Andrew's git / gitweb.git / diff
?
http.c: don't rewrite the user:passwd string multiple times
authorBrandon Casey <drafnel@gmail.com>
Wed, 19 Jun 2013 02:43:49 +0000 (19:43 -0700)
committerJunio C Hamano <gitster@pobox.com>
Wed, 19 Jun 2013 17:00:26 +0000 (10:00 -0700)
Curl older than 7.17 (RHEL 4.X provides 7.12 and RHEL 5.X provides
7.15) requires that we manage any strings that we pass to it as
pointers. So, we really shouldn't be modifying this strbuf after we
have passed it to curl.

Our interaction with curl is currently safe (before or after this
patch) since the pointer that is passed to curl is never invalidated;
it is repeatedly rewritten with the same sequence of characters but
the strbuf functions never need to allocate a larger string, so the
same memory buffer is reused.

This "guarantee" of safety is somewhat subtle and could be overlooked
by someone who may want to add a more complex handling of the username
and password. So, let's stop modifying this strbuf after we have
passed it to curl, but also leave a note to describe the assumptions
that have been made about username/password lifetime and to draw
attention to the code.

Signed-off-by: Brandon Casey <drafnel@gmail.com>
Acked-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
http.c patch | blob | history
diff --git a/http.c b/http.c
index d9d1aad3be468394e39966c0b45e7e101b387b0c..c02246a78b954569e9c6d5757f7ffe7464e97424 100644 (file)
--- a/http.c
+++ b/http.c
@@ -222,9 +222,15 @@ static void init_curl_http_auth(CURL *result)
 #else
        {
                static struct strbuf up = STRBUF_INIT;
-               strbuf_reset(&up);
-               strbuf_addf(&up, "%s:%s",
-                           http_auth.username, http_auth.password);
+               /*
+                * Note that we assume we only ever have a single set of
+                * credentials in a given program run, so we do not have
+                * to worry about updating this buffer, only setting its
+                * initial value.
+                */
+               if (!up.len)
+                       strbuf_addf(&up, "%s:%s",
+                               http_auth.username, http_auth.password);
                curl_easy_setopt(result, CURLOPT_USERPWD, up.buf);
        }
 #endif