Commit 7a5682f5936b60df71cc482cb32742d4aacacae4

Carlos Martín Nieto 2015-03-03T17:23:01

http: enforce the credential types The user may decide to return any type of credential, including ones we did not say we support. Add a check to make sure the user returned an object of the right type and error out if not.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
diff --git a/src/transports/http.c b/src/transports/http.c
index 807e080..0907afa 100644
--- a/src/transports/http.c
+++ b/src/transports/http.c
@@ -350,6 +350,11 @@ static int on_headers_complete(http_parser *parser)
 				} else {
 					assert(t->cred);
 
+					if (!(t->cred->credtype & allowed_auth_types)) {
+						giterr_set(GITERR_NET, "credentials callback returned an invalid cred type");
+						return t->parse_error = PARSE_ERROR_GENERIC;
+					}
+
 					/* Successfully acquired a credential. */
 					t->parse_error = PARSE_ERROR_REPLAY;
 					return 0;