.c
index efc29dc5e1..73143c5ed0 100644
--- a/credential.c
+++ b/credential.c
@@ -206,7 +206,7 @@ int credential_read(struct credential *c, FILE *fp)
char *key = line.buf;
char *value = strchr(key, '=');
- if (!line.len)
+ if (!line.len || (line.len == 1 && line.buf[0] == '\r'))
break;
if (!value) {
without impacting the ability to send raw CR in the lines with actual
data. But I imagine that a trailing CR in all of the data would also
cause problems.
-Peff
There was a problem hiding this comment.
On the Git mailing list, Johannes Schindelin wrote (reply to this):
Hi Peff,
On Mon, 28 Sep 2020, Jeff King wrote:
> On Mon, Sep 28, 2020 at 11:40:22AM +0000, Nikita Leonov via GitGitGadget wrote:
>
> > From: Nikita Leonov <[email protected]>
> >
> > This fix makes using Git credentials more friendly to Windows users. In
> > previous version it was unable to finish input correctly without
> > configuration changes (tested in PowerShell, CMD, Cygwin).
> >
> > We know credential filling should be finished by empty input, but the
> > current implementation does not take into account CR/LF ending, and
> > hence instead of the empty string we get '\r', which is interpreted as
> > an incorrect string.
> >
> > So this commit changes default reading function to a more Windows
> > compatible reading function.
>
> Unlike the credential-store file case, where we expect the data to be
> URL-encoded anyway (and so any true "\r" in the data would not be found
> in raw form), this means that the credential protocol can no longer
> represent "\r" at the end of a value.
Indeed.
> And we'd match "example.com\r" and "example.com" as the same (unlikely,
> since carriage returns aren't allowed in hostnames, and curl will
> complain about this). We'd also match "cert://some/path\r" and
> "cert://some/path". Or "https://example.com/path\r" and its match, if
> you have credential.useHTTPPath set.
True. It's a problem with all of those URLs that end in Carriage Returns
;-)
> That may be acceptable if it makes things more convenient. Those are all
> pretty obscure cases, and I find it hard to believe an attacker could
> hijack credentials using this (it implies that the only difference
> between their malicious url and a known-good one is a trailing CR).
Indeed.
> This part of the commit message confused me a little:
>
> > We know credential filling should be finished by empty input, but the
> > current implementation does not take into account CR/LF ending, and
> > hence instead of the empty string we get '\r', which is interpreted as
> > an incorrect string.
>
> If all we care about is the empty line, and not data lines, then we
> could do this:
>
> diff --git a/credential.c b/credential.c
> index efc29dc5e1..73143c5ed0 100644
> --- a/credential.c
> +++ b/credential.c
> @@ -206,7 +206,7 @@ int credential_read(struct credential *c, FILE *fp)
> char *key = line.buf;
> char *value = strchr(key, '=');
>
> - if (!line.len)
> + if (!line.len || (line.len == 1 && line.buf[0] == '\r'))
> break;
>
> if (!value) {
>
> without impacting the ability to send raw CR in the lines with actual
> data. But I imagine that a trailing CR in all of the data would also
> cause problems.
I checked again with github.com/git-for-windows/git/pull/2516, where the
patch originally entered the public eye, but could not find any background
information.
But I would highly doubt that the empty lines were the biggest problem:
Sure, we would fail to recognize an empty line with CR/LF line endings
when reading with `strbuf_getline_lf()`, but we would totally
misunderstand the entire rest of the lines, too. For example, we would
mistake `quit\r` for an unknown command, and hence simply ignore it.
I do agree, however, that your confusion validly points out a flaw in the
commit message: the "empty line" comment is a red herring.
Therefore, I spent some time pouring over the commit message. This is my
current version:
credential: treat CR/LF as line endings in the credential protocol
This fix makes using Git credentials more friendly to Windows users: it
allows a credential helper to communicate using CR/LF line endings ("DOS
line endings" commonly found on Windows) instead of LF-only line endings
("Unix line endings").
Note that this changes the behavior a bit: if a credential helper
produces, say, a password with a trailing Carriage Return character,
that will now be culled even when the rest of the lines end only in Line
Feed characters, indicating that the Carriage Return was not meant to be
part of the line ending.
In practice, it seems _very_ unlikely that something like this happens.
Passwords usually need to consist of non-control characters, URLs need
to have special characters URL-encoded, and user names, well, are names.
So let's change the credential machinery to accept both CR/LF and LF
line endings.
