Re: [PATCH] drop unnecessary copying in credential_ask_one
On Thu, Jan 02, 2014 at 11:08:51AM -0800, Junio C Hamano wrote: Jeff King p...@peff.net writes: ... But the test suite, of course, always uses askpass because it cannot rely on accessing a terminal (we'd have to do some magic with lib-terminal, I think). So it doesn't detect the problem in your patch, but I wonder if it is worth applying the patch below anyway, as it makes the test suite slightly more robust. Sounds like a good first step in the right direction. Thanks. I took a brief look at adding real terminal tests for the credential code using our test-terminal/lib-terminal.sh setup. Unfortunately, it falls short of what we need. test-terminal only handles stdout and stderr streams as fake terminals. We could pretty easily add stdin for input, as it uses fork() to work asynchronously. But the credential code does not actually read from stdin. It opens and reads from /dev/tty explicitly. So I think we'd have to actually fake setting up a controlling terminal. And that means magic with setsid() and ioctl(TIOCSCTTY), which in turn sounds like a portability headache. So it's definitely possible under Linux, and probably under most Unixes. But I'm not sure it's worth the effort, given that review already caught the potential bug here. Another option would be to instrument git_terminal_prompt with a mock-terminal interface (say, reading from a file specified in an environment variable). But I really hate polluting the code with test cruft, and it would not actually be testing an interesting segment of the code, anyway. -Peff -- To unsubscribe from this list: send the line unsubscribe git in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH] drop unnecessary copying in credential_ask_one
Jeff King p...@peff.net writes: On Thu, Jan 02, 2014 at 11:08:51AM -0800, Junio C Hamano wrote: Jeff King p...@peff.net writes: ... But the test suite, of course, always uses askpass because it cannot rely on accessing a terminal (we'd have to do some magic with lib-terminal, I think). So it doesn't detect the problem in your patch, but I wonder if it is worth applying the patch below anyway, as it makes the test suite slightly more robust. Sounds like a good first step in the right direction. Thanks. I took a brief look at adding real terminal tests for the credential code using our test-terminal/lib-terminal.sh setup. Unfortunately, it falls short of what we need. test-terminal only handles stdout and stderr streams as fake terminals. We could pretty easily add stdin for input, as it uses fork() to work asynchronously. But the credential code does not actually read from stdin. It opens and reads from /dev/tty explicitly. So I think we'd have to actually fake setting up a controlling terminal. And that means magic with setsid() and ioctl(TIOCSCTTY), which in turn sounds like a portability headache. I wonder if expect has already solved that for us. So it's definitely possible under Linux, and probably under most Unixes. But I'm not sure it's worth the effort, given that review already caught the potential bug here. Another option would be to instrument git_terminal_prompt with a mock-terminal interface (say, reading from a file specified in an environment variable). But I really hate polluting the code with test cruft, and it would not actually be testing an interesting segment of the code, anyway. Agreed. -- To unsubscribe from this list: send the line unsubscribe git in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH] drop unnecessary copying in credential_ask_one
On Tue, Jan 07, 2014 at 11:44:00AM -0800, Junio C Hamano wrote: test-terminal only handles stdout and stderr streams as fake terminals. We could pretty easily add stdin for input, as it uses fork() to work asynchronously. But the credential code does not actually read from stdin. It opens and reads from /dev/tty explicitly. So I think we'd have to actually fake setting up a controlling terminal. And that means magic with setsid() and ioctl(TIOCSCTTY), which in turn sounds like a portability headache. I wonder if expect has already solved that for us. I would not be surprised if it did. Though it introduces its own portability issues, since we cannot depend on having it. But it is probably enough to just test_lazy_prereq EXPECT 'expect --version' or something. I dunno. I have never used expect, do not have it installed, and am not excited about introducing a new tool dependency. But if you want to explore it, be my guest. -Peff -- To unsubscribe from this list: send the line unsubscribe git in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH] drop unnecessary copying in credential_ask_one
