c716fe4bd9
The credential protocol can't represent newlines in values, but URLs can embed percent-encoded newlines in various components. A previous commit taught the low-level writing routines to die() when encountering this, but we can be a little friendlier to the user by detecting them earlier and handling them gracefully. This patch teaches credential_from_url() to notice such components, issue a warning, and blank the credential (which will generally result in prompting the user for a username and password). We blank the whole credential in this case. Another option would be to blank only the invalid component. However, we're probably better off not feeding a partially-parsed URL result to a credential helper. We don't know how a given helper would handle it, so we're better off to err on the side of matching nothing rather than something unexpected. The die() call in credential_write() is _probably_ impossible to reach after this patch. Values should end up in credential structs only by URL parsing (which is covered here), or by reading credential protocol input (which by definition cannot read a newline into a value). But we should definitely keep the low-level check, as it's our final and most accurate line of defense against protocol injection attacks. Arguably it could become a BUG(), but it probably doesn't matter much either way. Note that the public interface of credential_from_url() grows a little more than we need here. We'll use the extra flexibility in a future patch to help fsck catch these cases.
52 lines
1.5 KiB
C
52 lines
1.5 KiB
C
#ifndef CREDENTIAL_H
|
|
#define CREDENTIAL_H
|
|
|
|
#include "string-list.h"
|
|
|
|
struct credential {
|
|
struct string_list helpers;
|
|
unsigned approved:1,
|
|
configured:1,
|
|
quit:1,
|
|
use_http_path:1;
|
|
|
|
char *username;
|
|
char *password;
|
|
char *protocol;
|
|
char *host;
|
|
char *path;
|
|
};
|
|
|
|
#define CREDENTIAL_INIT { STRING_LIST_INIT_DUP }
|
|
|
|
void credential_init(struct credential *);
|
|
void credential_clear(struct credential *);
|
|
|
|
void credential_fill(struct credential *);
|
|
void credential_approve(struct credential *);
|
|
void credential_reject(struct credential *);
|
|
|
|
int credential_read(struct credential *, FILE *);
|
|
void credential_write(const struct credential *, FILE *);
|
|
|
|
/*
|
|
* Parse a url into a credential struct, replacing any existing contents.
|
|
*
|
|
* Ifthe url can't be parsed (e.g., a missing "proto://" component), the
|
|
* resulting credential will be empty but we'll still return success from the
|
|
* "gently" form.
|
|
*
|
|
* If we encounter a component which cannot be represented as a credential
|
|
* value (e.g., because it contains a newline), the "gently" form will return
|
|
* an error but leave the broken state in the credential object for further
|
|
* examination. The non-gentle form will issue a warning to stderr and return
|
|
* an empty credential.
|
|
*/
|
|
void credential_from_url(struct credential *, const char *url);
|
|
int credential_from_url_gently(struct credential *, const char *url, int quiet);
|
|
|
|
int credential_match(const struct credential *have,
|
|
const struct credential *want);
|
|
|
|
#endif /* CREDENTIAL_H */
|