While we do this for the credential helper protocol, we do _not_ do
adjust `git credential-cache--daemon` (which won't work on Windows,
anyway, because it requires Unix sockets) nor `git credential-store`
(which writes the file `~/.git-credentials` which we consider an
implementation detail that should be opaque to the user, read: we do
expect users _not_ to edit this file manually).
What do you think?
Ciao,
Dscho
There was a problem hiding this comment.
On the Git mailing list, Jeff King wrote (reply to this):
On Fri, Oct 02, 2020 at 01:37:23PM +0200, Johannes Schindelin wrote:
> But I would highly doubt that the empty lines were the biggest problem:
> Sure, we would fail to recognize an empty line with CR/LF line endings
> when reading with `strbuf_getline_lf()`, but we would totally
> misunderstand the entire rest of the lines, too. For example, we would
> mistake `quit\r` for an unknown command, and hence simply ignore it.
>
> I do agree, however, that your confusion validly points out a flaw in the
> commit message: the "empty line" comment is a red herring.
>
> Therefore, I spent some time pouring over the commit message. This is my
> current version:
> [...]
> What do you think?
I think we are on the same page, and this revision does a good job of
fixing my complaint about the commit message. Thanks. One minor typo:
> While we do this for the credential helper protocol, we do _not_ do
> adjust `git credential-cache--daemon` (which won't work on Windows,
s/do$//
-Peff
There was a problem hiding this comment.
On the Git mailing list, Johannes Schindelin wrote (reply to this):
Hi Peff,
On Fri, 2 Oct 2020, Jeff King wrote:
> On Fri, Oct 02, 2020 at 01:37:23PM +0200, Johannes Schindelin wrote:
>
> > But I would highly doubt that the empty lines were the biggest problem:
> > Sure, we would fail to recognize an empty line with CR/LF line endings
> > when reading with `strbuf_getline_lf()`, but we would totally
> > misunderstand the entire rest of the lines, too. For example, we would
> > mistake `quit\r` for an unknown command, and hence simply ignore it.
> >
> > I do agree, however, that your confusion validly points out a flaw in the
> > commit message: the "empty line" comment is a red herring.
> >
> > Therefore, I spent some time pouring over the commit message. This is my
> > current version:
> > [...]
> > What do you think?
>
> I think we are on the same page, and this revision does a good job of
> fixing my complaint about the commit message. Thanks. One minor typo:
>
> > While we do this for the credential helper protocol, we do _not_ do
> > adjust `git credential-cache--daemon` (which won't work on Windows,
>
> s/do$//
Thanks, fixed!
Ciao,
Dscho
There was a problem hiding this comment.
On the Git mailing list, Junio C Hamano wrote (reply to this):
Johannes Schindelin <[email protected]> writes:
> Therefore, I spent some time pouring over the commit message. This is my
> current version:
>
> credential: treat CR/LF as line endings in the credential protocol
>
> This fix makes using Git credentials more friendly to Windows users: it
> allows a credential helper to communicate using CR/LF line endings ("DOS
> line endings" commonly found on Windows) instead of LF-only line endings
> ("Unix line endings").
>
> Note that this changes the behavior a bit: if a credential helper
> produces, say, a password with a trailing Carriage Return character,
> that will now be culled even when the rest of the lines end only in Line
> Feed characters, indicating that the Carriage Return was not meant to be
> part of the line ending.
>
> In practice, it seems _very_ unlikely that something like this happens.
> Passwords usually need to consist of non-control characters, URLs need
> to have special characters URL-encoded, and user names, well, are names.
>
> So let's change the credential machinery to accept both CR/LF and LF
> line endings.
>
> While we do this for the credential helper protocol, we do _not_ do
> adjust `git credential-cache--daemon` (which won't work on Windows,
> anyway, because it requires Unix sockets) nor `git credential-store`
> (which writes the file `~/.git-credentials` which we consider an
> implementation detail that should be opaque to the user, read: we do
> expect users _not_ to edit this file manually).
>
> What do you think?
I am not Peff, but I was also drawn into the same confusion by the
"we never see an empty line" red herring.
There are some micronits, but the above made a lot easier to
understand (I think you could even add "quit\r" bit to make it even
easier to understand) than the original description.
Thanks.
There was a problem hiding this comment.
On the Git mailing list, Johannes Schindelin wrote (reply to this):
Hi Junio,
On Fri, 2 Oct 2020, Junio C Hamano wrote:
> Johannes Schindelin <[email protected]> writes:
>
> > Therefore, I spent some time pouring over the commit message. This is my
> > current version:
> >
> > credential: treat CR/LF as line endings in the credential protocol
> >
> > This fix makes using Git credentials more friendly to Windows users: it
> > allows a credential helper to communicate using CR/LF line endings ("DOS
> > line endings" commonly found on Windows) instead of LF-only line endings
> > ("Unix line endings").
