mirror of
https://github.com/git/git.git
synced 2026-01-09 17:46:37 +00:00
While Git has documented that the credential protocol is line-based, with newlines as terminators, the exact shape of a newline has not been documented.

From Git's perspective, which is firmly rooted in the Linux ecosystem, it is clear that "a newline" means a Line Feed character.

However, even Git's credential protocol respects Windows line endings (a Carriage Return character followed by a Line Feed character, "CR/LF") by virtue of using `strbuf_getline()`.

There is a third category of line endings that has been used originally by MacOS, and that is respected by the default line readers of .NET and node.js: bare Carriage Returns.

Git cannot handle those, and what is worse: Git's remedy against CVE-2020-5260 does not catch when credential helpers are used that interpret bare Carriage Returns as newlines.

Git Credential Manager addressed this as CVE-2024-50338, but other credential helpers may still be vulnerable. So let's not only disallow Line Feed characters as part of the values in the credential protocol, but also disallow Carriage Return characters.

In the unlikely event that a credential helper relies on Carriage Returns in the protocol, introduce an escape hatch via the `credential.protectProtocol` config setting.

This addresses CVE-2024-52006.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
48 lines
1.9 KiB
Plaintext
credential.helper::
	Specify an external helper to be called when a username or
	password credential is needed; the helper may consult external
	storage to avoid prompting the user for the credentials. This is
	normally the name of a credential helper with possible
	arguments, but may also be an absolute path with arguments or, if
	preceded by `!`, shell commands.
+
Note that multiple helpers may be defined. See linkgit:gitcredentials[7]
for details and examples.

credential.useHttpPath::
	When acquiring credentials, consider the "path" component of an http
	or https URL to be important. Defaults to false. See
	linkgit:gitcredentials[7] for more information.

credential.sanitizePrompt::
	By default, user names and hosts that are shown as part of the
	password prompt are not allowed to contain control characters (they
	will be URL-encoded by default). Configure this setting to `false` to
	override that behavior.

credential.protectProtocol::
	By default, Carriage Return characters are not allowed in the protocol
	that is used when Git talks to a credential helper. This setting allows
	users to override this default.

credential.username::
	If no username is set for a network authentication, use this username
	by default. See credential.<context>.* below, and
	linkgit:gitcredentials[7].

credential.<url>.*::
	Any of the credential.* options above can be applied selectively to
	some credentials. For example "credential.https://example.com.username"
	would set the default username only for https connections to
	example.com. See linkgit:gitcredentials[7] for details on how URLs are
	matched.

credentialCache.ignoreSIGHUP::
	Tell git-credential-cache--daemon to ignore SIGHUP, instead of quitting.

credentialStore.lockTimeoutMS::
	The length of time, in milliseconds, for git-credential-store to retry
	when trying to lock the credentials file. Value 0 means not to retry at
	all; -1 means to try indefinitely. Default is 1000 (i.e., retry for
	1s).
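The commit message above explains why a bare Carriage Return in a credential value is dangerous: Git's own reader only treats LF (or CR/LF) as a line terminator, but some helpers' line readers also split on a bare CR, so a value containing one can be parsed by the helper as a different key/value pair than Git sent. The following is an added illustration, not Git's code, showing both halves of the mitigation: the Git side refusing to serialize a value that contains LF, or CR unless the `credential.protectProtocol` escape hatch is disabled, and the helper side reading lines so that a bare CR is data rather than a terminator. The function names `credential_value_is_safe`, `credential_write_item` and `credential_read_line` and the `protect_protocol` flag are assumptions for this example; the sample values are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical Git-side check (not Git's own function): return 1 if value may
 * be sent over the line-based helper protocol, 0 if it must be refused.
 * protect_protocol stands in for the credential.protectProtocol setting: when
 * non-zero (the default) a bare CR is rejected just like an LF, because the
 * default line readers of .NET and node.js treat CR as a line terminator. */
int credential_value_is_safe(const char *value, int protect_protocol)
{
	if (strchr(value, '\n'))
		return 0;	/* LF is always a terminator; never allowed in a value */
	if (protect_protocol && strchr(value, '\r'))
		return 0;	/* CR is only allowed when the escape hatch is set */
	return 1;
}

/* Hypothetical serializer: write "key=value\n" into buf. Returns the number
 * of bytes written, or -1 if the value is unsafe or buf is too small. */
int credential_write_item(char *buf, size_t bufsize, const char *key,
			  const char *value, int protect_protocol)
{
	int n;

	if (!credential_value_is_safe(value, protect_protocol))
		return -1;
	n = snprintf(buf, bufsize, "%s=%s\n", key, value);
	if (n < 0 || (size_t)n >= bufsize)
		return -1;
	return n;
}

/* Hypothetical helper-side reader: copy one protocol line from *in into line
 * (terminator removed), honouring LF and CR/LF but NOT a bare CR, and advance
 * *in past the terminator. Returns the line length, or -1 at end of input or
 * if line is too small. A bare CR therefore stays inside the value instead of
 * starting a new key=value pair. */
int credential_read_line(const char **in, char *line, size_t linesize)
{
	const char *p = *in, *nl;
	size_t len;

	if (!*p)
		return -1;
	nl = strchr(p, '\n');
	len = nl ? (size_t)(nl - p) : strlen(p);
	if (len && p[len - 1] == '\r')
		len--;		/* CR/LF: drop the CR, keep the line */
	if (len >= linesize)
		return -1;
	memcpy(line, p, len);
	line[len] = '\0';
	*in = nl ? nl + 1 : p + strlen(p);
	return (int)len;
}

int main(void)
{
	char buf[64], line[64];
	/* constructed sample: the second value carries a bare CR */
	const char *items[][2] = { { "protocol", "https" }, { "host", "a\rb" } };
	const char *in = "protocol=https\r\nhost=a\rb\n";
	size_t i;

	for (i = 0; i < 2; i++) {
		if (credential_write_item(buf, sizeof buf, items[i][0], items[i][1], 1) < 0)
			printf("refused value for %s (contains CR/LF)\n", items[i][0]);
		else
			printf("sent: %s", buf);
	}
	while (credential_read_line(&in, line, sizeof line) >= 0)
		printf("helper read one line of %zu bytes\n", strlen(line));
	return 0;
}
```

Running the program refuses the `host` value and shows the helper-side reader returning two lines, the second still 8 bytes long because the embedded CR was not treated as a terminator.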