diff options
| author | Jeff King <peff@peff.net> | 2012-10-31 11:29:16 (GMT) |
|---|---|---|
| committer | Jeff King <peff@peff.net> | 2012-10-31 11:45:13 (GMT) |
| commit | 2e736fd5e94c6fa44ba95d81a5b0ae407b968b78 (patch) | |
| tree | 8a3808b42b50592d9c3eccc05865d3d4c3ba6b48 /remote-curl.c | |
| parent | df126e108b899da133a980e900df39dfe57fcd59 (diff) | |
| download | git-2e736fd5e94c6fa44ba95d81a5b0ae407b968b78.zip git-2e736fd5e94c6fa44ba95d81a5b0ae407b968b78.tar.gz git-2e736fd5e94c6fa44ba95d81a5b0ae407b968b78.tar.bz2 | |
remote-curl: retry failed requests for auth even with gzip
Commit b81401c taught the post_rpc function to retry the
http request after prompting for credentials. However, it
did not handle two cases:
1. If we have a large request, we do not retry. That's OK,
since we would have sent a probe (with retry) already.
2. If we are gzipping the request, we do not retry. That
was considered OK, because the intended use was for
push (e.g., listing refs is OK, but actually pushing
objects is not), and we never gzip on push.
This patch teaches post_rpc to retry even a gzipped request.
This has two advantages:
1. It is possible to configure a "half-auth" state for
fetching, where the set of refs and their sha1s are
advertised, but one cannot actually fetch objects.
This is not a recommended configuration, as it leaks
some information about what is in the repository (e.g.,
an attacker can try brute-forcing possible content in
your repository and checking whether it matches your
branch sha1). However, it can be slightly more
convenient, since a no-op fetch will not require a
password at all.
2. It future-proofs us should we decide to ever gzip more
requests.
Signed-off-by: Jeff King <peff@peff.net>
Diffstat (limited to 'remote-curl.c')
| -rw-r--r-- | remote-curl.c | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/remote-curl.c b/remote-curl.c index 10cd47d..fac2bef 100644 --- a/remote-curl.c +++ b/remote-curl.c @@ -474,6 +474,15 @@ retry: fflush(stderr); } + } else if (gzip_body) { + /* + * If we are looping to retry authentication, then the previous + * run will have set up the headers and gzip buffer already, + * and we just need to send it. + */ + curl_easy_setopt(slot->curl, CURLOPT_POSTFIELDS, gzip_body); + curl_easy_setopt(slot->curl, CURLOPT_POSTFIELDSIZE, gzip_size); + } else if (use_gzip && 1024 < rpc->len) { /* The client backend isn't giving us compressed data so * we can try to deflate it ourselves, this may save on. @@ -530,7 +539,7 @@ retry: curl_easy_setopt(slot->curl, CURLOPT_FILE, rpc); err = run_slot(slot); - if (err == HTTP_REAUTH && !large_request && !use_gzip) + if (err == HTTP_REAUTH && !large_request) goto retry; if (err != HTTP_OK) err = -1; |