Jeff King p...@peff.net writes: ... But the test suite, of course, always uses askpass because it cannot rely on accessing a terminal (we'd have to do some magic with lib-terminal, I think). So it doesn't detect the problem in your patch, but I wonder if it is worth applying the patch below anyway, as it makes the test suite slightly more robust. Sounds like a good first step in the right direction. Thanks. -- 8 -- Subject: use distinct username/password for http auth tests The httpd server we set up to test git's http client code knows about a single account, in which both the username and password are user@host (the unusual use of the @ here is to verify that we handle the character correctly when URL escaped). This means that we may miss a certain class of errors in which the username and password are mixed up internally by git. We can make our tests more robust by having distinct values for the username and password. In addition to tweaking the server passwd file and the client URL, we must teach the askpass harness to accept multiple values. As a bonus, this makes the setup of some tests more obvious; when we are expecting git to ask only about the password, we can seed the username askpass response with a bogus value. Signed-off-by: Jeff King p...@peff.net --- t/lib-httpd.sh| 15 --- t/lib-httpd/passwd| 2 +- t/t5540-http-push.sh | 4 ++-- t/t5541-http-push.sh | 6 +++--- t/t5550-http-fetch.sh | 10 +- t/t5551-http-fetch.sh | 6 +++--- 6 files changed, 26 insertions(+), 17 deletions(-) diff --git a/t/lib-httpd.sh b/t/lib-httpd.sh index c470784..bfdff2a 100644 --- a/t/lib-httpd.sh +++ b/t/lib-httpd.sh @@ -129,7 +129,7 @@ prepare_httpd() { HTTPD_DEST=127.0.0.1:$LIB_HTTPD_PORT HTTPD_URL=$HTTPD_PROTO://$HTTPD_DEST HTTPD_URL_USER=$HTTPD_PROTO://user%40host@$HTTPD_DEST - HTTPD_URL_USER_PASS=$HTTPD_PROTO://user%40host:user%40host@$HTTPD_DEST + HTTPD_URL_USER_PASS=$HTTPD_PROTO://user%40host:pass%40host@$HTTPD_DEST if test -n $LIB_HTTPD_DAV -o -n $LIB_HTTPD_SVN then @@ -217,7 +217,15 @@ setup_askpass_helper() { test_expect_success 'setup askpass helper' ' write_script $TRASH_DIRECTORY/askpass -\EOF echo $TRASH_DIRECTORY/askpass-query askpass: $* - cat $TRASH_DIRECTORY/askpass-response + case $* in + *Username*) + what=user + ;; + *Password*) + what=pass + ;; + esac + cat $TRASH_DIRECTORY/askpass-$what EOF GIT_ASKPASS=$TRASH_DIRECTORY/askpass export GIT_ASKPASS @@ -227,7 +235,8 @@ setup_askpass_helper() { set_askpass() { $TRASH_DIRECTORY/askpass-query - echo $* $TRASH_DIRECTORY/askpass-response + echo $1 $TRASH_DIRECTORY/askpass-user + echo $2 $TRASH_DIRECTORY/askpass-pass } expect_askpass() { diff --git a/t/lib-httpd/passwd b/t/lib-httpd/passwd index f2fbcad..99a34d6 100644 --- a/t/lib-httpd/passwd +++ b/t/lib-httpd/passwd @@ -1 +1 @@ -user@host:nKpa8pZUHx/ic +user@host:xb4E8pqD81KQs diff --git a/t/t5540-http-push.sh b/t/t5540-http-push.sh index 01d0d95..5b0198c 100755 --- a/t/t5540-http-push.sh +++ b/t/t5540-http-push.sh @@ -154,7 +154,7 @@ test_http_push_nonff $HTTPD_DOCUMENT_ROOT_PATH/test_repo.git \ test_expect_success 'push to password-protected repository (user in URL)' ' test_commit pw-user - set_askpass user@host + set_askpass user@host pass@host git push $HTTPD_URL_USER/auth/dumb/test_repo.git HEAD git rev-parse --verify HEAD expect git --git-dir=$HTTPD_DOCUMENT_ROOT_PATH/auth/dumb/test_repo.git \ @@ -168,7 +168,7 @@ test_expect_failure 'user was prompted only once for password' ' test_expect_failure 'push to password-protected repository (no user in URL)' ' test_commit pw-nouser - set_askpass user@host + set_askpass user@host pass@host git push $HTTPD_URL/auth/dumb/test_repo.git HEAD expect_askpass both user@host git rev-parse --verify HEAD expect diff --git a/t/t5541-http-push.sh b/t/t5541-http-push.sh index 470ac54..bfd241e 100755 --- a/t/t5541-http-push.sh +++ b/t/t5541-http-push.sh @@ -274,7 +274,7 @@ test_expect_success 'push over smart http with auth' ' cd $ROOT_PATH/test_repo_clone echo push-auth-test expect test_commit push-auth-test - set_askpass user@host + set_askpass user@host pass@host git push $HTTPD_URL/auth/smart/test_repo.git git --git-dir=$HTTPD_DOCUMENT_ROOT_PATH/test_repo.git \ log -1 --format=%s actual @@ -286,7 +286,7 @@ test_expect_success 'push to auth-only-for-push repo' ' cd $ROOT_PATH/test_repo_clone echo push-half-auth expect test_commit
Re: [PATCH] drop unnecessary copying in credential_ask_one
On Thu, Jan 02, 2014 at 09:06:33AM +0800, Tay Ray Chuan wrote: We were leaking memory in there, as after obtaining a string from git_getpass, we returned a copy of it, yet no one else held the original string, apart from credential_ask_one. I don't think this change is correct by itself. credential_ask_one calls git_prompt. That function in turn calls git_terminal_prompt, which returns a pointer to a static buffer (because it may be backed by the system getpass() implementation). So there is no leak there, and dropping the strdup would be bad (the call to ask for the password would overwrite the value we got for the username). However, git_prompt may also call do_askpass if GIT_ASKPASS is set, and here there is a leak, as we duplicate the buffer. To stop the leak, we need to first harmonize the do_askpass and git_terminal_prompt code paths to either both allocate, or both return a static buffer (and then either strdup or not in the caller, depending on which way we go). It looks like what I originally wrote was correct, as both code paths matched. But then I stupidly broke it with 31b49d9, which failed to notice the static specifier on the strbuf in do_askpass, and started using strbuf_detach. I think this is the simplest fix: -- 8 -- Subject: Revert prompt: clean up strbuf usage This reverts commit 31b49d9b653803e7c7fd18b21c8bdd86e3421668. That commit taught do_askpass to hand ownership of our buffer back to the caller rather than simply return a pointer into our internal strbuf. What it failed to notice, though, was that our internal strbuf is static, because we are trying to emulate the getpass() interface. By handing off ownership, we created a memory leak that cannot be solved. Sometimes git_prompt returns a static buffer from getpass() (or our smarter git_terminal_prompt wrapper), and sometimes it returns an allocated string from do_askpass. Signed-off-by: Jeff King p...@peff.net --- prompt.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/prompt.c b/prompt.c index d851807..d7bb17c 100644 --- a/prompt.c +++ b/prompt.c @@ -22,6 +22,7 @@ static char *do_askpass(const char *cmd, const char *prompt) if (start_command(pass)) return NULL; + strbuf_reset(buffer); if (strbuf_read(buffer, pass.out, 20) 0) err = 1; @@ -38,7 +39,7 @@ static char *do_askpass(const char *cmd, const char *prompt) strbuf_setlen(buffer, strcspn(buffer.buf, \r\n)); - return strbuf_detach(buffer, NULL); + return buffer.buf; } char *git_prompt(const char *prompt, int flags) -- 1.8.5.2.434.g63b1477 Signed-off-by: Tay Ray Chuan rcta...@gmail.com --- credential.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/credential.c b/credential.c index 86397f3..0d02ad8 100644 --- a/credential.c +++ b/credential.c @@ -54,7 +54,7 @@ static char *credential_ask_one(const char *what, struct credential *c) strbuf_release(desc); strbuf_release(prompt); - return xstrdup(r); + return r; } static void credential_getpass(struct credential *c) -- 1.8.5-rc2 -- To unsubscribe from this list: send the line unsubscribe git in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH] drop unnecessary copying in credential_ask_one
