
Git HTTP operations fail with username in URL
Closed, Resolved (Public)

Description

I originally asked this over at Q361 but I'm fairly sure it's a bug at this point so I'm filing it here.

Description

So for example, cloning a git repo hosted on Diffusion with the URL like so:
http://<username>@<our-phabricator-installation-ip>/diffusion/<repo>.git/
It doesn't prompt for password and fails with 403 (I assume because no password was given). However, if the username is omitted from the URL, it prompts for both username and password as normal.

I've noticed this happening for a while but it's never been a blocker. However, now that I'm setting up automated builds for my company I need to find out the root cause of this, since the system (TeamCity and Phabricator plugin) formats URLs like that. Not sure if this is a Phabricator or a Git problem, but seeing as I can't replicate this with GitHub I thought I'd post here first.

Is this a known issue, or is it perhaps a misconfiguration on my part?

Trace

Ran a clone with GIT_CURL_VERBOSE and GIT_TRACE on:

brandon@akcserver:~$ GIT_CURL_VERBOSE=1 GIT_TRACE=1 git clone http://brandon@10.21.7.10/diffusion/23/tct.git/
14:34:11.644314 git.c:351               trace: built-in: git 'clone' 'http://brandon@10.21.7.10/diffusion/23/tct.git/'
Cloning into 'tct'...
14:34:12.712086 run-command.c:336       trace: run_command: 'git-remote-http' 'origin' 'http://brandon@10.21.7.10/diffusion/23/tct.git/'
* Couldn't find host 10.21.7.10 in the .netrc file; using defaults
* Hostname was NOT found in DNS cache
*   Trying 10.21.7.10...
* Connected to 10.21.7.10 (10.21.7.10) port 80 (#0)
> GET /diffusion/23/tct.git/info/refs?service=git-upload-pack HTTP/1.1
User-Agent: git/2.8.1
Host: 10.21.7.10
Accept: */*
Accept-Encoding: gzip
Accept-Language: en-CA, en;q=0.9, *;q=0.8
Pragma: no-cache

* HTTP 1.0, assume close after body
< HTTP/1.0 401 You must log in to access repositories.
< Date: Tue, 12 Apr 2016 21:34:12 GMT
< Server: Apache/2.4.10 (Debian)
< WWW-Authenticate: Basic realm="Phabricator Repositories"
< Content-Length: 43
< Connection: close
< Content-Type: text/html; charset=UTF-8
<
* Closing connection 0
* Issue another request to this URL: 'http://brandon@10.21.7.10/diffusion/23/tct.git/info/refs?service=git-upload-pack'
* Couldn't find host 10.21.7.10 in the .netrc file; using defaults
* NTLM-proxy picked AND auth done set, clear picked!
* Hostname was found in DNS cache
*   Trying 10.21.7.10...
* Connected to 10.21.7.10 (10.21.7.10) port 80 (#1)
* Server auth using Basic with user 'brandon'
> GET /diffusion/23/tct.git/info/refs?service=git-upload-pack HTTP/1.0
Authorization: Basic YnJhbmRvbjo=
User-Agent: git/2.8.1
Host: 10.21.7.10
Accept: */*
Accept-Encoding: gzip
Accept-Language: en-CA, en;q=0.9, *;q=0.8
Pragma: no-cache

* HTTP 1.0, assume close after body
< HTTP/1.0 403 Invalid credentials.
< Date: Tue, 12 Apr 2016 21:34:13 GMT
< Server: Apache/2.4.10 (Debian)
< Content-Length: 24
< Connection: close
< Content-Type: text/html; charset=UTF-8
<
* Closing connection 1
fatal: unable to access 'http://brandon@10.21.7.10/diffusion/23/tct.git/': The requested URL returned error: 403

Configuration

We have an internal server running Debian 8 with Apache for our webserver. Everything's been updated through aptitude on a regular basis (at least once a month). Updated Phabricator (including libphutil and arcanist) on Monday.
I manually built and installed the latest version of Git (2.8.1) seeing as the latest available via Debian stable is significantly older. No noticeable difference.

Reproducing

  1. Create a new Git repository (or use an existing one I guess) on your Phabricator installation
  2. Make sure your local Git installation isn't configured to use any credential helpers
  3. Try to clone it with username in URL (e.g. http://<username>@<your-phabricator-installation>/diffusion/<your-repo-name-or-number>.git/)
  4. Clone should fail without prompting for password
  5. Try without the username (e.g. http://<your-phabricator-installation>/diffusion/<your-repo-name-or-number>.git/)
  6. Git should prompt for username and password
  7. Clone should succeed, assuming the username and password are correct and you have access to the repository in question

Even if it is a misconfiguration on my part, I'd love if someone could confirm that.
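
Added example, not part of the original report: a Python sketch that reads a GIT_CURL_VERBOSE trace like the one above, replaces every Basic Authorization value with <redacted> (the value is only base64, and YnJhbmRvbjo= decodes to "brandon:" with an empty password), and pairs each request with the status it received. The function names and the abridged TRACE sample are assumptions made for illustration.

```python
import base64
import re

# Abridged from the Phabricator trace in the report (request/response lines only).
TRACE = """\
> GET /diffusion/23/tct.git/info/refs?service=git-upload-pack HTTP/1.1
User-Agent: git/2.8.1
< HTTP/1.0 401 You must log in to access repositories.
< WWW-Authenticate: Basic realm="Phabricator Repositories"
> GET /diffusion/23/tct.git/info/refs?service=git-upload-pack HTTP/1.0
Authorization: Basic YnJhbmRvbjo=
User-Agent: git/2.8.1
< HTTP/1.0 403 Invalid credentials.
"""

REQUEST = re.compile(r"^> [A-Z]+ \S+ HTTP/")
STATUS = re.compile(r"^< HTTP/\S+ (\d{3})")
BASIC = re.compile(r"^((?:> )?Authorization:\s*Basic\s+)(\S+)", re.I)


def analyze(trace):
    """Return (redacted_trace, exchanges); an exchange is (user, password_state, status)."""
    redacted, exchanges, current = [], [], None
    for line in trace.splitlines():
        if REQUEST.match(line):
            current = (None, "none")          # new request, no credentials seen yet
        m = BASIC.match(line)
        if m:
            try:
                raw = base64.b64decode(m.group(2), validate=True)
                user, _, password = raw.decode("utf-8", "replace").partition(":")
                current = (user, "set" if password else "empty")
            except ValueError:                # e.g. value already replaced by <redacted>
                current = (None, "undecodable")
            line = m.group(1) + "<redacted>"  # never keep the credential in the output
        s = STATUS.match(line)
        if s and current is not None:
            exchanges.append((*current, int(s.group(1))))
            current = None
        redacted.append(line)
    return "\n".join(redacted), exchanges


def no_prompt_failures(exchanges):
    """Empty-password attempts answered with an error other than 401.

    In the traces on this page git prompts after a 401 and aborts after the 403."""
    return [(user, status) for user, state, status in exchanges
            if state == "empty" and status >= 400 and status != 401]
```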

Event Timeline

What does GIT_CURL_VERBOSE=1 GIT_TRACE=1 look like for GitHub in your environment?

(You may need to censor Authorization header bodies.)

Here it is (not sure if I caught everything that I might need to censor, please let me know if I missed anything):

GIT_CURL_VERBOSE=1 GIT_TRACE=1 git clone https://Grimeh@github.com/Grimeh/TaskEngine.git/
16:47:38.034520 git.c:351               trace: built-in: git 'clone' 'https://Grimeh@github.com/Grimeh/TaskEngine.git/'
Cloning into 'TaskEngine'...
16:47:38.043162 run-command.c:336       trace: run_command: 'git-remote-https' 'origin' 'https://Grimeh@github.com/Grimeh/TaskEngine.git/'
* Couldn't find host github.com in the .netrc file; using defaults
* Hostname was NOT found in DNS cache
*   Trying 192.30.252.120...
* Connected to github.com (192.30.252.120) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
*        subject: businessCategory=Private Organization; 1.3.6.1.4.1.311.60.2.1.3=US; 1.3.6.1.4.1.311.60.2.1.2=Delaware; serialNumber=5157550; street=88 Colin P Kelly, Jr Street; postalCode=94107; C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=github.com
*        start date: 2016-03-10 00:00:00 GMT
*        expire date: 2018-05-17 12:00:00 GMT
*        subjectAltName: github.com matched
*        issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 Extended Validation Server CA
*        SSL certificate verify ok.
> GET /Grimeh/TaskEngine.git/info/refs?service=git-upload-pack HTTP/1.1
User-Agent: git/2.8.1
Host: github.com
Accept: */*
Accept-Encoding: gzip
Accept-Language: en-CA, en;q=0.9, *;q=0.8
Pragma: no-cache

< HTTP/1.1 401 Authorization Required
* Server GitHub Babel 2.0 is not blacklisted
< Server: GitHub Babel 2.0
< Content-Type: text/plain
< Content-Length: 21
< WWW-Authenticate: Basic realm="GitHub"
< X-GitHub-Request-Id: <redacted>
< X-Frame-Options: DENY
<
* Ignoring the response-body
* Connection #0 to host github.com left intact
* Issue another request to this URL: 'https://Grimeh@github.com/Grimeh/TaskEngine.git/info/refs?service=git-upload-pack'
* Couldn't find host github.com in the .netrc file; using defaults
* Found bundle for host github.com: <redacted>
* Re-using existing connection! (#0) with host github.com
* Connected to github.com (192.30.252.120) port 443 (#0)
* Server auth using Basic with user 'Grimeh'
> GET /Grimeh/TaskEngine.git/info/refs?service=git-upload-pack HTTP/1.1
Authorization: Basic <redacted>
User-Agent: git/2.8.1
Host: github.com
Accept: */*
Accept-Encoding: gzip
Accept-Language: en-CA, en;q=0.9, *;q=0.8
Pragma: no-cache

< HTTP/1.1 401 Authorization Required
* Server GitHub Babel 2.0 is not blacklisted
< Server: GitHub Babel 2.0
< Content-Type: text/plain
< Content-Length: 29
* Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm="GitHub"
< X-GitHub-Request-Id: <redacted>
< X-Frame-Options: DENY
<
* Connection #0 to host github.com left intact
Password for 'https://Grimeh@github.com':
* Couldn't find host github.com in the .netrc file; using defaults
* Found bundle for host github.com: <redacted>
* NTLM-proxy picked AND auth done set, clear picked!
* Hostname was found in DNS cache
*   Trying 192.30.252.120...
* Connected to github.com (192.30.252.120) port 443 (#1)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSL re-using session ID
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
*        subject: businessCategory=Private Organization; 1.3.6.1.4.1.311.60.2.1.3=US; 1.3.6.1.4.1.311.60.2.1.2=Delaware; serialNumber=5157550; street=88 Colin P Kelly, Jr Street; postalCode=94107; C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=github.com
*        start date: 2016-03-10 00:00:00 GMT
*        expire date: 2018-05-17 12:00:00 GMT
*        subjectAltName: github.com matched
*        issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 Extended Validation Server CA
*        SSL certificate verify ok.
* Server auth using Basic with user 'Grimeh'
> GET /Grimeh/TaskEngine.git/info/refs?service=git-upload-pack HTTP/1.1
Authorization: Basic <redacted>
User-Agent: git/2.8.1
Host: github.com
Accept: */*
Accept-Encoding: gzip
Accept-Language: en-CA, en;q=0.9, *;q=0.8
Pragma: no-cache

< HTTP/1.1 200 OK
* Server GitHub Babel 2.0 is not blacklisted
< Server: GitHub Babel 2.0
< Content-Type: application/x-git-upload-pack-advertisement
< Transfer-Encoding: chunked
< Expires: Fri, 01 Jan 1980 00:00:00 GMT
< Pragma: no-cache
< Cache-Control: no-cache, max-age=0, must-revalidate
< Vary: Accept-Encoding
< X-GitHub-Request-Id: <redacted>
< X-Frame-Options: DENY
<
* Connection #1 to host github.com left intact
16:47:45.642206 run-command.c:336       trace: run_command: 'fetch-pack' '--stateless-rpc' '--stdin' '--lock-pack' '--thin' '--check-self-contained-and-connected' '--cloning' 'https://Grimeh@github.com/Grimeh/TaskEngine.git/'
16:47:45.649840 exec_cmd.c:120          trace: exec: 'git' 'fetch-pack' '--stateless-rpc' '--stdin' '--lock-pack' '--thin' '--check-self-contained-and-connected' '--cloning' 'https://Grimeh@github.com/Grimeh/TaskEngine.git/'
16:47:45.651132 git.c:351               trace: built-in: git 'fetch-pack' '--stateless-rpc' '--stdin' '--lock-pack' '--thin' '--check-self-contained-and-connected' '--cloning' 'https://Grimeh@github.com/Grimeh/TaskEngine.git/'
* Couldn't find host github.com in the .netrc file; using defaults
* Found bundle for host github.com: 0xde7cf0
* Re-using existing connection! (#1) with host github.com
* Connected to github.com (192.30.252.120) port 443 (#1)
* Server auth using Basic with user 'Grimeh'
> POST /Grimeh/TaskEngine.git/git-upload-pack HTTP/1.1
Authorization: Basic <redacted>
User-Agent: git/2.8.1
Host: github.com
Accept-Encoding: gzip
Content-Type: application/x-git-upload-pack-request
Accept: application/x-git-upload-pack-result
Content-Length: 390

* upload completely sent off: 390 out of 390 bytes
< HTTP/1.1 200 OK
* Server GitHub Babel 2.0 is not blacklisted
< Server: GitHub Babel 2.0
< Content-Type: application/x-git-upload-pack-result
< Transfer-Encoding: chunked
< Expires: Fri, 01 Jan 1980 00:00:00 GMT
< Pragma: no-cache
< Cache-Control: no-cache, max-age=0, must-revalidate
< Vary: Accept-Encoding
< X-GitHub-Request-Id: <redacted>
< X-Frame-Options: DENY
<
remote: Counting objects: 229, done.
16:47:45.892243 run-command.c:336       trace: run_command: 'index-pack' '--stdin' '-v' '--fix-thin' '--keep=fetch-pack 26056 on akcserver' '--check-self-contained-and-connected' '--pack_header=2,229'
16:47:45.898524 exec_cmd.c:120          trace: exec: 'git' 'index-pack' '--stdin' '-v' '--fix-thin' '--keep=fetch-pack 26056 on akcserver' '--check-self-contained-and-connected' '--pack_header=2,229'
16:47:45.899724 git.c:351               trace: built-in: git 'index-pack' '--stdin' '-v' '--fix-thin' '--keep=fetch-pack 26056 on akcserver' '--check-self-contained-and-connected' '--pack_header=2,229'
* Connection #1 to host github.com left intact 102.00 KiB/s
remote: Total 229 (delta 0), reused 0 (delta 0), pack-reused 229
Receiving objects: 100% (229/229), 126.40 KiB | 102.00 KiB/s, done.
Resolving deltas: 100% (134/134), done.
Checking connectivity... 16:47:46.963522 run-command.c:336       trace: run_command: 'rev-list' '--objects' '--stdin' '--not' '--all'
16:47:46.969831 exec_cmd.c:120          trace: exec: 'git' 'rev-list' '--objects' '--stdin' '--not' '--all'
16:47:46.974635 git.c:351               trace: built-in: git 'rev-list' '--objects' '--stdin' '--not' '--all'
done.

By the way, does Phabricator's remarkup have a <spoiler> tag or something to make dumps like that minimised by default? Would be handy to use internally to make task discussion more manageable.

You can put lines=30 or similar after the triple backticks in the header:

A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z

Not 100% sure that's a fix, but I was able to reproduce something that looked similar and that appeared to fix it locally.

Fantastic, applied locally and it works as intended. Thank you! 👍

This should be fixed in HEAD of master. Thanks for the report, let us know if you run into anything else.