| Message ID | 6426f9c3954866b3fd9259d1a58d2c41dc42e17f.1663865974.git.gitgitgadget@gmail.com (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | d69580498370236a93014e1b1b57685d1709b6c8 |
| Headers | show |
| Series | Correct credential helper discrepancies handling input | expand |
"Matthew John Cheetham via GitGitGadget" <gitgitgadget@gmail.com> writes: > From: Matthew John Cheetham <mjcheetham@outlook.com> > > It is the expectation that credential helpers be liberal in what they > accept and conservative in what they return, to allow for future growth > and evolution of the protocol/interaction. That is nice in principle, and the updated code below may work well with existing "other side of the connection" (codepaths in "git" that asks credential API to talk to the helpers), but I am not sure if this is always a safe thing to do. When we gain a new "command" in the protocol, if we just read it without understanding it, would we open ourselves to a risk of breaking the protocol communication, worst of which may be to deadlock? A new command, when received by a more recent helper that understands how to react to it, may _require_ it to write more than "username" and "password" back to "git" from get_credential(), for example, but the helper with this patch alone, while not complaining about seeing such a new and unknown command, would not know how to compute and write that third thing other than "username" and "password"---would the other side who issued that new command get stuck waiting for us to return the third thing? Worse yet, the new command may expect us to read further in get_credential() (e.g. maybe they will give us a challenge, which may need to be used when yielding the "username" and "password" things), but because we do not even know we need to read, their attempt to write to us may get them stuck, and that is when we are expecting to write to them, easily leading to a deadlock, no? > All of the other helpers (store, cache, osxkeychain, libsecret, > gnome-keyring) except `netrc` currently ignore any credential lines > that are not recognised, whereas the Windows helper (wincred) instead > dies. Is that different from saying "everybody other than netrc and win ignore unknown"? > Fix the discrepancy and ignore unknown lines in the wincred helper. OK. As long as everybody consistently ignores, and possibly opens themselves up consistently to a protocol mismatch issue, it is OK. We will know if that can be a real problem or does not happen in practice. > Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com> > --- > contrib/credential/wincred/git-credential-wincred.c | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git a/contrib/credential/wincred/git-credential-wincred.c b/contrib/credential/wincred/git-credential-wincred.c > index 5091048f9c6..ead6e267c78 100644 > --- a/contrib/credential/wincred/git-credential-wincred.c > +++ b/contrib/credential/wincred/git-credential-wincred.c > @@ -278,8 +278,11 @@ static void read_credential(void) > wusername = utf8_to_utf16_dup(v); > } else if (!strcmp(buf, "password")) > password = utf8_to_utf16_dup(v); > - else > - die("unrecognized input"); > + /* > + * Ignore other lines; we don't know what they mean, but > + * this future-proofs us when later versions of git do > + * learn new lines, and the helpers are updated to match. > + */ > } > }
On Thu, Sep 22, 2022 at 02:19:43PM -0700, Junio C Hamano wrote: > > It is the expectation that credential helpers be liberal in what they > > accept and conservative in what they return, to allow for future growth > > and evolution of the protocol/interaction. > > That is nice in principle, and the updated code below may work well > with existing "other side of the connection" (codepaths in "git" > that asks credential API to talk to the helpers), but I am not sure > if this is always a safe thing to do. > > When we gain a new "command" in the protocol, if we just read it > without understanding it, would we open ourselves to a risk of > breaking the protocol communication, worst of which may be to > deadlock? A new command, when received by a more recent helper that > understands how to react to it, may _require_ it to write more than > "username" and "password" back to "git" from get_credential(), for > example, but the helper with this patch alone, while not complaining > about seeing such a new and unknown command, would not know how to > compute and write that third thing other than "username" and > "password"---would the other side who issued that new command get > stuck waiting for us to return the third thing? Worse yet, the new > command may expect us to read further in get_credential() > (e.g. maybe they will give us a challenge, which may need to be used > when yielding the "username" and "password" things), but because we > do not even know we need to read, their attempt to write to us may > get them stuck, and that is when we are expecting to write to them, > easily leading to a deadlock, no? This open-endedness was an intentional part of the original credential-helper design. Helpers are always "best effort", and it is OK if they ignore a request, or return a partial result. If the sending side really wants to extend the protocol in a way that the other side doesn't act at all (say, they "username" to be used _only_ if the helper also understands a new "foobar" key), then they should be adding the new fields as an atomic unit. I.e., "foobar", "foobar-userame", and so on. And then existing helpers which don't understand the new feature will just ignore it totally. In practice, I think it's not that big a deal either way, because the setup of these helpers is under the control of the user. So if you really want to use "foobar" but a helper doesn't support it, then you'd just remove that helper from your config. -Peff
diff --git a/contrib/credential/wincred/git-credential-wincred.c b/contrib/credential/wincred/git-credential-wincred.c index 5091048f9c6..ead6e267c78 100644 --- a/contrib/credential/wincred/git-credential-wincred.c +++ b/contrib/credential/wincred/git-credential-wincred.c @@ -278,8 +278,11 @@ static void read_credential(void) wusername = utf8_to_utf16_dup(v); } else if (!strcmp(buf, "password")) password = utf8_to_utf16_dup(v); - else - die("unrecognized input"); + /* + * Ignore other lines; we don't know what they mean, but + * this future-proofs us when later versions of git do + * learn new lines, and the helpers are updated to match. + */ } }