Issue 3567: Do not generate HTTP passwords with slash
Status:  New
Owner:  ----


Reported by cezarius...@gmail.com, Sep 17, 2015

Affected Version: 2.11.3

What steps will reproduce the problem?
1. Go to Settings -> HTTP Password
2. Generate Password until you get a password that contains a slash ("/")
3. Set up a remote with that password:
git remote set-url origin http://username:password/withslash@gerrit/project
4. Try to push:
git push origin

What is the expected output? What do you see instead?
You will get the following error:
fatal: unable to access 'http://username:password/withslash@gerrit/project' Could not resolve host: username

Please provide any additional information below.
When the password doesn't contain a slash, the command works correctly, so you shouldn't allow slashes.
Sep 28, 2015
Project Member #1 dougk....@gmail.com
An alternative to specifying the password on the command line is to use .netrc (or _netrc on Windows). This has some benefits over simply encoding the password directly in the URI, specifically, .netrc enforces some more strict permissions (.netrc should be read-only to the user, unlike the git configuration files, which normally don't contain any sensitive information and may be readable by multiple people).

More recently, Google has started changing the way they issue passwords to use the Git "http.cookiefile" instead of using .netrc, as the randomly-generated password length became longer -- long enough to cause some problems with libcurl, apparently, as discussed in https://groups.google.com/a/chromium.org/d/msg/chromium-os-dev/uQIZ-ltbwLM/Nx8HCoG52iwJ

There are other tools like git-credential-store or git-credential-cache that do similar things (and even platform-specific versions, such as git-credential-osxkeychain).
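
An added example (not part of the original issue thread or of Gerrit's code): it shows why the URL in the report is parsed with "username" as the host, and two ways to keep the slash from reaching the URL parser: percent-encoding the password, or writing the .netrc entry mentioned in comment #1 with owner-only permissions. The function names are illustrative, and the sketch assumes the password contains no whitespace.

```python
import os
import stat
import tempfile
from urllib.parse import quote, urlsplit


def split_authority(url):
    """Return (userinfo, host) the way an RFC 3986 parser sees the URL."""
    netloc = urlsplit(url).netloc          # the authority ends at the first "/"
    userinfo, at, host = netloc.rpartition("@")
    if not at:
        # No "@" before the first "/": the whole authority is host[:port].
        return None, netloc.split(":", 1)[0]
    return userinfo, host


def remote_url(user, password, host, path, scheme="http"):
    """Build a remote URL with the userinfo percent-encoded ("/" -> %2F)."""
    return "%s://%s:%s@%s/%s" % (
        scheme, quote(user, safe=""), quote(password, safe=""),
        host, path.lstrip("/"))


def write_netrc(path, host, user, password):
    """Write a .netrc entry in a file only its owner can read or write."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("machine %s login %s password %s\n" % (host, user, password))
    os.chmod(path, 0o600)  # also tightens a file that already existed
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    pw = "password/withslash"  # sample value taken from the report
    broken = "http://username:%s@gerrit/project" % pw
    print(split_authority(broken))   # the "@" is now part of the path
    fixed = remote_url("username", pw, "gerrit", "project")
    print(fixed, split_authority(fixed))
    with tempfile.TemporaryDirectory() as d:
        mode = write_netrc(os.path.join(d, ".netrc"), "gerrit", "username", pw)
        print(oct(mode))
```

Git percent-decodes the user name and password it finds in a remote URL, so the encoded form authenticates with the original password; with the .netrc approach the remote URL carries no password at all.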