Re: Https password present in git output

2016-07-13 Thread Jeff King 
On Thu, Jul 14, 2016 at 01:36:52AM +0300, ervion wrote:

> It is in fact the case, that git fetch output is scrubbed, sorry I did not
> notice previously.
> But (on my device: git version 2.9.0 arch linux) git push is not.
> $ git push origin --all

Maybe this?

-- >8 --
Subject: [PATCH] push: anonymize URL in status output

Commit 47abd85 (fetch: Strip usernames from url's before
storing them, 2009-04-17) taught fetch to anonymize URLs.
The primary purpose there was to avoid sticking passwords in
merge-commit messages, but as a side effect, we also avoid
printing them to stderr.

The push side does not have the merge-commit problem, but it
probably should avoid printing them to stderr. We can reuse
the same anonymizing function.

Note that for this to come up, the credentials would have to
appear either on the command line or in a git config file,
neither of which is particularly secure. So people _should_
be switching to using credential helpers instead, which
makes this problem go away. But that's no excuse not to
improve the situation for people who for whatever reason end
up using credentials embedded in the URL.

Signed-off-by: Jeff King 
---
 t/t5541-http-push-smart.sh | 7 +++
 transport.c| 7 +--
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/t/t5541-http-push-smart.sh b/t/t5541-http-push-smart.sh
index fd7d06b..8d08e06 100755
--- a/t/t5541-http-push-smart.sh
+++ b/t/t5541-http-push-smart.sh
@@ -368,5 +368,12 @@ test_expect_success GPG 'push with post-receive to inspect 
certificate' '
test_cmp expect "$HTTPD_DOCUMENT_ROOT_PATH/push-cert-status"
 '
 
+test_expect_success 'push status output scrubs password' '
+   test_commit scrub &&
+   git push --porcelain "$HTTPD_URL_USER_PASS/smart/test_repo.git" >status 
&&
+   # should have been scrubbed down to vanilla URL
+   grep "^To $HTTPD_URL/smart/test_repo.git" status
+'
+
 stop_httpd
 test_done
diff --git a/transport.c b/transport.c
index 095e61f..be4a63e 100644
--- a/transport.c
+++ b/transport.c
@@ -359,8 +359,11 @@ static void print_ok_ref_status(struct ref *ref, int 
porcelain)
 
 static int print_one_push_status(struct ref *ref, const char *dest, int count, 
int porcelain)
 {
-   if (!count)
-   fprintf(porcelain ? stdout : stderr, "To %s\n", dest);
+   if (!count) {
+   char *url = transport_anonymize_url(dest);
+   fprintf(porcelain ? stdout : stderr, "To %s\n", url);
+   free(url);
+   }
 
switch(ref->status) {
case REF_STATUS_NONE:
-- 
2.9.1.356.g3c37bc7

--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Https password present in git output

2016-07-13 Thread ervion 


I completely agree that it is not a head-on-fire kind of problem, there 
are ways to avoid it.

Simply nice to have.

It is in fact the case, that git fetch output is scrubbed, sorry I did 
not notice previously.

But (on my device: git version 2.9.0 arch linux) git push is not.
$ git push origin --all

Results in:
/---/
To https://username:passw...@domeen.com/git/repo.git
   xxx..zzz  master -> master

On 13.07.2016 21:16, Junio C Hamano wrote:
On Wed, Jul 13, 2016 at 11:09 AM, Junio C Hamano  
wrote:

ervion  writes:

Sometimes using ssh is not possible and saving https password in 
plain

text to disk may be desireable
(in case of encrypted disk it would be equivalent security with
caching password in memory).

One possibility for this in git is to save remote in the
https://username:passw...@domain.com/repo.git format.


Wasn't netrc support added exactly because users do not want to do
this?


Interesting. Even with "auth in URL", I seem to get this:

$ git fetch -v -v https://gitster:p...@github.com/git/git  
refs/tags/v2.9.1

From https://github.com/git/git
 * tag   v2.9.1 -> FETCH_HEAD

Notice that "From $URL" has the userinfo (3.2.1 in RFC 3986) scrubbed.

If you are seeing somewhere we forgot to scrub userinfo in a similar 
way in

the output, we should. Where do you see "present in git OUTPUT" as you
said in the subject? What command with what options exactly and in what
part of the output?

Thanks.

--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Https password present in git output

2016-07-13 Thread Dennis Kaarsemaker 
On wo, 2016-07-13 at 20:26 +0300, ervion wrote:
> One possibility for this in git is to save remote in theĀ 
> https://username:passw...@domain.com/repo.git format.

This is not recommended. Git has credential helpers to help you store
passwords outside the git configuration.

Which then makes your original problem go away :)

D.
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Https password present in git output

2016-07-13 Thread Junio C Hamano 
On Wed, Jul 13, 2016 at 11:09 AM, Junio C Hamano  wrote:
> ervion  writes:
>
>> Sometimes using ssh is not possible and saving https password in plain
>> text to disk may be desireable
>> (in case of encrypted disk it would be equivalent security with
>> caching password in memory).
>>
>> One possibility for this in git is to save remote in the
>> https://username:passw...@domain.com/repo.git format.
>
> Wasn't netrc support added exactly because users do not want to do
> this?

Interesting. Even with "auth in URL", I seem to get this:

$ git fetch -v -v https://gitster:p...@github.com/git/git  refs/tags/v2.9.1
>From https://github.com/git/git
 * tag   v2.9.1 -> FETCH_HEAD

Notice that "From $URL" has the userinfo (3.2.1 in RFC 3986) scrubbed.

If you are seeing somewhere we forgot to scrub userinfo in a similar way in
the output, we should. Where do you see "present in git OUTPUT" as you
said in the subject? What command with what options exactly and in what
part of the output?

Thanks.
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Https password present in git output

2016-07-13 Thread Junio C Hamano 
ervion  writes:

> Sometimes using ssh is not possible and saving https password in plain
> text to disk may be desireable
> (in case of encrypted disk it would be equivalent security with
> caching password in memory).
>
> One possibility for this in git is to save remote in the
> https://username:passw...@domain.com/repo.git format.

Wasn't netrc support added exactly because users do not want to do
this?
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Https password present in git output

2016-07-13 Thread ervion 


Sometimes using ssh is not possible and saving https password in plain 
text to disk may be desireable
(in case of encrypted disk it would be equivalent security with caching 
password in memory).


One possibility for this in git is to save remote in the 
https://username:passw...@domain.com/repo.git format.
However, in this case every time you push or pull, the remote address, 
including the plain text password.

That would introduce additional security issiues and is unreasonable?

Wouldn't it make sense to scrabble the password part in remote's url 
before printing it to output?

--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html