Commit 28841241745bdc30be0ef78235f3c4ba38345590

Edward Thomson 2021-08-05T08:12:28

http: don't require a password Attempt authentication when a username is presented but a password is not; this can happen in particular when users are doing token authentication and specifying the token in the URL itself. For example, `https://token@host/` is a valid URI and should be treated as a username of `token` with an empty password.

diff --git a/src/transports/http.c b/src/transports/http.c
index 4538dd1..9871be5 100644
--- a/src/transports/http.c
+++ b/src/transports/http.c
@@ -104,6 +104,11 @@ static int apply_url_credentials(
 	const char *username,
 	const char *password)
 {
+	GIT_ASSERT_ARG(username);
+
+	if (!password)
+		password = "";
+
 	if (allowed_types & GIT_CREDENTIAL_USERPASS_PLAINTEXT)
 		return git_credential_userpass_plaintext_new(cred, username, password);
 
@@ -138,8 +143,7 @@ static int handle_auth(
 	/* Start with URL-specified credentials, if there were any. */
 	if ((allowed_credtypes & GIT_CREDENTIAL_USERPASS_PLAINTEXT) &&
 	    !server->url_cred_presented &&
-	    server->url.username &&
-	    server->url.password) {
+	    server->url.username) {
 		error = apply_url_credentials(&server->cred, allowed_credtypes, server->url.username, server->url.password);
 		server->url_cred_presented = 1;