credential: treat URL with empty scheme as invalid

Until "credential: refuse to operate when missing host or protocol", Git's credential handling code interpreted URLs with empty scheme to mean "give me credentials matching this host for any protocol". Luckily libcurl does not recognize such URLs (it tries to look for a protocol named "" and fails). Just in case that changes, let's reject them within Git as well. This way, credential_from_url is guaranteed to always produce a "struct credential" with protocol and host set. Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
2020-04-18 20:54:57 -07:00
parent c44088ecc4
commit e7fab62b73
3 changed files with 43 additions and 3 deletions
--- a/credential.c
+++ b/credential.c
@ -357,7 +357,7 @@ int credential_from_url_gently(struct credential *c, const char *url,
 	 *   (3) proto://<user>:<pass>@<host>/...
 	 */
 	proto_end = strstr(url, "://");
-	if (!proto_end) {
+	if (!proto_end || proto_end == url) {
 		if (!quiet)
 			warning(_("url has no scheme: %s"), url);
 		return -1;
@ -382,8 +382,7 @@ int credential_from_url_gently(struct credential *c, const char *url,
 		host = at + 1;
 	}

-	if (proto_end - url > 0)
-		c->protocol = xmemdupz(url, proto_end - url);
+	c->protocol = xmemdupz(url, proto_end - url);
 	c->host = url_decode_mem(host, slash - host);
 	/* Trim leading and trailing slashes from path */
 	while (*slash == '/')