From 2c6fc31e04b32d5a8523cfe69e4495f188e86ec3 Mon Sep 17 00:00:00 2001 From: Jeff King Date: Thu, 18 Dec 2025 07:13:47 -0500 Subject: [PATCH 1/2] t5551: handle trailing slashes in expected cookies output We check in t5551 that curl updates the expected list of cookies after making a request. We do this by telling it to read and write cookies from a particular text file, and then checking that after curl runs, the file has the expected content. However, in the upcoming curl 8.18.0, the output file has changed slightly: curl will canonicalize the paths it writes, due to commit a093c93994 (cookie: only keep and use the canonical cleaned up path, 2025-12-07). In particular, it strips trailing slashes from the paths we see in the cookies.txt file. This doesn't matter to Git, as the cookie handling is all internal to curl. But our test is overly brittle and breaks as a result. We can fix it by matching either format. We'll expect the new format (without trailing slashes) and strip the slashes from curl's output before comparing. That lets us pass with both old and new versions (I tested against curl's 8_17_0 and rc-8_18_0-2 tags, which are respectively before and after the curl change). In theory it might be nice to try to future-proof this test more by looking only for the bits we care about, rather than a byte-wise comparison of the whole file. But after removing comments and blank lines (which we already do), we care about most of what's there. So it's not clear to me what a more liberal test would look like. Given that the format doesn't change all that often, it's probably OK to stop here and see if it ever breaks again. Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- t/t5551-http-fetch-smart.sh | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/t/t5551-http-fetch-smart.sh b/t/t5551-http-fetch-smart.sh index b0d4ea7801..73cf531580 100755 --- a/t/t5551-http-fetch-smart.sh +++ b/t/t5551-http-fetch-smart.sh @@ -333,12 +333,12 @@ test_expect_success 'dumb clone via http-backend respects namespace' ' test_expect_success 'cookies stored in http.cookiefile when http.savecookies set' ' cat >cookies.txt <<-\EOF && - 127.0.0.1 FALSE /smart_cookies/ FALSE 0 othername othervalue + 127.0.0.1 FALSE /smart_cookies FALSE 0 othername othervalue EOF sort >expect_cookies.txt <<-\EOF && - 127.0.0.1 FALSE /smart_cookies/ FALSE 0 othername othervalue - 127.0.0.1 FALSE /smart_cookies/repo.git/ FALSE 0 name value - 127.0.0.1 FALSE /smart_cookies/repo.git/info/ FALSE 0 name value + 127.0.0.1 FALSE /smart_cookies FALSE 0 othername othervalue + 127.0.0.1 FALSE /smart_cookies/repo.git FALSE 0 name value + 127.0.0.1 FALSE /smart_cookies/repo.git/info FALSE 0 name value EOF git config http.cookiefile cookies.txt && git config http.savecookies true && @@ -351,8 +351,11 @@ test_expect_success 'cookies stored in http.cookiefile when http.savecookies set tag -m "foo" cookie-tag && git fetch $HTTPD_URL/smart_cookies/repo.git cookie-tag && - grep "^[^#]" cookies.txt | sort >cookies_stripped.txt && - test_cmp expect_cookies.txt cookies_stripped.txt + # Strip trailing slashes from cookie paths to handle output from both + # old curl ("/smart_cookies/") and new ("/smart_cookies"). + HT=" " && + grep "^[^#]" cookies.txt | sed "s,/$HT,$HT," | sort >cookies_clean.txt && + test_cmp expect_cookies.txt cookies_clean.txt ' test_expect_success 'transfer.hiderefs works over smart-http' ' From 17f4b01da7a4d67d6c22d37904bdbbbddd81b9ac Mon Sep 17 00:00:00 2001 From: Jeff King Date: Thu, 18 Dec 2025 07:18:19 -0500 Subject: [PATCH 2/2] t5563: add missing end-of-line in HTTP header In t5563, we test how various oddly-formatted WWW-Authenticate headers are passed through curl to git's credential subsystem (and ultimately out to credential helpers). One test, "access using basic auth with wwwauth header mixed line-endings" does something odd. It does not mix line endings at all (which must be CRLF according to the RFC anyway), but omits the line ending entirely for the final header! This means that the server produces an incomplete response. We send our final header, and then the newline which is meant to mark the end of headers (and the start of the body) becomes the line ending for that header. And there is no header/body separator in the output at all. Looking at strace, this is what the client reads: recvfrom(9, "WWW-Authenticate: FooBar param1=\"value1\"\r\n \r\n\tparam2=\"value2\"\r\nWWW-Authenticate: Basic realm=\"example.com\"", 16384, 0, NULL, NULL) = 106 recvfrom(9, "\n", 16384, 0, NULL, NULL) = 1 recvfrom(9, "", 16384, 0, NULL, NULL) = 0 The headers themselves are produced from the custom-auth.challenge file we write in the test (which is missing the final CRLF), and then the header/body separator comes from our lib-httpd/nph-custom-auth.sh CGI. (Ignore for a moment that it is producing a bare newline, which I think is a bug; it should be a CRLF but curl is happy with either). Older versions of curl seemed to be OK with the truncated output, but the upcoming 8.18.0 release seems to get confused. Specifically, since 67ae101666 (http: unfold response headers earlier, 2025-12-12) our request to the server fails with insufficient credentials. I traced far enough to see that curl does relay the header back to us, which we then pass to a credential helper, which gives us the correct username/password combination. But on our followup request, curl refuses to send the Authorization header (and so gets an HTTP 401 again). The change in curl's behavior is a bit unexpected, but since we are sending it garbage, it is hard to complain too much. Let's add the missing CRLF to the header. I _think_ this was just an oversight and not the intent of the test. And that the "mixed line-endings" really meant "mixed continuations", since we differ from the previous test in continuing with both space and tab. So I've likewise updated the test title to match that assumption. Signed-off-by: Jeff King Signed-off-by: Junio C Hamano --- t/t5563-simple-http-auth.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/t/t5563-simple-http-auth.sh b/t/t5563-simple-http-auth.sh index 317f33af5a..c1febbae9d 100755 --- a/t/t5563-simple-http-auth.sh +++ b/t/t5563-simple-http-auth.sh @@ -469,7 +469,7 @@ test_expect_success 'access using basic auth with wwwauth header empty continuat EOF ' -test_expect_success 'access using basic auth with wwwauth header mixed line-endings' ' +test_expect_success 'access using basic auth with wwwauth header mixed continuations' ' test_when_finished "per_test_cleanup" && set_credential_reply get <<-EOF && @@ -490,7 +490,7 @@ test_expect_success 'access using basic auth with wwwauth header mixed line-endi printf "id=default response=WWW-Authenticate: FooBar param1=\"value1\"\r\n" >>"$CHALLENGE" && printf "id=default response= \r\n" >>"$CHALLENGE" && printf "id=default response=\tparam2=\"value2\"\r\n" >>"$CHALLENGE" && - printf "id=default response=WWW-Authenticate: Basic realm=\"example.com\"" >>"$CHALLENGE" && + printf "id=default response=WWW-Authenticate: Basic realm=\"example.com\"\r\n" >>"$CHALLENGE" && test_config_global credential.helper test-helper && git ls-remote "$HTTPD_URL/custom_auth/repo.git" &&