diff options
| author | Junio C Hamano <gitster@pobox.com> | 2016-12-19 14:45:31 -0800 |
|---|---|---|
| committer | Junio C Hamano <gitster@pobox.com> | 2016-12-19 14:45:32 -0800 |
| commit | 8a2882f23ecce3a8742743555a408e508d4db806 (patch) | |
| tree | 3e543652bc74d5401d6c3858410ad434ae02451a /remote-curl.c | |
| parent | 73e494f86239b7edcf44f4c185c997b05c0e763b (diff) | |
| parent | cb4d2d35c4622ec2513c1c352d30ff8f9f9cdb9e (diff) | |
| download | git-8a2882f23ecce3a8742743555a408e508d4db806.tar.gz git-8a2882f23ecce3a8742743555a408e508d4db806.tar.xz | |
Merge branch 'jk/http-walker-limit-redirect-2.9'
Transport with dumb http can be fooled into following foreign URLs
that the end user does not intend to, especially with the server
side redirects and http-alternates mechanism, which can lead to
security issues. Tighten the redirection and make it more obvious
to the end user when it happens.
* jk/http-walker-limit-redirect-2.9:
http: treat http-alternates like redirects
http: make redirects more obvious
remote-curl: rename shadowed options variable
http: always update the base URL for redirects
http: simplify update_url_from_redirect
Diffstat (limited to 'remote-curl.c')
| -rw-r--r-- | remote-curl.c | 22 |
1 files changed, 13 insertions, 9 deletions
diff --git a/remote-curl.c b/remote-curl.c index f14c41f4c..28d9d1063 100644 --- a/remote-curl.c +++ b/remote-curl.c @@ -274,7 +274,7 @@ static struct discovery *discover_refs(const char *service, int for_push) struct strbuf effective_url = STRBUF_INIT; struct discovery *last = last_discovery; int http_ret, maybe_smart = 0; - struct http_get_options options; + struct http_get_options http_options; if (last && !strcmp(service, last->service)) return last; @@ -291,15 +291,16 @@ static struct discovery *discover_refs(const char *service, int for_push) strbuf_addf(&refs_url, "service=%s", service); } - memset(&options, 0, sizeof(options)); - options.content_type = &type; - options.charset = &charset; - options.effective_url = &effective_url; - options.base_url = &url; - options.no_cache = 1; - options.keep_error = 1; + memset(&http_options, 0, sizeof(http_options)); + http_options.content_type = &type; + http_options.charset = &charset; + http_options.effective_url = &effective_url; + http_options.base_url = &url; + http_options.initial_request = 1; + http_options.no_cache = 1; + http_options.keep_error = 1; - http_ret = http_get_strbuf(refs_url.buf, &buffer, &options); + http_ret = http_get_strbuf(refs_url.buf, &buffer, &http_options); switch (http_ret) { case HTTP_OK: break; @@ -314,6 +315,9 @@ static struct discovery *discover_refs(const char *service, int for_push) die("unable to access '%s': %s", url.buf, curl_errorstr); } + if (options.verbosity && !starts_with(refs_url.buf, url.buf)) + warning(_("redirecting to %s"), url.buf); + last= xcalloc(1, sizeof(*last_discovery)); last->service = service; last->buf_alloc = strbuf_detach(&buffer, &last->len); |