From patchwork Wed Jul 31 16:01:15 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ryan Hendrickson X-Patchwork-Id: 13748948 Received: from mail-wm1-f54.google.com (mail-wm1-f54.google.com [209.85.128.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id ECDE212E7E for ; Wed, 31 Jul 2024 16:01:19 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.54 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1722441682; cv=none; b=gNQ3K3jhpAZAJRZ5C2Uz97+jV6ooyQmqWNAZW4h3xTC0Bfr/0MROfSTwW7ezfnif4y6SgoyiVFN8jwVreM/5+8NTtJjIlKH2WdGK+uw5UIi5sNhFcXXmIg+DCAaErT9c7iOoYnBSBRNe8TePkzFUjLZKtft1U2p+RASVtO/ETYs= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1722441682; c=relaxed/simple; bh=nAAhGk2eJu67rFRMBvZ64LQ4doIFz8Zw/qkItqQprWk=; h=Message-Id:In-Reply-To:References:From:Date:Subject:Content-Type: MIME-Version:To:Cc; b=WOGsiz8dzaAiMDcerDiKkmo+iYUR6e/ZoWCpBTumkSnrWumpzVXkfE1CCZO5IxXIMNo7in6bzPN5+C8VZZ+2SdzRDL+QgHN1/Pz6kEiO1LmFp6jnox91cBWQGSTfP7Zq63GK4PBNKNnKg6BLNV8u7aB5sVLegp4cI/fMSk0eoy4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=O4ES8RQC; arc=none smtp.client-ip=209.85.128.54 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="O4ES8RQC" Received: by mail-wm1-f54.google.com with SMTP id 5b1f17b1804b1-428035c0bb2so6638045e9.1 for ; Wed, 31 Jul 2024 09:01:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1722441678; x=1723046478; darn=vger.kernel.org; h=cc:to:mime-version:content-transfer-encoding:fcc:subject:date:from :references:in-reply-to:message-id:from:to:cc:subject:date :message-id:reply-to; bh=vpkxAV2E9M8UuXKD42S2KArpUFdEyr3bWTtTVZilnBs=; b=O4ES8RQCHtUgSHQRnybR7aCrZGGh2Lycv9x8J9w7MTIU4LQK6Dupogw4oOy2hUQLJx Qab1b5q9vihZ6Cmviq+MtkIOGm/43a2NtZuoXyqcLLmD0oAMld/TmQmKFZMfntJixnqp SlynP1HNz4KgGz9xAZnE5U5ZiCgoXhQMYQCY2QEng5tP1CYWpQVzkJtyiEtn/rPfXHUG 4q6KEXQs42GhKuxah5nE9KrIJ6+iTZrJAQnGlt8dSyPounfkArD9mIdmmiZf2VNxA4jh PD7xLCqmnddejJVVVnyOt1utHKKEXpGUgtxCziMQpLdUgl1oyfuZOqNd4GC41Oe+Tyvx V4mA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1722441678; x=1723046478; h=cc:to:mime-version:content-transfer-encoding:fcc:subject:date:from :references:in-reply-to:message-id:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=vpkxAV2E9M8UuXKD42S2KArpUFdEyr3bWTtTVZilnBs=; b=Vy4MLill2PulbQgeMXsJalx/8rRgZNdcXkwHNx6t8onn0/BZ3lwysUf7sFLAUm8aK0 j3/FV4S4UHqEVv3yAGqLNtWTzCUyTjKuypnZ1Y3pRqNq9eVnf13K7Fd2I67Pm8mAoiBZ wffr8v6TwqFApdwvkxxmDvg5ly+BsXG2goFi1iB8s7XhOzinno+KklSNfoXbK32uo5u2 aM+qTyUwlq1C5DPkuySXHjkASMFHG/mJucQ7z092mEKGWuTrkwKOKaYhxNC61PM52Z19 rXmyi6HiMC619+mmpQX3xPugCqRDdHOYpybVQ697QGZhTzruzWtOZhGWRwKzfx+p3lmO 4BYQ== X-Gm-Message-State: AOJu0Yy8C//as3Gz0MFXq9n46uggG6fWFuBp+uY3rYZR2z3QfV59EZ3Q ZZDieYYXWtnw66kkWu8fXy2RWDbl+XOxSsfmA0iWuA0qc79dOXMITY9Qxg== X-Google-Smtp-Source: AGHT+IFioB6+O9BqPFgq9Hkji8Tdq6S+LC0KeTZrkA3vZiE4T9JLwIGMb58qQlfeRst/qp+yB6e/9Q== X-Received: by 2002:a05:6000:18aa:b0:367:89ae:c204 with SMTP id ffacd0b85a97d-36b8c8e5d30mr5160500f8f.12.1722441677426; Wed, 31 Jul 2024 09:01:17 -0700 (PDT) Received: from [127.0.0.1] ([13.74.141.28]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-4282bafc2dbsm25648735e9.40.2024.07.31.09.01.16 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 31 Jul 2024 09:01:17 -0700 (PDT) Message-Id: In-Reply-To: References: Date: Wed, 31 Jul 2024 16:01:15 +0000 Subject: [PATCH v3] http: do not ignore proxy path Fcc: Sent Precedence: bulk X-Mailing-List: git@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 To: git@vger.kernel.org Cc: Ryan Hendrickson , Jeff King , Ryan Hendrickson , Ryan Hendrickson From: Ryan Hendrickson From: Ryan Hendrickson The documentation for `http.proxy` describes that option, and the environment variables it overrides, as supporting "the syntax understood by curl". curl allows SOCKS proxies to use a path to a Unix domain socket, like `socks5h://localhost/path/to/socket.sock`. Git should therefore include, if present, the path part of the proxy URL in what it passes to libcurl. Co-authored-by: Jeff King Signed-off-by: