http: control GSSAPI credential delegation
Delegation of credentials is disabled by default in libcurl since version 7.21.7 due to security vulnerability CVE-2011-2192. Which makes troubles with GSS/kerberos authentication when delegation of credentials is required. This can be changed with option CURLOPT_GSSAPI_DELEGATION in libcurl with set expected parameter since libcurl version 7.22.0. This patch provides new configuration variable http.delegation which corresponds to curl parameter "--delegation" (see man 1 curl). The following values are supported: * none (default). * policy * always Signed-off-by: Petr Stodulka <pstodulk@redhat.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
This commit is contained in:
Petr Stodulka
committed by
Junio C Hamano
Junio C Hamano
parent
7c0304af62
commit
26a7b23429
37
http.c
37
http.c
@ -90,6 +90,18 @@ static struct {
|
||||
* here, too
|
||||
*/
|
||||
};
|
||||
#if LIBCURL_VERSION_NUM >= 0x071600
|
||||
static const char *curl_deleg;
|
||||
static struct {
|
||||
const char *name;
|
||||
long curl_deleg_param;
|
||||
} curl_deleg_levels[] = {
|
||||
{ "none", CURLGSSAPI_DELEGATION_NONE },
|
||||
{ "policy", CURLGSSAPI_DELEGATION_POLICY_FLAG },
|
||||
{ "always", CURLGSSAPI_DELEGATION_FLAG },
|
||||
};
|
||||
#endif
|
||||
|
||||
static struct credential proxy_auth = CREDENTIAL_INIT;
|
||||
static const char *curl_proxyuserpwd;
|
||||
static const char *curl_cookie_file;
|
||||
@ -316,6 +328,15 @@ static int http_options(const char *var, const char *value, void *cb)
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (!strcmp("http.delegation", var)) {
|
||||
#if LIBCURL_VERSION_NUM >= 0x071600
|
||||
return git_config_string(&curl_deleg, var, value);
|
||||
#else
|
||||
warning(_("Delegation control is not supported with cURL < 7.22.0"));
|
||||
return 0;
|
||||
#endif
|
||||
}
|
||||
|
||||
if (!strcmp("http.pinnedpubkey", var)) {
|
||||
#if LIBCURL_VERSION_NUM >= 0x072c00
|
||||
return git_config_pathname(&ssl_pinnedkey, var, value);
|
||||
@ -622,6 +643,22 @@ static CURL *get_curl_handle(void)
|
||||
curl_easy_setopt(result, CURLOPT_HTTPAUTH, CURLAUTH_ANY);
|
||||
#endif
|
||||
|
||||
#if LIBCURL_VERSION_NUM >= 0x071600
|
||||
if (curl_deleg) {
|
||||
int i;
|
||||
for (i = 0; i < ARRAY_SIZE(curl_deleg_levels); i++) {
|
||||
if (!strcmp(curl_deleg, curl_deleg_levels[i].name)) {
|
||||
curl_easy_setopt(result, CURLOPT_GSSAPI_DELEGATION,
|
||||
curl_deleg_levels[i].curl_deleg_param);
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (i == ARRAY_SIZE(curl_deleg_levels))
|
||||
warning("Unknown delegation method '%s': using default",
|
||||
curl_deleg);
|
||||
}
|
||||
#endif
|
||||
|
||||
if (http_proactive_auth)
|
||||
init_curl_http_auth(result);
|
||||
|
||||
|
||||
Reference in New Issue
Block a user