1. 09 Aug, 2021 1 commit
  2. 07 Jan, 2021 1 commit
  3. 31 Jan, 2020 1 commit
    • fetchhead: strip credentials from remote URL · 93a9044f
      If fetching from an anonymous remote via its URL, then the URL gets
      written into the FETCH_HEAD reference. This is mainly done to give
      valuable context to some commands, like for example git-merge(1), which
      will put the URL into the generated MERGE_MSG. As a result, what gets
      written into FETCH_HEAD may become public in some cases. This is
      especially important considering that URLs may contain credentials, e.g.
      when cloning 'https://foo:bar@example.com/repo' we persist the complete
      URL into FETCH_HEAD and put it without any kind of sanitization into the
      MERGE_MSG. This is obviously bad, as your login data has now just leaked
      as soon as you do git-push(1).
      
      When writing the URL into FETCH_HEAD, upstream git does strip
      credentials first. Let's do the same by trying to parse the remote URL
      as a "real" URL, removing any credentials and then re-formatting the
      URL. In case this fails, e.g. when it's a file path or not a valid URL,
      we just fall back to using the URL as-is without any sanitization. Add
      tests to verify our behaviour.
      Patrick Steinhardt committed
  4. 20 Jul, 2019 1 commit
  5. 22 Jan, 2019 1 commit
  6. 10 Jun, 2018 1 commit
  7. 06 Apr, 2018 1 commit
    • transports: local: fix assert when fetching into repo with symrefs · 6c55fbf3
      When fetching into a repository which has symbolic references via the
      "local" transport we run into an assert. The assert is being triggered
      while we negotiate the packfile between the two repositories. When
      hiding known revisions from the packbuilder revwalk, we unconditionally
      hide all references of the local refdb. In case one of these references
      is a symbolic reference, though, this means we're trying to hide a
      `NULL` OID, which triggers the assert.
      
      Fix the issue by only hiding OID references from the revwalk. Add a test
      to catch this issue in the future.
      Patrick Steinhardt committed
  8. 26 Dec, 2017 2 commits
  9. 19 Nov, 2017 1 commit
  10. 29 Dec, 2016 1 commit
  11. 26 Jun, 2015 1 commit
  12. 25 Jun, 2015 1 commit
  13. 13 May, 2015 2 commits
    • remote: remove url and pushurl from the save logic · 22261344
      As a first step in removing the repository-saving logic, don't allow
      changing the url or push url from a remote object, but change the
      configuration on the configuration immediately.
      Carlos Martín Nieto committed
    • Remove the callbacks struct from the remote · 8f0104ec
      Having the setting be different from calling its actions was not a great
      idea and made for the sake of the wrong convenience.
      
      Instead of that, accept either fetch options, push options or the
      callbacks when dealing with the remote. The fetch options are currently
      only the callbacks, but more options will be moved from setters and
      getters on the remote to the options.
      
      This does mean passing the same struct along the different functions but
      the typical use-case will only call git_remote_fetch() or
      git_remote_push() and so won't notice much difference.
      Carlos Martín Nieto committed
  14. 03 Mar, 2015 1 commit
    • Remove the signature from ref-modifying functions · 659cf202
      The signature for the reflog is not something which changes
      dynamically. Almost all uses will be NULL, since we want for the
      repository's default identity to be used, making it noise.
      
      In order to allow for changing the identity, we instead provide
      git_repository_set_ident() and git_repository_ident() which allow a user
      to override the choice of signature.
      Carlos Martín Nieto committed
  15. 08 Nov, 2014 1 commit
  16. 30 Sep, 2014 1 commit
  17. 05 Sep, 2014 1 commit
  18. 01 Jul, 2014 1 commit
  19. 24 Apr, 2014 1 commit
    • fetchhead: deal with quotes in branch names · bdc82e1c
      The current FETCH_HEAD parsing code assumes that a quote must end the
      branch name. Git however allows for quotes as part of a branch name,
      which causes us to consider the FETCH_HEAD file as invalid.
      
      Instead of searching for a single quote char, search for a quote char
      followed by SP, which is not a valid part of a ref name.
      Carlos Martín Nieto committed
  20. 02 Apr, 2014 1 commit
  21. 14 Nov, 2013 1 commit