On Wed, Jan 01, 2014 at 10:03:30PM -0500, Jeff King wrote: On Thu, Jan 02, 2014 at 09:06:33AM +0800, Tay Ray Chuan wrote: We were leaking memory in there, as after obtaining a string from git_getpass, we returned a copy of it, yet no one else held the original string, apart from credential_ask_one. I don't think this change is correct by itself. credential_ask_one calls git_prompt. That function in turn calls git_terminal_prompt, which returns a pointer to a static buffer (because it may be backed by the system getpass() implementation). So there is no leak there, and dropping the strdup would be bad (the call to ask for the password would overwrite the value we got for the username). By the way, you can see the breakage from your patch pretty easily by testing the terminal input. Disable any credential helper config you have, and then run: GIT_CURL_VERBOSE=1 \ git ls-remote https://github.com/peff/ask-for-auth 21 | perl -lne '/Authorization: Basic (.*)/ and print $1' | openssl base64 -d enter myuser and mypass respectively on the terminal. The result is that we send mypass:mypass to the server. And then double-free the result, which cases glibc to barf. I wondered why we did not see this breakage in test suite. My assumption was that it was simply because our test user has the same username and password. So I fixed that, but to my surprise we still did not detect the problem. The issue is that your patch does the right thing when GIT_ASKPASS is in use, and breaks only when the user types into the terminal. But the test suite, of course, always uses askpass because it cannot rely on accessing a terminal (we'd have to do some magic with lib-terminal, I think). So it doesn't detect the problem in your patch, but I wonder if it is worth applying the patch below anyway, as it makes the test suite slightly more robust. -- 8 -- Subject: use distinct username/password for http auth tests The httpd server we set up to test git's http client code knows about a single account, in which both the username and password are user@host (the unusual use of the @ here is to verify that we handle the character correctly when URL escaped). This means that we may miss a certain class of errors in which the username and password are mixed up internally by git. We can make our tests more robust by having distinct values for the username and password. In addition to tweaking the server passwd file and the client URL, we must teach the askpass harness to accept multiple values. As a bonus, this makes the setup of some tests more obvious; when we are expecting git to ask only about the password, we can seed the username askpass response with a bogus value. Signed-off-by: Jeff King p...@peff.net --- t/lib-httpd.sh| 15 --- t/lib-httpd/passwd| 2 +- t/t5540-http-push.sh | 4 ++-- t/t5541-http-push.sh | 6 +++--- t/t5550-http-fetch.sh | 10 +- t/t5551-http-fetch.sh | 6 +++--- 6 files changed, 26 insertions(+), 17 deletions(-) diff --git a/t/lib-httpd.sh b/t/lib-httpd.sh index c470784..bfdff2a 100644 --- a/t/lib-httpd.sh +++ b/t/lib-httpd.sh @@ -129,7 +129,7 @@ prepare_httpd() { HTTPD_DEST=127.0.0.1:$LIB_HTTPD_PORT HTTPD_URL=$HTTPD_PROTO://$HTTPD_DEST HTTPD_URL_USER=$HTTPD_PROTO://user%40host@$HTTPD_DEST - HTTPD_URL_USER_PASS=$HTTPD_PROTO://user%40host:user%40host@$HTTPD_DEST + HTTPD_URL_USER_PASS=$HTTPD_PROTO://user%40host:pass%40host@$HTTPD_DEST if test -n $LIB_HTTPD_DAV -o -n $LIB_HTTPD_SVN then @@ -217,7 +217,15 @@ setup_askpass_helper() { test_expect_success 'setup askpass helper' ' write_script $TRASH_DIRECTORY/askpass -\EOF echo $TRASH_DIRECTORY/askpass-query askpass: $* - cat $TRASH_DIRECTORY/askpass-response + case $* in + *Username*) + what=user + ;; + *Password*) + what=pass + ;; + esac + cat $TRASH_DIRECTORY/askpass-$what EOF GIT_ASKPASS=$TRASH_DIRECTORY/askpass export GIT_ASKPASS @@ -227,7 +235,8 @@ setup_askpass_helper() { set_askpass() { $TRASH_DIRECTORY/askpass-query - echo $* $TRASH_DIRECTORY/askpass-response + echo $1 $TRASH_DIRECTORY/askpass-user + echo $2 $TRASH_DIRECTORY/askpass-pass } expect_askpass() { diff --git a/t/lib-httpd/passwd b/t/lib-httpd/passwd index f2fbcad..99a34d6 100644 --- a/t/lib-httpd/passwd +++ b/t/lib-httpd/passwd @@ -1 +1 @@ -user@host:nKpa8pZUHx/ic +user@host:xb4E8pqD81KQs diff --git a/t/t5540-http-push.sh b/t/t5540-http-push.sh index 01d0d95..5b0198c 100755 --- a/t/t5540-http-push.sh +++ b/t/t5540-http-push.sh @@ -154,7 +154,7 @@ test_http_push_nonff $HTTPD_DOCUMENT_ROOT_PATH/test_repo.git \ test_expect_success 'push to password-protected repository (user in