From 882d49ca5cb6a584a37ab0266b8720b5b0bf2101 Mon Sep 17 00:00:00 2001 From: Jeff King Date: Wed, 13 Jul 2016 19:36:53 -0400 Subject: push: anonymize URL in status output Commit 47abd85 (fetch: Strip usernames from url's before storing them, 2009-04-17) taught fetch to anonymize URLs. The primary purpose there was to avoid sticking passwords in merge-commit messages, but as a side effect, we also avoid printing them to stderr. The push side does not have the merge-commit problem, but it probably should avoid printing them to stderr. We can reuse the same anonymizing function. Note that for this to come up, the credentials would have to appear either on the command line or in a git config file, neither of which is particularly secure. So people _should_ be switching to using credential helpers instead, which makes this problem go away. But that's no excuse not to improve the situation for people who for whatever reason end up using credentials embedded in the URL. Signed-off-by: Jeff King Signed-off-by: Junio C Hamano diff --git a/t/t5541-http-push-smart.sh b/t/t5541-http-push-smart.sh index fd7d06b..8d08e06 100755 --- a/t/t5541-http-push-smart.sh +++ b/t/t5541-http-push-smart.sh @@ -368,5 +368,12 @@ test_expect_success GPG 'push with post-receive to inspect certificate' ' test_cmp expect "$HTTPD_DOCUMENT_ROOT_PATH/push-cert-status" ' +test_expect_success 'push status output scrubs password' ' + test_commit scrub && + git push --porcelain "$HTTPD_URL_USER_PASS/smart/test_repo.git" >status && + # should have been scrubbed down to vanilla URL + grep "^To $HTTPD_URL/smart/test_repo.git" status +' + stop_httpd test_done diff --git a/transport.c b/transport.c index 198502d..ff1b516 100644 --- a/transport.c +++ b/transport.c @@ -681,8 +681,11 @@ static void print_ok_ref_status(struct ref *ref, int porcelain) static int print_one_push_status(struct ref *ref, const char *dest, int count, int porcelain) { - if (!count) - fprintf(porcelain ? stdout : stderr, "To %s\n", dest); + if (!count) { + char *url = transport_anonymize_url(dest); + fprintf(porcelain ? stdout : stderr, "To %s\n", url); + free(url); + } switch(ref->status) { case REF_STATUS_NONE: -- cgit v0.10.2-6-g49f6 From 68f3c079fe87caab2e116fd9a48bbdedc54be026 Mon Sep 17 00:00:00 2001 From: Jeff King Date: Wed, 20 Jul 2016 05:32:26 -0600 Subject: t5541: fix url scrubbing test when GPG is not set When the GPG prereq is not set, we do not run test 34. That test changes the directory of the test script as a side effect (something we usually frown on, but which matches the style of the rest of this script). When test 35 (the url-scrubbing test) runs, it expects to be in the directory from test 34. If it's not, the test fails; we are in a different sub-repo, our test-commit is built on a different history, and the push becomes a non-fast-forward. We can fix this by unconditionally moving to the directory we expect (again, against our usual style but matching how the rest of the script operates). As an additional protection, let's also switch from "make a new commit and push to master" to just "push to a new branch". We don't care about the branch name; we just want _some_ ref update to trigger the status output. Pushing to a new branch is less likely to run into problems with force-updates, changing the checked-out branch, etc. Signed-off-by: Jeff King Signed-off-by: Junio C Hamano diff --git a/t/t5541-http-push-smart.sh b/t/t5541-http-push-smart.sh index 8d08e06..9593fc1 100755 --- a/t/t5541-http-push-smart.sh +++ b/t/t5541-http-push-smart.sh @@ -369,8 +369,10 @@ test_expect_success GPG 'push with post-receive to inspect certificate' ' ' test_expect_success 'push status output scrubs password' ' - test_commit scrub && - git push --porcelain "$HTTPD_URL_USER_PASS/smart/test_repo.git" >status && + cd "$ROOT_PATH/test_repo_clone" && + git push --porcelain \ + "$HTTPD_URL_USER_PASS/smart/test_repo.git" \ + +HEAD:scrub >status && # should have been scrubbed down to vanilla URL grep "^To $HTTPD_URL/smart/test_repo.git" status ' -- cgit v0.10.2-6-g49f6