[英]Why does HTTP Basic Auth works using `git -c http.extraHeader="Authorization: Basic <base64>"`, but not when putting credentials directly in the URL?
I've the following "dummy" credentials (username and PAT) for accessing a repository:我有以下用于访问存储库的“虚拟”凭据(用户名和 PAT):
bd6164:o6g5xae5fmqeqdbjatdfjichdk55lweq4jxyt2jvwtjuzxdwwgxa
Now, according to MS documentation, I should supply these credentials to git
using git -c http.extraHeader="Authorization: Basic <base64>" ...
, which results in successful authentication.现在,根据 MS 文档,我应该使用
git -c http.extraHeader="Authorization: Basic <base64>" ...
这些凭据提供给git
,这会导致身份验证成功。
However, if I supply these credentials to git
directly in the URL:但是,如果我直接在 URL 中向
git
提供这些凭据:
https://bd6164:o6g5xae5fmqeqdbjatdfjichdk55lweq4jxyt2jvwtjuzxdwwgxa@azuredevops.example.net
then authentication fails.然后身份验证失败。
Normally, when I use git
, I can put my credentials directly in the URL for successful authentication, so why do I experience these inconsistencies?通常,当我使用
git
,我可以将我的凭据直接放在 URL 中以成功进行身份验证,那么为什么我会遇到这些不一致的情况呢? In general, aren't credentials in the URL converted to Base64 and sent in a "Authorization: Basic" HTTP header?通常,URL 中的凭据不是转换为 Base64 并在“授权:基本”HTTP 标头中发送的吗?
Here is the documentation from MS on how to use PAT with git
:以下是 MS 提供的有关如何在
git
使用 PAT 的文档:
https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops&tabs=preview-page#use-a-pat https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops&tabs=preview-page#use-a-pat
Works :作品:
# git -c http.extraHeader="Authorization: Basic YmQ2MTY0Om82ZzV4YWU1Zm1xZXFkYmphdGRmamljaGRrNTVsd2VxNGp4eXQyanZ3dGp1enhkd3dneGE=" clone https://azuredevops.example.net/Main/MyProj/_git/MyRepo
Fails :失败:
# git clone https://bd6164:o6g5xae5fmqeqdbjatdfjichdk55lweq4jxyt2jvwtjuzxdwwgxa@azuredevops.example.net/Main/MyProj/_git/MyRepo
Before Git 2.34 (Q4 2021), sensitive data in the HTTP trace were supposed to be redacted, but we failed to do so in HTTP/2 requests.在 Git 2.34(2021 年第四季度)之前,HTTP 跟踪中的敏感数据应该被编辑,但我们没有在 HTTP/2 请求中这样做。
See commit b66c77a (22 Sep 2021) by Jeff King ( peff
) .请参阅Jeff King (
peff
) 提交的 b66c77a (2021 年 9 月 22 日) 。
(Merged by Junio C Hamano -- gitster
-- in commit 58e2bc4 , 03 Oct 2021) (由Junio C
gitster
合并gitster
提交 58e2bc4,2021年 10 月 3 日)
http
: match headers case-insensitively when redactinghttp
: 编辑时不区分大小写匹配标头Signed-off-by: Jeff King
签字人:Jeff King
When HTTP/2 is in use, we fail to correctly redact "Authorization" (and other) headers in our
GIT_TRACE_CURL
output.使用 HTTP/2 时,我们无法正确编辑
GIT_TRACE_CURL
输出中的“授权”(和其他)标头。We get the headers in our
CURLOPT_DEBUGFUNCTION
callback,curl_trace()
.我们在
CURLOPT_DEBUGFUNCTION
回调curl_trace()
获取标头。
It passes them along tocurl_dump_header()
, which in turn checksredact_sensitive_header()
.它将它们传递给
curl_dump_header()
,后者依次检查redact_sensitive_header()
。
We see the headers as a text buffer like:我们将标题视为文本缓冲区,例如:
Host: ... Authorization: Basic ...
After breaking it into lines, we match each header using
skip_prefix()
.将其分成几行后,我们使用
skip_prefix()
匹配每个标题。
This is case-sensitive, even though HTTP headers are case-insensitive.这是区分大小写的,即使 HTTP 标头不区分大小写。
This has worked reliably in the past because these headers are generated by curl itself, which is predictable in what it sends.这在过去一直很可靠,因为这些标头是由 curl 本身生成的,它发送的内容是可以预测的。
But when HTTP/2 is in use, instead we get a lower-case "authorization:" header, and we fail to match it.
但是当使用 HTTP/2 时,我们会得到一个小写的“authorization:”标头,但我们无法匹配它。
The fix is simple: we should match withskip_iprefix()
.修复很简单:我们应该匹配
skip_iprefix()
。There's one other way to demonstrate the issue (and how I actually found it originally).
还有另一种方法可以证明这个问题(以及我最初是如何发现它的)。
Looking atGIT_TRACE_CURL
output againstgithub.com
, you'll see the unredacted output, even if you didn't sethttp.version
.纵观
GIT_TRACE_CURL
对输出github.com
,你会看到未编辑输出,即使您没有设置http.version
。
That's because setting it is only necessary for curl to send the extra headers in its HTTP/1.1 request that say "Hey, I speak HTTP/2; upgrade if you do, too".这是因为设置它只需要 curl 在其 HTTP/1.1 请求中发送额外的标头,这些标头说“嘿,我说 HTTP/2;如果你也这样做,请升级”。
But for a production site speaking https, the server advertises via ALPN, a TLS extension, that it supports HTTP/2, and the client can immediately start using it.但是对于使用 https 的生产站点,服务器通过 ALPN(一种 TLS 扩展)进行广告,表明它支持 HTTP/2,并且客户端可以立即开始使用它。
It looks like an issue with the interaction of git
, git credential manager, and a server announcing it supports NTLM.它看起来像是
git
、git 凭证管理器和宣布它支持 NTLM 的服务器之间的交互问题。
Found in this issue on github : 在github上的这个问题中找到:
git config credential.authority basic
in git configgit config credential.authority basic
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.