Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Plaintext credential is exposed in CommandError if Authorization is passed in http.extraHeader #1626

Open
gabloe opened this issue Aug 3, 2023 · 1 comment

Comments

@gabloe
Copy link

gabloe commented Aug 3, 2023

If credentials are passed in the URI, e.g. https://user:[email protected]/bar.git then the credential is properly removed from the cmdline in the exception, but if an authorization header is set via http.extraHeader then the credential is not stripped from the exception.

@Byron
Copy link
Member

Byron commented Aug 4, 2023

I acknowledge this issue tentatively as the issue is related to security, but wish there would be steps that help to reproduce it as well.

A potential fix could use that to setup a test for reproduction, along with the fix.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Development

No branches or pull requests

2 participants