Merge branch 'jk/http-redact-fix'
Sensitive data in the HTTP trace were supposed to be redacted, but we failed to do so in HTTP/2 requests. * jk/http-redact-fix: http: match headers case-insensitively when redacting
This commit is contained in:
Junio C Hamano
commit
58e2bc452b
6
http.c
6
http.c
@ -551,8 +551,8 @@ static void redact_sensitive_header(struct strbuf *header)
|
|||||||
const char *sensitive_header;
|
const char *sensitive_header;
|
||||||
|
|
||||||
if (trace_curl_redact &&
|
if (trace_curl_redact &&
|
||||||
(skip_prefix(header->buf, "Authorization:", &sensitive_header) ||
|
(skip_iprefix(header->buf, "Authorization:", &sensitive_header) ||
|
||||||
skip_prefix(header->buf, "Proxy-Authorization:", &sensitive_header))) {
|
skip_iprefix(header->buf, "Proxy-Authorization:", &sensitive_header))) {
|
||||||
/* The first token is the type, which is OK to log */
|
/* The first token is the type, which is OK to log */
|
||||||
while (isspace(*sensitive_header))
|
while (isspace(*sensitive_header))
|
||||||
sensitive_header++;
|
sensitive_header++;
|
||||||
@ -562,7 +562,7 @@ static void redact_sensitive_header(struct strbuf *header)
|
|||||||
strbuf_setlen(header, sensitive_header - header->buf);
|
strbuf_setlen(header, sensitive_header - header->buf);
|
||||||
strbuf_addstr(header, " <redacted>");
|
strbuf_addstr(header, " <redacted>");
|
||||||
} else if (trace_curl_redact &&
|
} else if (trace_curl_redact &&
|
||||||
skip_prefix(header->buf, "Cookie:", &sensitive_header)) {
|
skip_iprefix(header->buf, "Cookie:", &sensitive_header)) {
|
||||||
struct strbuf redacted_header = STRBUF_INIT;
|
struct strbuf redacted_header = STRBUF_INIT;
|
||||||
const char *cookie;
|
const char *cookie;
|
||||||
|
|
||||||
|
|||||||
@ -196,8 +196,8 @@ test_expect_success 'GIT_TRACE_CURL redacts auth details' '
|
|||||||
|
|
||||||
# Ensure that there is no "Basic" followed by a base64 string, but that
|
# Ensure that there is no "Basic" followed by a base64 string, but that
|
||||||
# the auth details are redacted
|
# the auth details are redacted
|
||||||
! grep "Authorization: Basic [0-9a-zA-Z+/]" trace &&
|
! grep -i "Authorization: Basic [0-9a-zA-Z+/]" trace &&
|
||||||
grep "Authorization: Basic <redacted>" trace
|
grep -i "Authorization: Basic <redacted>" trace
|
||||||
'
|
'
|
||||||
|
|
||||||
test_expect_success 'GIT_CURL_VERBOSE redacts auth details' '
|
test_expect_success 'GIT_CURL_VERBOSE redacts auth details' '
|
||||||
@ -208,8 +208,8 @@ test_expect_success 'GIT_CURL_VERBOSE redacts auth details' '
|
|||||||
|
|
||||||
# Ensure that there is no "Basic" followed by a base64 string, but that
|
# Ensure that there is no "Basic" followed by a base64 string, but that
|
||||||
# the auth details are redacted
|
# the auth details are redacted
|
||||||
! grep "Authorization: Basic [0-9a-zA-Z+/]" trace &&
|
! grep -i "Authorization: Basic [0-9a-zA-Z+/]" trace &&
|
||||||
grep "Authorization: Basic <redacted>" trace
|
grep -i "Authorization: Basic <redacted>" trace
|
||||||
'
