diff options
author | Junio C Hamano <gitster@pobox.com> | 2016-10-06 14:53:11 -0700 |
---|---|---|
committer | Junio C Hamano <gitster@pobox.com> | 2016-10-06 14:53:11 -0700 |
commit | fbfe878f9777d4d52e1eaef1fca5170b9efee99a (patch) | |
tree | 089c638e4d1f5ef1130838007cf8cf39929a3269 | |
parent | cb52426d9af9129c052529c5207fc014c38bd46f (diff) | |
parent | 26a7b2342980f2eb46b47122d1d6dfbf13ed4ccb (diff) | |
download | git-fbfe878f9777d4d52e1eaef1fca5170b9efee99a.tar.gz |
Merge branch 'ps/http-gssapi-cred-delegation'
In recent versions of cURL, GSSAPI credential delegation is
disabled by default due to CVE-2011-2192; introduce a configuration
to selectively allow enabling this.
* ps/http-gssapi-cred-delegation:
http: control GSSAPI credential delegation
-rw-r--r-- | Documentation/config.txt | 14 | ||||
-rw-r--r-- | http.c | 37 |
2 files changed, 51 insertions, 0 deletions
diff --git a/Documentation/config.txt b/Documentation/config.txt index e78293b6db..a17947462a 100644 --- a/Documentation/config.txt +++ b/Documentation/config.txt @@ -1736,6 +1736,20 @@ http.emptyAuth:: a username in the URL, as libcurl normally requires a username for authentication. +http.delegation:: + Control GSSAPI credential delegation. The delegation is disabled + by default in libcurl since version 7.21.7. Set parameter to tell + the server what it is allowed to delegate when it comes to user + credentials. Used with GSS/kerberos. Possible values are: ++ +-- +* `none` - Don't allow any delegation. +* `policy` - Delegates if and only if the OK-AS-DELEGATE flag is set in the + Kerberos service ticket, which is a matter of realm policy. +* `always` - Unconditionally allow the server to delegate. +-- + + http.extraHeader:: Pass an additional HTTP header when communicating with a server. If more than one such entry exists, all of them are added as extra @@ -90,6 +90,18 @@ static struct { * here, too */ }; +#if LIBCURL_VERSION_NUM >= 0x071600 +static const char *curl_deleg; +static struct { + const char *name; + long curl_deleg_param; +} curl_deleg_levels[] = { + { "none", CURLGSSAPI_DELEGATION_NONE }, + { "policy", CURLGSSAPI_DELEGATION_POLICY_FLAG }, + { "always", CURLGSSAPI_DELEGATION_FLAG }, +}; +#endif + static struct credential proxy_auth = CREDENTIAL_INIT; static const char *curl_proxyuserpwd; static const char *curl_cookie_file; @@ -323,6 +335,15 @@ static int http_options(const char *var, const char *value, void *cb) return 0; } + if (!strcmp("http.delegation", var)) { +#if LIBCURL_VERSION_NUM >= 0x071600 + return git_config_string(&curl_deleg, var, value); +#else + warning(_("Delegation control is not supported with cURL < 7.22.0")); + return 0; +#endif + } + if (!strcmp("http.pinnedpubkey", var)) { #if LIBCURL_VERSION_NUM >= 0x072c00 return git_config_pathname(&ssl_pinnedkey, var, value); @@ -629,6 +650,22 @@ static CURL *get_curl_handle(void) curl_easy_setopt(result, CURLOPT_HTTPAUTH, CURLAUTH_ANY); #endif +#if LIBCURL_VERSION_NUM >= 0x071600 + if (curl_deleg) { + int i; + for (i = 0; i < ARRAY_SIZE(curl_deleg_levels); i++) { + if (!strcmp(curl_deleg, curl_deleg_levels[i].name)) { + curl_easy_setopt(result, CURLOPT_GSSAPI_DELEGATION, + curl_deleg_levels[i].curl_deleg_param); + break; + } + } + if (i == ARRAY_SIZE(curl_deleg_levels)) + warning("Unknown delegation method '%s': using default", + curl_deleg); + } +#endif + if (http_proactive_auth) init_curl_http_auth(result); |