> >
> > Note that this changes the behavior a bit: if a credential helper
> > produces, say, a password with a trailing Carriage Return character,
> > that will now be culled even when the rest of the lines end only in Line
> > Feed characters, indicating that the Carriage Return was not meant to be
> > part of the line ending.
> >
> > In practice, it seems _very_ unlikely that something like this happens.
> > Passwords usually need to consist of non-control characters, URLs need
> > to have special characters URL-encoded, and user names, well, are names.
> >
> > So let's change the credential machinery to accept both CR/LF and LF
> > line endings.
> >
> > While we do this for the credential helper protocol, we do _not_ do
> > adjust `git credential-cache--daemon` (which won't work on Windows,
> > anyway, because it requires Unix sockets) nor `git credential-store`
> > (which writes the file `~/.git-credentials` which we consider an
> > implementation detail that should be opaque to the user, read: we do
> > expect users _not_ to edit this file manually).
> >
> > What do you think?
>
> I am not Peff, but I was also drawn into the same confusion by the
> "we never see an empty line" red herring.
:-)
> There are some micronits, but the above made a lot easier to
> understand (I think you could even add "quit\r" bit to make it even
> easier to understand) than the original description.
Okay, I incorporated a comment talking about `quit\r` and will submit
a new iteration right now.
Thanks,
Dscho
|
This patch series was integrated into seen via e8b5302. |
|
This patch series was integrated into seen via d15974a. |
|
This patch series was integrated into seen via ea84644. |
|
This patch series was integrated into seen via 52a10f4. |
|
User |
dscho
force-pushed
the
crlf-aware-git-credential
branch
2 times, most recently
from
47c0767 to
2dda8dc
Compare
|
This patch series was integrated into seen via edb227a. |
This fix makes using Git credentials more friendly to Windows users: it
allows a credential helper to communicate using CR/LF line endings ("DOS
line endings" commonly found on Windows) instead of LF-only line endings
("Unix line endings").
Note that this changes the behavior a bit: if a credential helper
produces, say, a password with a trailing Carriage Return character,
that will now be culled even when the rest of the lines end only in Line
Feed characters, indicating that the Carriage Return was not meant to be
part of the line ending.
In practice, it seems _very_ unlikely that something like this happens.
Passwords usually need to consist of non-control characters, URLs need
to have special characters URL-encoded, and user names, well, are names.
However, it _does_ help on Windows, where CR/LF line endings are common:
as unrecognized commands are simply ignored by the credential machinery,
even a command like `quit\r` (which is clearly intended to abort) would
simply be ignored (silently) by Git.
So let's change the credential machinery to accept both CR/LF and LF
line endings.
While we do this for the credential helper protocol, we do _not_ adjust
`git credential-cache--daemon` (which won't work on Windows, anyway,
because it requires Unix sockets) nor `git credential-store` (which
writes the file `~/.git-credentials` which we consider an implementation
detail that should be opaque to the user, read: we do expect users _not_
to edit this file manually).
Signed-off-by: Nikita Leonov <[email protected]>
Signed-off-by: Johannes Schindelin <[email protected]>
dscho
force-pushed
the
crlf-aware-git-credential
branch
from
2dda8dc to
f6eeb18
Compare
Member
Author
|
/submit |
|
Submitted as [email protected] To fetch this version into To fetch this version to local tag |
|
This patch series was integrated into seen via 1a95ceb. |
|
This patch series was integrated into seen via d38830d. |
|
This patch series was integrated into seen via 53f6046. |
|
This patch series was integrated into next via 213256c. |
|
This patch series was integrated into seen via 542b3c2. |
|
This patch series was integrated into next via 542b3c2. |
|
This patch series was integrated into master via 542b3c2. |
|
Closed via 542b3c2. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This contribution came in via Git for Windows.
Sadly, I did not find the time to go through all the changes of 8f309ae ("strbuf: introduce strbuf_getline_{lf,nul}()", 2016-01-13) (as Junio asked). Rather than delaying this patch indefinitely, I admit defeat on that angle.
Changes since v2:
credential-cache--daemonandcredential-storechanges again.Changes since v1:
credential-daemonandcredential-storein the same manner.cc: Carlo Arenas [email protected]
cc: Jeff King [email protected]
cc: Johannes Schindelin [email protected]