Mirror of https://git.kernel.org/pub/scm/git/git.git/ https://www.git.shady.money/git/atom?h=v2.5.4 2015-09-28T22:33:56Z 2015-09-28T22:33:56Z Junio C Hamano gitster@pobox.com 2015-09-28T22:33:56Z urn:sha1:11a458befcd7662fbe6d2d53c76d49ae2b0fe219 2015-09-28T22:28:31Z Junio C Hamano gitster@pobox.com 2015-09-28T22:28:26Z urn:sha1:6343e2f6f271cf344ea8e7384342502faecaf37c 2015-09-25T22:32:28Z Blake Burkhart bburky@bburky.com 2015-09-22T22:06:20Z urn:sha1:b258116462399b318c86165c61a5c7123043cfd4 By default, libcurl will follow circular http redirects forever. Let's put a cap on this so that somebody who can trigger an automated fetch of an arbitrary repository (e.g., for CI) cannot convince git to loop infinitely. The value chosen is 20, which is the same default that Firefox uses. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2015-09-25T22:30:39Z Blake Burkhart bburky@bburky.com 2015-09-22T22:06:04Z urn:sha1:f4113cac0c88b4f36ee6f3abf3218034440a68e3 Previously, libcurl would follow redirection to any protocol it was compiled for support with. This is desirable to allow redirection from HTTP to HTTPS. However, it would even successfully allow redirection from HTTP to SFTP, a protocol that git does not otherwise support at all. Furthermore git's new protocol-whitelisting could be bypassed by following a redirect within the remote helper, as it was only enforced at transport selection time. This patch limits redirects within libcurl to HTTP, HTTPS, FTP and FTPS. If there is a protocol-whitelist present, this list is limited to those also allowed by the whitelist. As redirection happens from within libcurl, it is impossible for an HTTP redirect to a protocol implemented within another remote helper. When the curl version git was compiled with is too old to support restrictions on protocol redirection, we warn the user if GIT_ALLOW_PROTOCOL restrictions were requested. This is a little inaccurate, as even without that variable in the environment, we would still restrict SFTP, etc, and we do not warn in that case. But anything else means we would literally warn every time git accesses an http remote. This commit includes a test, but it is not as robust as we would hope. It redirects an http request to ftp, and checks that curl complained about the protocol, which means that we are relying on curl's specific error message to know what happened. Ideally we would redirect to a working ftp server and confirm that we can clone without protocol restrictions, and not with them. But we do not have a portable way of providing an ftp server, nor any other protocol that curl supports (https is the closest, but we would have to deal with certificates). [jk: added test and version warning] Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2015-07-13T21:00:24Z Junio C Hamano gitster@pobox.com 2015-07-13T21:00:24Z urn:sha1:0e521a41b526f6dbde76030ca7e7c1107115c120 We used to ask libCURL to use the most secure authentication method available when talking to an HTTP proxy only when we were told to talk to one via configuration variables. We now ask libCURL to always use the most secure authentication method, because the user can tell libCURL to use an HTTP proxy via an environment variable without using configuration variables. * et/http-proxyauth: http: always use any proxy auth method available 2015-06-29T16:57:43Z Enrique Tobis Enrique.Tobis@twosigma.com 2015-06-26T18:19:04Z urn:sha1:5841520b034ab08f132f7d066a19163a9e3d4c07 We set CURLOPT_PROXYAUTH to use the most secure authentication method available only when the user has set configuration variables to specify a proxy. However, libcurl also supports specifying a proxy through environment variables. In that case libcurl defaults to only using the Basic proxy authentication method, because we do not use CURLOPT_PROXYAUTH. Set CURLOPT_PROXYAUTH to always use the most secure authentication method available, even when there is no git configuration telling us to use a proxy. This allows the user to use environment variables to configure a proxy that requires an authentication method different from Basic. Signed-off-by: Enrique A. Tobis <etobis@twosigma.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2015-05-22T19:41:45Z Junio C Hamano gitster@pobox.com 2015-05-22T19:41:45Z urn:sha1:39fa79178feb1ce72050ebd21b9e34f158e8befa Introduce http.<url>.SSLCipherList configuration variable to tweak the list of cipher suite to be used with libcURL when talking with https:// sites. * ls/http-ssl-cipher-list: http: add support for specifying an SSL cipher list 2015-05-08T17:56:26Z Lars Kellogg-Stedman lars@redhat.com 2015-05-08T13:22:15Z urn:sha1:f6f2a9e42d14e61429af418d8038aa67049b3821 Teach git about a new option, "http.sslCipherList", which permits one to specify a list of ciphers to use when negotiating SSL connections. The setting can be overwridden by the GIT_SSL_CIPHER_LIST environment variable. Signed-off-by: Lars Kellogg-Stedman <lars@redhat.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2015-03-24T19:36:10Z Stefan Beller sbeller@google.com 2015-03-21T00:28:06Z urn:sha1:826aed50cbb072d8f159e4c8ba0f9bd3df21a234 The cleanup function is used in 4 places now and it's always safe to free up the memory as well. Signed-off-by: Stefan Beller <sbeller@google.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2015-03-06T23:02:25Z Junio C Hamano gitster@pobox.com 2015-03-06T23:02:24Z urn:sha1:74c91d1f7a1e7848a3614c1c5031755bfa5e80e1 Compilation fix for a recent topic in 'master'. * ye/http-accept-language: gettext.c: move get_preferred_languages() from http.c