mirrors/git
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

credential: avoid erasing distinct password

Browse Source 
Test that credential helpers do not erase a password distinct from the
input. Such calls can happen when multiple credential helpers are
configured.

Fixes for credential-cache and credential-store.

Signed-off-by: M Hickford <mirth.hickford@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
This commit is contained in:
M Hickford
2023-06-15 19:19:32 +00:00
committed by Junio C Hamano
parent fe86abd751
commit aeb21ce22e
5 changed files with 90 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
builtin/credential-cache--daemon.c
View File

@ -33,22 +33,22 @@ static void cache_credential(struct credential *c, int timeout)
e->expiration = time(NULL) + timeout;
}
static struct credential_cache_entry *lookup_credential(const struct credential *c)
static struct credential_cache_entry *lookup_credential(const struct credential *c, int match_password)
{
int i;
for (i = 0; i < entries_nr; i++) {
struct credential *e = &entries[i].item;
if (credential_match(c, e))
if (credential_match(c, e, match_password))
return &entries[i];
}
return NULL;
}
static void remove_credential(const struct credential *c)
static void remove_credential(const struct credential *c, int match_password)
{
struct credential_cache_entry *e;
e = lookup_credential(c);
e = lookup_credential(c, match_password);
if (e)
e->expiration = 0;
}
@ -127,7 +127,7 @@ static void serve_one_client(FILE *in, FILE *out)
if (read_request(in, &c, &action, &timeout) < 0)
/* ignore error */ ;
else if (!strcmp(action.buf, "get")) {
struct credential_cache_entry *e = lookup_credential(&c);
struct credential_cache_entry *e = lookup_credential(&c, 0);
if (e) {
fprintf(out, "username=%s\n", e->item.username);
fprintf(out, "password=%s\n", e->item.password);
@ -151,14 +151,14 @@ static void serve_one_client(FILE *in, FILE *out)
exit(0);
}
else if (!strcmp(action.buf, "erase"))
remove_credential(&c);
remove_credential(&c, 1);
else if (!strcmp(action.buf, "store")) {
if (timeout < 0)
warning("cache client didn't specify a timeout");
else if (!c.username || !c.password)
warning("cache client gave us a partial credential");
else {
remove_credential(&c);
remove_credential(&c, 0);
cache_credential(&c, timeout);
}
}