Page MenuHomePhabricator

Empty password not handled correctly for Git clone
Closed, ResolvedPublic

Description

Encountering this when attempting to clone without providing a password. This means the Git client gets back a 200 (causing invalid git repository) instead of a 403.

[05-Nov-2013 22:51:41 UTC] [2013-11-05 22:51:41] EXCEPTION: (Exception) Trying to digest empty password! at [/srv/phabricator/phabricator/src/infrastructure/util/PhabricatorHash.php:33]
[05-Nov-2013 22:51:41 UTC]   #0 PhabricatorHash::digestPassword(Object PhutilOpaqueEnvelope, PHID-USER-cqavrovfv3fqflsmgdas) called at [/srv/phabricator/phabricator/src/applications/repository/storage/PhabricatorRepositoryVCSPassword.php:31]
[05-Nov-2013 22:51:41 UTC]   #1 PhabricatorRepositoryVCSPassword::hashPassword(Object PhutilOpaqueEnvelope, Object PhabricatorUser) called at [/srv/phabricator/phabricator/src/applications/repository/storage/PhabricatorRepositoryVCSPassword.php:19]
[05-Nov-2013 22:51:41 UTC]   #2 PhabricatorRepositoryVCSPassword::comparePassword(Object PhutilOpaqueEnvelope, Object PhabricatorUser) called at [/srv/phabricator/phabricator/src/applications/diffusion/controller/DiffusionController.php:562]
[05-Nov-2013 22:51:41 UTC]   #3 DiffusionController::authenticateHTTPRepositoryUser(jamesr, Object PhutilOpaqueEnvelope) called at [/srv/phabricator/phabricator/src/applications/diffusion/controller/DiffusionController.php:75]
[05-Nov-2013 22:51:41 UTC]   #4 DiffusionController::processVCSRequest(P) called at [/srv/phabricator/phabricator/src/applications/diffusion/controller/DiffusionController.php:60]
[05-Nov-2013 22:51:41 UTC]   #5 DiffusionController::willBeginExecution() called at [/srv/phabricator/phabricator/webroot/index.php:72]

I have also observed my Git client just hitting /info/refs without any ?service= option. Adding:

} else if (strpos($_SERVER['HTTP_USER_AGENT'], "git/") === 0) {
  $vcs = PhabricatorRepositoryType::REPOSITORY_TYPE_GIT;

to the VCS detection (right after the $request->getExists('__vcs__')) ensured that the Git logic was hit regardless of what URL or query parameters were accessed.

Event Timeline

Unknown Object (User) created this task.Nov 5 2013, 10:57 PM
Unknown Object (User) assigned this task to epriestley.
Unknown Object (User) raised the priority of this task from to Needs Triage.
Unknown Object (User) updated the task description. (Show Details)
Unknown Object (User) added a project: Phabricator.
Unknown Object (User) added a subscriber: hach-que.
Unknown Object (User) added a subscriber: Unknown Object (User).

Yeah:

  • Exception page should probably be HTTP 500, not 200.
  • We shouldn't try to validate empty passwords.