From patchwork Fri Nov 11 22:35:05 2022
X-Patchwork-Submitter: Jeff King
X-Patchwork-Id: 13040902
Message-Id: <09194dba8cd3fac72c5a21ad29d3c7cde3efd049.1668206106.git.gitgitgadget@gmail.com>
Date: Fri, 11 Nov 2022 22:35:05 +0000
Subject: [PATCH v3 1/2] t: run t5551 tests with both HTTP and HTTP/2
To: git@vger.kernel.org
Cc: Taylor Blau, Jeff King, Emily Shaffer, Ævar Arnfjörð Bjarmason, Glen Choo, Jeff King
From: Jeff King

From: Jeff King

We have occasionally seen bugs that affect Git running only against an HTTP/2 web server, not an HTTP one. For instance, b66c77a64e (http: match headers case-insensitively when redacting, 2021-09-22). But since we have no test coverage using HTTP/2, we only uncover these bugs in the wild.

That commit gives a recipe for converting our Apache setup to support HTTP/2, but:

- it's not necessarily portable

- we don't want to just test HTTP/2; we really want to do a variety of basic tests for _both_ protocols

This patch handles both problems by running a duplicate of t5551 (labeled as t5559 here) with an alternate-universe setup that enables HTTP/2. So we'll continue to run t5551 as before, but run the same battery of tests again with HTTP/2. If HTTP/2 isn't supported on a given platform, then t5559 should bail during the webserver setup, and gracefully skip all tests (unless GIT_TEST_HTTPD has been changed from "auto" to "yes", where the point is to complain when webserver setup fails).

In theory other http-related test scripts could benefit from the same duplication, but doing t5551 should give us a reasonable check of basic functionality, and would have caught both bugs we've seen in the wild with HTTP/2.

A few notes on the implementation:

- a script enables the server side config by calling enable_http2 before starting the webserver. This avoids even trying to load any HTTP/2 config for t5551 (which is what lets it keep working with regular HTTP even on systems that don't support it). This also sets a prereq which can be used by individual tests.

- As discussed in b66c77a64e, the http2 module isn't compatible with the "prefork" mpm, so we need to pick something else. I chose "event" here, which works on my Debian system, but it's possible there are platforms which would prefer something else. We can adjust that later if somebody finds such a platform.

- The test "large fetch-pack requests can be sent using chunked encoding" makes sure we use a chunked transfer-encoding by looking for that header in the trace. But since HTTP/2 has its own streaming mechanisms, we won't find such a header. We could skip the test entirely by marking it with !HTTP2. But there's some value in making sure that the fetch itself succeeded. So instead, we'll confirm that either we're using HTTP2 _or_ we saw the expected chunked header.

- the redaction tests fail under HTTP/2 with recent versions of curl. This is a bug! I've marked them with !HTTP2 here to skip them under t5559 for the moment. Using test_expect_failure would be more appropriate, but would require a bunch of boilerplate. Since we'll be fixing them momentarily, let's just skip them for now to keep the test suite bisectable, and we can re-enable them in the commit that fixes the bug.

- one alternative layout would be to push most of t5551 into a lib-t5551.sh script, then source it from both t5551 and t5559. Keeping t5551 intact seemed a little simpler, as it's one less level of indirection for people fixing bugs/regressions in the non-HTTP/2 tests.

Signed-off-by: Jeff King
--- t/lib-httpd.sh | 5 +++++ t/lib-httpd/apache.conf | 19 ++++++++++++++++--- t/t5551-http-fetch-smart.sh | 19 ++++++++++++++----- t/t5559-http-fetch-smart-http2.sh | 4 ++++ 4 files changed, 39 insertions(+), 8 deletions(-) create mode 100755 t/t5559-http-fetch-smart-http2.sh diff --git a/t/lib-httpd.sh b/t/lib-httpd.sh index 1f6b9b08d1d..ba9fe36772a 100644 --- a/t/lib-httpd.sh +++ b/t/lib-httpd.sh @@ -174,6 +174,11 @@ prepare_httpd() { fi } +enable_http2 () { + HTTPD_PARA="$HTTPD_PARA -DHTTP2" + test_set_prereq HTTP2 +} + start_httpd() { prepare_httpd >&3 2>&4 diff --git a/t/lib-httpd/apache.conf b/t/lib-httpd/apache.conf index 706799391bd..0294739a77a 100644 --- a/t/lib-httpd/apache.conf +++ b/t/lib-httpd/apache.conf 
@@ -29,6 +29,11 @@ ErrorLog error.log LoadModule setenvif_module modules/mod_setenvif.so + +LoadModule http2_module modules/mod_http2.so +Protocols h2c + + LockFile accept.lock @@ -64,12 +69,20 @@ LockFile accept.lock LoadModule access_compat_module modules/mod_access_compat.so - - LoadModule mpm_prefork_module modules/mod_mpm_prefork.so - LoadModule unixd_module modules/mod_unixd.so + + + + LoadModule mpm_event_module modules/mod_mpm_event.so + + + + + LoadModule mpm_prefork_module modules/mod_mpm_prefork.so + + PassEnv GIT_VALGRIND diff --git a/t/t5551-http-fetch-smart.sh b/t/t5551-http-fetch-smart.sh index 6a38294a476..ad0a0639e6b 100755 --- a/t/t5551-http-fetch-smart.sh +++ b/t/t5551-http-fetch-smart.sh @@ -1,13 +1,19 @@ #!/bin/sh -test_description='test smart fetching over http via http-backend' +: ${HTTP_PROTO:=HTTP} +test_description="test smart fetching over http via http-backend ($HTTP_PROTO)" GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME=main export GIT_TEST_DEFAULT_INITIAL_BRANCH_NAME . ./test-lib.sh . "$TEST_DIRECTORY"/lib-httpd.sh +test "$HTTP_PROTO" = "HTTP/2" && enable_http2 start_httpd +test_expect_success HTTP2 'enable client-side http/2' ' + git config --global http.version HTTP/2 +' + test_expect_success 'setup repository' ' git config push.default matching && echo content >file && @@ -194,7 +200,7 @@ test_expect_success 'redirects send auth to new location' ' expect_askpass both user@host auth/smart/repo.git ' -test_expect_success 'GIT_TRACE_CURL redacts auth details' ' +test_expect_success !HTTP2 'GIT_TRACE_CURL redacts auth details' ' rm -rf redact-auth trace && set_askpass user@host pass@host && GIT_TRACE_CURL="$(pwd)/trace" git clone --bare "$HTTPD_URL/auth/smart/repo.git" redact-auth && 
@@ -206,7 +212,7 @@ test_expect_success 'GIT_TRACE_CURL redacts auth details' ' grep -i "Authorization: Basic " trace ' -test_expect_success 'GIT_CURL_VERBOSE redacts auth details' ' +test_expect_success !HTTP2 'GIT_CURL_VERBOSE redacts auth details' ' rm -rf redact-auth trace && set_askpass user@host pass@host && GIT_CURL_VERBOSE=1 git clone --bare "$HTTPD_URL/auth/smart/repo.git" redact-auth 2>trace && @@ -347,7 +353,10 @@ test_expect_success CMDLINE_LIMIT \ test_expect_success 'large fetch-pack requests can be sent using chunked encoding' ' GIT_TRACE_CURL=true git -c http.postbuffer=65536 \ clone --bare "$HTTPD_URL/smart/repo.git" split.git 2>err && - grep "^=> Send header: Transfer-Encoding: chunked" err + { + test_have_prereq HTTP2 || + grep "^=> Send header: Transfer-Encoding: chunked" err + } ' test_expect_success 'test allowreachablesha1inwant' ' @@ -473,7 +482,7 @@ test_expect_success 'fetch by SHA-1 without tag following' ' --no-tags origin $(cat bar_hash) ' -test_expect_success 'cookies are redacted by default' ' +test_expect_success !HTTP2 'cookies are redacted by default' ' rm -rf clone && echo "Set-Cookie: Foo=1" >cookies && echo "Set-Cookie: Bar=2" >>cookies && diff --git a/t/t5559-http-fetch-smart-http2.sh b/t/t5559-http-fetch-smart-http2.sh new file mode 100755 index 00000000000..9eece71c2c2 --- /dev/null +++ b/t/t5559-http-fetch-smart-http2.sh 
@@ -0,0 +1,4 @@ +#!/bin/sh + +HTTP_PROTO=HTTP/2 +. ./t5551-http-fetch-smart.sh

From patchwork Fri Nov 11 22:35:06 2022
X-Patchwork-Submitter: Glen Choo
X-Patchwork-Id: 13040903
Date: Fri, 11 Nov 2022 22:35:06 +0000
Subject: [PATCH v3 2/2] http: redact curl h2h3 headers in info
To: git@vger.kernel.org
Cc: Taylor Blau, Jeff King, Emily Shaffer, Ævar Arnfjörð Bjarmason, Glen Choo, Glen Choo
From: Glen Choo

From: Glen Choo

With GIT_TRACE_CURL=1 or GIT_CURL_VERBOSE=1, sensitive headers like "Authorization" and "Cookie" get redacted. However, since [1], curl's h2h3 module (invoked when using HTTP/2) also prints headers in its "info", which don't get redacted. For example,

  echo 'github.com TRUE / FALSE 1698960413304 o foo=bar' >cookiefile &&
  GIT_TRACE_CURL=1 GIT_TRACE_CURL_NO_DATA=1 git \
    -c 'http.cookiefile=cookiefile' \
    -c 'http.version=' \
    ls-remote https://github.com/git/git refs/heads/main 2>output &&
  grep 'cookie' output

produces output like:

  23:04:16.920495 http.c:678 == Info: h2h3 [cookie: o=foo=bar]
  23:04:16.920562 http.c:637 => Send header: cookie: o=

Teach http.c to check for h2h3 headers in info and redact them using the existing header redaction logic. This fixes the broken redaction logic that we noted in the previous commit, so mark the redaction tests as passing under HTTP2.

[1] https://github.com/curl/curl/commit/f8c3724aa90472c0e617ddbbc420aa199971eb77

Helped-by: Jeff King
Signed-off-by: Glen Choo
--- http.c | 47 ++++++++++++++++++++++++++++++++----- t/t5551-http-fetch-smart.sh | 6 ++--- 2 files changed, 44 insertions(+), 9 deletions(-) diff --git a/http.c b/http.c index 5d0502f51fd..8a5ba3f4776 100644 --- a/http.c +++ b/http.c 
@@ -560,13 +560,15 @@ static void set_curl_keepalive(CURL *c) } #endif -static void redact_sensitive_header(struct strbuf *header) +/* Return 1 if redactions have been made, 0 otherwise. */ +static int redact_sensitive_header(struct strbuf *header, size_t offset) { + int ret = 0; const char *sensitive_header; if (trace_curl_redact && - (skip_iprefix(header->buf, "Authorization:", &sensitive_header) || - skip_iprefix(header->buf, "Proxy-Authorization:", &sensitive_header))) { + (skip_iprefix(header->buf + offset, "Authorization:", &sensitive_header) || + skip_iprefix(header->buf + offset, "Proxy-Authorization:", &sensitive_header))) { /* The first token is the type, which is OK to log */ while (isspace(*sensitive_header)) sensitive_header++; @@ -575,8 +577,9 @@ static void redact_sensitive_header(struct strbuf *header) /* Everything else is opaque and possibly sensitive */ strbuf_setlen(header, sensitive_header - header->buf); strbuf_addstr(header, " "); + ret = 1; } else if (trace_curl_redact && - skip_iprefix(header->buf, "Cookie:", &sensitive_header)) { + skip_iprefix(header->buf + offset, "Cookie:", &sensitive_header)) { struct strbuf redacted_header = STRBUF_INIT; const char *cookie; @@ -612,6 +615,26 @@ static void redact_sensitive_header(struct strbuf *header) strbuf_setlen(header, sensitive_header - header->buf); strbuf_addbuf(header, &redacted_header); + ret = 1; + } + return ret; +} + +/* Redact headers in info */ +static void redact_sensitive_info_header(struct strbuf *header) +{ + const char *sensitive_header; + + /* + * curl's h2h3 prints headers in info, e.g.: + * h2h3 [: ] + */ + if (trace_curl_redact && + skip_iprefix(header->buf, "h2h3 [", &sensitive_header)) { + if (redact_sensitive_header(header, sensitive_header - header->buf)) { + /* redaction ate our closing bracket */ + strbuf_addch(header, ']'); + } } } 
@@ -629,7 +652,7 @@ static void curl_dump_header(const char *text, unsigned char *ptr, size_t size, for (header = headers; *header; header++) { if (hide_sensitive_header) - redact_sensitive_header(*header); + redact_sensitive_header(*header, 0); strbuf_insertstr((*header), 0, text); strbuf_insertstr((*header), strlen(text), ": "); strbuf_rtrim((*header)); @@ -668,6 +691,18 @@ static void curl_dump_data(const char *text, unsigned char *ptr, size_t size) strbuf_release(&out); } +static void curl_dump_info(char *data, size_t size) +{ + struct strbuf buf = STRBUF_INIT; + + strbuf_add(&buf, data, size); + + redact_sensitive_info_header(&buf); + trace_printf_key(&trace_curl, "== Info: %s", buf.buf); + + strbuf_release(&buf); +} + static int curl_trace(CURL *handle, curl_infotype type, char *data, size_t size, void *userp) { const char *text; @@ -675,7 +710,7 @@ static int curl_trace(CURL *handle, curl_infotype type, char *data, size_t size, switch (type) { case CURLINFO_TEXT: - trace_printf_key(&trace_curl, "== Info: %s", data); + curl_dump_info(data, size); break; case CURLINFO_HEADER_OUT: text = "=> Send header"; diff --git a/t/t5551-http-fetch-smart.sh b/t/t5551-http-fetch-smart.sh index ad0a0639e6b..a2ebce1787b 100755 --- a/t/t5551-http-fetch-smart.sh +++ b/t/t5551-http-fetch-smart.sh @@ -200,7 +200,7 @@ test_expect_success 'redirects send auth to new location' ' expect_askpass both user@host auth/smart/repo.git ' -test_expect_success !HTTP2 'GIT_TRACE_CURL redacts auth details' ' +test_expect_success 'GIT_TRACE_CURL redacts auth details' ' rm -rf redact-auth trace && set_askpass user@host pass@host && GIT_TRACE_CURL="$(pwd)/trace" git clone --bare "$HTTPD_URL/auth/smart/repo.git" redact-auth && 
@@ -212,7 +212,7 @@ test_expect_success !HTTP2 'GIT_TRACE_CURL redacts auth details' ' grep -i "Authorization: Basic " trace ' -test_expect_success !HTTP2 'GIT_CURL_VERBOSE redacts auth details' ' +test_expect_success 'GIT_CURL_VERBOSE redacts auth details' ' rm -rf redact-auth trace && set_askpass user@host pass@host && GIT_CURL_VERBOSE=1 git clone --bare "$HTTPD_URL/auth/smart/repo.git" redact-auth 2>trace && @@ -482,7 +482,7 @@ test_expect_success 'fetch by SHA-1 without tag following' ' --no-tags origin $(cat bar_hash) ' -test_expect_success !HTTP2 'cookies are redacted by default' ' +test_expect_success 'cookies are redacted by default' ' rm -rf clone && echo "Set-Cookie: Foo=1" >cookies && echo "Set-Cookie: Bar=2" >>cookies &&
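
Review bot: `Protocols h2c` in the t/lib-httpd/apache.conf hunk of patch 1/2 limits t5559 to cleartext HTTP/2, while the leak shown in the 2/2 commit message was observed against an https:// URL. If the test server is ever run with TLS, nothing here offers `h2`, so that negotiation path stays untested. Consider `Protocols h2 h2c`, or state in the commit message that TLS-negotiated HTTP/2 is deliberately out of scope.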
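
Review bot: Nothing in patch 1/2 asserts that HTTP/2 was actually spoken: enable_http2 sets the HTTP2 prereq before start_httpd, and in the 'large fetch-pack requests can be sent using chunked encoding' hunk of t/t5551-http-fetch-smart.sh the `test_have_prereq HTTP2 ||` branch then skips the chunked-header grep entirely. If the client quietly falls back to HTTP/1.1, t5559 passes while repeating t5551 with one check fewer. Suggest a test gated on HTTP2 that greps the GIT_TRACE_CURL output for evidence of HTTP/2, so a fallback fails loudly.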
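
Review bot: The comment added above redact_sensitive_header() in the first http.c hunk of patch 2/2 documents the return value but not the new `offset` parameter. Please say that `offset` is where the header name starts inside header->buf, that bytes before it are preserved, and that everything after the redaction point is discarded; redact_sensitive_info_header() depends on exactly that when it re-adds ']'.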
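
Review bot: redact_sensitive_info_header() in the http.c hunk of patch 2/2 keys on the literal prefix "h2h3 [", which is the wording of curl's debug text and not a documented interface. If curl words that line differently in a later release, skip_iprefix() stops matching and the info line is traced with the credential intact, with no error at runtime. Suggest naming the curl commit from the commit message in the code comment, and noting there that the redaction tests under t5559 are the only tripwire for a format change.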