зеркало из https://github.com/microsoft/git.git
Merge branch 'ps/http-gssapi-cred-delegation'
In recent versions of cURL, GSSAPI credential delegation is disabled by default due to CVE-2011-2192; introduce a configuration to selectively allow enabling this. * ps/http-gssapi-cred-delegation: http: control GSSAPI credential delegation
Коммит
fbfe878f97
|
@ -1736,6 +1736,20 @@ http.emptyAuth::
|
||||||
a username in the URL, as libcurl normally requires a username for
|
a username in the URL, as libcurl normally requires a username for
|
||||||
authentication.
|
authentication.
|
||||||
|
|
||||||
|
http.delegation::
|
||||||
|
Control GSSAPI credential delegation. The delegation is disabled
|
||||||
|
by default in libcurl since version 7.21.7. Set parameter to tell
|
||||||
|
the server what it is allowed to delegate when it comes to user
|
||||||
|
credentials. Used with GSS/kerberos. Possible values are:
|
||||||
|
+
|
||||||
|
--
|
||||||
|
* `none` - Don't allow any delegation.
|
||||||
|
* `policy` - Delegates if and only if the OK-AS-DELEGATE flag is set in the
|
||||||
|
Kerberos service ticket, which is a matter of realm policy.
|
||||||
|
* `always` - Unconditionally allow the server to delegate.
|
||||||
|
--
|
||||||
|
|
||||||
|
|
||||||
http.extraHeader::
|
http.extraHeader::
|
||||||
Pass an additional HTTP header when communicating with a server. If
|
Pass an additional HTTP header when communicating with a server. If
|
||||||
more than one such entry exists, all of them are added as extra
|
more than one such entry exists, all of them are added as extra
|
||||||
|
|
37
http.c
37
http.c
|
@ -90,6 +90,18 @@ static struct {
|
||||||
* here, too
|
* here, too
|
||||||
*/
|
*/
|
||||||
};
|
};
|
||||||
|
#if LIBCURL_VERSION_NUM >= 0x071600
|
||||||
|
static const char *curl_deleg;
|
||||||
|
static struct {
|
||||||
|
const char *name;
|
||||||
|
long curl_deleg_param;
|
||||||
|
} curl_deleg_levels[] = {
|
||||||
|
{ "none", CURLGSSAPI_DELEGATION_NONE },
|
||||||
|
{ "policy", CURLGSSAPI_DELEGATION_POLICY_FLAG },
|
||||||
|
{ "always", CURLGSSAPI_DELEGATION_FLAG },
|
||||||
|
};
|
||||||
|
#endif
|
||||||
|
|
||||||
static struct credential proxy_auth = CREDENTIAL_INIT;
|
static struct credential proxy_auth = CREDENTIAL_INIT;
|
||||||
static const char *curl_proxyuserpwd;
|
static const char *curl_proxyuserpwd;
|
||||||
static const char *curl_cookie_file;
|
static const char *curl_cookie_file;
|
||||||
|
@ -323,6 +335,15 @@ static int http_options(const char *var, const char *value, void *cb)
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!strcmp("http.delegation", var)) {
|
||||||
|
#if LIBCURL_VERSION_NUM >= 0x071600
|
||||||
|
return git_config_string(&curl_deleg, var, value);
|
||||||
|
#else
|
||||||
|
warning(_("Delegation control is not supported with cURL < 7.22.0"));
|
||||||
|
return 0;
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
if (!strcmp("http.pinnedpubkey", var)) {
|
if (!strcmp("http.pinnedpubkey", var)) {
|
||||||
#if LIBCURL_VERSION_NUM >= 0x072c00
|
#if LIBCURL_VERSION_NUM >= 0x072c00
|
||||||
return git_config_pathname(&ssl_pinnedkey, var, value);
|
return git_config_pathname(&ssl_pinnedkey, var, value);
|
||||||
|
@ -629,6 +650,22 @@ static CURL *get_curl_handle(void)
|
||||||
curl_easy_setopt(result, CURLOPT_HTTPAUTH, CURLAUTH_ANY);
|
curl_easy_setopt(result, CURLOPT_HTTPAUTH, CURLAUTH_ANY);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if LIBCURL_VERSION_NUM >= 0x071600
|
||||||
|
if (curl_deleg) {
|
||||||
|
int i;
|
||||||
|
for (i = 0; i < ARRAY_SIZE(curl_deleg_levels); i++) {
|
||||||
|
if (!strcmp(curl_deleg, curl_deleg_levels[i].name)) {
|
||||||
|
curl_easy_setopt(result, CURLOPT_GSSAPI_DELEGATION,
|
||||||
|
curl_deleg_levels[i].curl_deleg_param);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if (i == ARRAY_SIZE(curl_deleg_levels))
|
||||||
|
warning("Unknown delegation method '%s': using default",
|
||||||
|
curl_deleg);
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
if (http_proactive_auth)
|
if (http_proactive_auth)
|
||||||
init_curl_http_auth(result);
|
init_curl_http_auth(result);
|
||||||
|
|
||||||
|
|
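Review bot: In the last hunk (get_curl_handle) an unrecognised `http.delegation` value only produces a warning and leaves the delegation level to whatever libcurl defaults to, so git itself does not pin the effective level of a credential-forwarding setting. I would make the fallback explicit in the `if (i == ARRAY_SIZE(curl_deleg_levels))` branch with `curl_easy_setopt(result, CURLOPT_GSSAPI_DELEGATION, CURLGSSAPI_DELEGATION_NONE);` and word the warning accordingly, wrapped in `_()` like the one in the `http_options` hunk. The value is also validated only here, by a case-sensitive `strcmp`, rather than where it is parsed, so a typo such as `Always` is presumably reported each time a handle is created instead of once at config time. In the `#else` branch of `http_options` a requested `none` is dropped with a warning while the transfer continues; if the linked libcurl predates the 7.21.7 default mentioned in the documentation hunk, that is probably the opposite of what the user asked for, which the message could state. Both functions start and end outside their hunks.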