|
'
|
||||||
|
|
||||||
test_expect_success 'GIT_TRACE_CURL does not redact auth details if GIT_TRACE_REDACT=0' '
|
test_expect_success 'GIT_TRACE_CURL does not redact auth details if GIT_TRACE_REDACT=0' '
|
||||||
@ -219,7 +219,7 @@ test_expect_success 'GIT_TRACE_CURL does not redact auth details if GIT_TRACE_RE
|
|||||||
git clone --bare "$HTTPD_URL/auth/smart/repo.git" redact-auth &&
|
git clone --bare "$HTTPD_URL/auth/smart/repo.git" redact-auth &&
|
||||||
expect_askpass both user@host &&
|
expect_askpass both user@host &&
|
||||||
|
|
||||||
grep "Authorization: Basic [0-9a-zA-Z+/]" trace
|
grep -i "Authorization: Basic [0-9a-zA-Z+/]" trace
|
||||||
'
|
'
|
||||||
|
|
||||||
test_expect_success 'disable dumb http on server' '
|
test_expect_success 'disable dumb http on server' '
|
||||||
@ -474,10 +474,10 @@ test_expect_success 'cookies are redacted by default' '
|
|||||||
GIT_TRACE_CURL=true \
|
GIT_TRACE_CURL=true \
|
||||||
git -c "http.cookieFile=$(pwd)/cookies" clone \
|
git -c "http.cookieFile=$(pwd)/cookies" clone \
|
||||||
$HTTPD_URL/smart/repo.git clone 2>err &&
|
$HTTPD_URL/smart/repo.git clone 2>err &&
|
||||||
grep "Cookie:.*Foo=<redacted>" err &&
|
grep -i "Cookie:.*Foo=<redacted>" err &&
|
||||||
grep "Cookie:.*Bar=<redacted>" err &&
|
grep -i "Cookie:.*Bar=<redacted>" err &&
|
||||||
! grep "Cookie:.*Foo=1" err &&
|
! grep -i "Cookie:.*Foo=1" err &&
|
||||||
! grep "Cookie:.*Bar=2" err
|
! grep -i "Cookie:.*Bar=2" err
|
||||||
'
|
'
|
||||||
|
|
||||||
test_expect_success 'empty values of cookies are also redacted' '
|
test_expect_success 'empty values of cookies are also redacted' '
|
||||||
@ -486,7 +486,7 @@ test_expect_success 'empty values of cookies are also redacted' '
|
|||||||
GIT_TRACE_CURL=true \
|
GIT_TRACE_CURL=true \
|
||||||
git -c "http.cookieFile=$(pwd)/cookies" clone \
|
git -c "http.cookieFile=$(pwd)/cookies" clone \
|
||||||
$HTTPD_URL/smart/repo.git clone 2>err &&
|
$HTTPD_URL/smart/repo.git clone 2>err &&
|
||||||
grep "Cookie:.*Foo=<redacted>" err
|
grep -i "Cookie:.*Foo=<redacted>" err
|
||||||
'
|
'
|
||||||
|
|
||||||
test_expect_success 'GIT_TRACE_REDACT=0 disables cookie redaction' '
|
test_expect_success 'GIT_TRACE_REDACT=0 disables cookie redaction' '
|
||||||
@ -496,8 +496,8 @@ test_expect_success 'GIT_TRACE_REDACT=0 disables cookie redaction' '
|
|||||||
GIT_TRACE_REDACT=0 GIT_TRACE_CURL=true \
|
GIT_TRACE_REDACT=0 GIT_TRACE_CURL=true \
|
||||||
git -c "http.cookieFile=$(pwd)/cookies" clone \
|
git -c "http.cookieFile=$(pwd)/cookies" clone \
|
||||||
$HTTPD_URL/smart/repo.git clone 2>err &&
|
$HTTPD_URL/smart/repo.git clone 2>err &&
|
||||||
grep "Cookie:.*Foo=1" err &&
|
grep -i "Cookie:.*Foo=1" err &&
|
||||||
grep "Cookie:.*Bar=2" err
|
grep -i "Cookie:.*Bar=2" err
|
||||||
'
|
'
|
||||||
|
|
||||||
test_expect_success 'GIT_TRACE_CURL_NO_DATA prevents data from being traced' '
|
test_expect_success 'GIT_TRACE_CURL_NO_DATA prevents data from being traced' '
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user