diff options
| author | Jonathan Tan <jonathantanmy@google.com> | 2020-05-11 10:43:10 -0700 |
|---|---|---|
| committer | Junio C Hamano <gitster@pobox.com> | 2020-05-11 11:18:01 -0700 |
| commit | 7167a62b9e2f648adc11411446f876f2458722a5 (patch) | |
| tree | eb0b58dfdde6cd2ad37d1aff90f10ebb41c65f56 /http.c | |
| parent | 373e9bd66e2ba468f490e5e4ec1ccbe47853f8cd (diff) | |
| download | git-7167a62b9e2f648adc11411446f876f2458722a5.tar.gz | |
http, imap-send: stop using CURLOPT_VERBOSE
Whenever GIT_CURL_VERBOSE is set, teach Git to behave as if
GIT_TRACE_CURL=1 and GIT_TRACE_CURL_NO_DATA=1 is set, instead of setting
CURLOPT_VERBOSE.
This is to prevent inadvertent revelation of sensitive data. In
particular, GIT_CURL_VERBOSE redacts neither the "Authorization" header
nor any cookies specified by GIT_REDACT_COOKIES.
Unifying the tracing mechanism also has the future benefit that any
improvements to the tracing mechanism will benefit both users of
GIT_CURL_VERBOSE and GIT_TRACE_CURL, and we do not need to remember to
implement any improvement twice.
Signed-off-by: Jonathan Tan <jonathantanmy@google.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'http.c')
| -rw-r--r-- | http.c | 8 |
1 files changed, 7 insertions, 1 deletions
@@ -804,6 +804,12 @@ static int curl_trace(CURL *handle, curl_infotype type, char *data, size_t size, return 0; } +void http_trace_curl_no_data(void) +{ + trace_override_envvar(&trace_curl, "1"); + trace_curl_data = 0; +} + void setup_curl_trace(CURL *handle) { if (!trace_want(&trace_curl)) @@ -993,7 +999,7 @@ static CURL *get_curl_handle(void) warning(_("Protocol restrictions not supported with cURL < 7.19.4")); #endif if (getenv("GIT_CURL_VERBOSE")) - curl_easy_setopt(result, CURLOPT_VERBOSE, 1L); + http_trace_curl_no_data(); setup_curl_trace(result); if (getenv("GIT_TRACE_CURL_NO_DATA")) trace_curl_data = 0; |