Ryan Hendrickson --- http: do not ignore proxy path Re earlier discussion about regressions, it turns out that curl has only supported this syntax since 2022 [https://curl.se/ch/7.84.0.html]. Earlier versions of curl, if provided an http_proxy that contained a path, would also ignore it. curl didn't seem to consider this a breaking change when the feature was introduced [https://github.com/curl/curl/pull/8668], though; is that a valid argument for Git not to lose sleep over it either? A test has been added, but unfortunately it is not being run on any of GitHub's CI workflows, because the runner images in use all have versions of libcurl that are too old. It works on my machine, but unknown troubles may await someone else. Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-1767%2Frhendric%2Frhendric%2Fhttp-proxy-path-v3 Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-1767/rhendric/rhendric/http-proxy-path-v3 Pull-Request: https://github.com/gitgitgadget/git/pull/1767 Range-diff vs v2: 1: b4715eba5b1 ! 1: 7a58da7102e http: do not ignore proxy path @@ Commit message therefore include, if present, the path part of the proxy URL in what it passes to libcurl. + Co-authored-by: Jeff King Signed-off-by: Ryan Hendrickson ## Documentation/config/http.txt ## @@ http.c: static CURL *get_curl_handle(void) - curl_easy_setopt(result, CURLOPT_PROXY, proxy_auth.host); + strbuf_addstr(&proxy, proxy_auth.host); + if (proxy_auth.path) { -+ int path_is_supported = 0; -+ /* curl_version_info was added in curl 7.10 */ -+#if LIBCURL_VERSION_NUM >= 0x070a00 + curl_version_info_data *ver = curl_version_info(CURLVERSION_NOW); -+ path_is_supported = ver->version_num >= 0x075400; -+#endif -+ if (path_is_supported) { -+ strbuf_addch(&proxy, '/'); -+ strbuf_add_percentencode(&proxy, proxy_auth.path, 0); -+ } else { ++ if (ver->version_num < 0x075400) + die("libcurl 7.84 or later is required to support paths in proxy URLs"); -+ } ++ ++ if (!starts_with(proxy_auth.protocol, "socks")) ++ die("Invalid proxy URL '%s': only SOCKS proxies support paths", ++ curl_http_proxy); ++ ++ if (strcasecmp(proxy_auth.host, "localhost")) ++ die("Invalid proxy URL '%s': host must be localhost if a path is present", ++ curl_http_proxy); ++ ++ strbuf_addch(&proxy, '/'); ++ strbuf_add_percentencode(&proxy, proxy_auth.path, 0); + } + curl_easy_setopt(result, CURLOPT_PROXY, proxy.buf); + strbuf_release(&proxy); @@ http.c: static CURL *get_curl_handle(void) var_override(&curl_no_proxy, getenv("no_proxy")); curl_easy_setopt(result, CURLOPT_NOPROXY, curl_no_proxy); - ## t/socks5-proxy-server/LICENSE (new) ## -@@ -+MIT License -+ -+Copyright (c) 2014 kaimi.io -+ -+Permission is hereby granted, free of charge, to any person obtaining a copy -+of this software and associated documentation files (the "Software"), to deal -+in the Software without restriction, including without limitation the rights -+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -+copies of the Software, and to permit persons to whom the Software is -+furnished to do so, subject to the following conditions: -+ -+The above copyright notice and this permission notice shall be included in all -+copies or substantial portions of the Software. -+ -+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -+SOFTWARE. - - ## t/socks5-proxy-server/README.md (new) ## -@@ -+socks5-proxy-server -+=================== -+ -+This Perl code implements a SOCKS5 proxy server that listens for incoming connections and processes them in separate threads. The server takes three input parameters: `path`, `login`, and `password`. -+ -+When a client attempts to connect to the server, the server checks if the client supports any of the available authentication methods (no authentication or login/password authentication). If a suitable method is found, the server establishes a connection with the target server and begins forwarding data between the client and the target server. -+ -+The code uses the `IO::Select` module for working with sockets and the `threads` module for creating and managing threads. It includes several functions, including: -+ -+- `main`: the main function that creates threads for processing incoming connections. -+- `replenish`: a function that creates additional threads if the number of free threads is less than the specified value. -+- `new_client`: a function that handles incoming client connections and checks if the available authentication methods are supported by the client. -+- `socks_auth`: a function that performs login and password authentication. -+- `handle_client`: a function that establishes a connection with the target server and forwards data between the client and the target server. -+ -+This code includes the use of the following Perl modules: `IO::Select`, `Socket`, `threads`, `threads::shared`. -+ -+To run this code, enter the following command: -+`perl socks5.pl path login password` -+ -+Note that this code is designed for educational purposes and should not be used in production environments without proper modifications and security measures. diff --git a/Documentation/config/http.txt b/Documentation/config/http.txt index 162b33fc52f..a14371b5c96 100644 --- a/Documentation/config/http.txt +++ b/Documentation/config/http.txt @@ -5,8 +5,8 @@ http.proxy:: proxy string with a user name but no password, in which case git will attempt to acquire one in the same way it does for other credentials. See linkgit:gitcredentials[7] for more information. The syntax thus is - '[protocol://][user[:password]@]proxyhost[:port]'. This can be overridden - on a per-remote basis; see remote..proxy + '[protocol://][user[:password]@]proxyhost[:port][/path]'. This can be + overridden on a per-remote basis; see remote..proxy + Any proxy, however configured, must be completely transparent and must not modify, transform, or buffer the request or response in any way. Proxies which diff --git a/http.c b/http.c index 623ed234891..a50ba095889 100644 --- a/http.c +++ b/http.c @@ -1227,6 +1227,7 @@ static CURL *get_curl_handle(void) */ curl_easy_setopt(result, CURLOPT_PROXY, ""); } else if (curl_http_proxy) { + struct strbuf proxy = STRBUF_INIT; if (starts_with(curl_http_proxy, "socks5h")) curl_easy_setopt(result, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5_HOSTNAME); @@ -1265,7 +1266,26 @@ static CURL *get_curl_handle(void) if (!proxy_auth.host) die("Invalid proxy URL '%s'", curl_http_proxy); - curl_easy_setopt(result, CURLOPT_PROXY, proxy_auth.host); + strbuf_addstr(&proxy, proxy_auth.host); + if (proxy_auth.path) { + curl_version_info_data *ver = curl_version_info(CURLVERSION_NOW); + if (ver->version_num < 0x075400) + die("libcurl 7.84 or later is required to support paths in proxy URLs"); + + if (!starts_with(proxy_auth.protocol, "socks")) + die("Invalid proxy URL '%s': only SOCKS proxies support paths", + curl_http_proxy); + + if (strcasecmp(proxy_auth.host, "localhost")) + die("Invalid proxy URL '%s': host must be localhost if a path is present", + curl_http_proxy); + + strbuf_addch(&proxy, '/'); + strbuf_add_percentencode(&proxy, proxy_auth.path, 0); + } + curl_easy_setopt(result, CURLOPT_PROXY, proxy.buf); + strbuf_release(&proxy); + var_override(&curl_no_proxy, getenv("NO_PROXY")); var_override(&curl_no_proxy, getenv("no_proxy")); curl_easy_setopt(result, CURLOPT_NOPROXY, curl_no_proxy); diff --git a/t/socks4-proxy.pl b/t/socks4-proxy.pl new file mode 100644 index 00000000000..4c3a35c0083 --- /dev/null +++ b/t/socks4-proxy.pl @@ -0,0 +1,48 @@ +use strict; +use IO::Select; +use IO::Socket::UNIX; +use IO::Socket::INET; + +my $path = shift; + +unlink($path); +my $server = IO::Socket::UNIX->new(Listen => 1, Local => $path) + or die "unable to listen on $path: $!"; + +$| = 1; +print "ready\n"; + +while (my $client = $server->accept()) { + sysread $client, my $buf, 8; + my ($version, $cmd, $port, $ip) = unpack 'CCnN', $buf; + next unless $version == 4; # socks4 + next unless $cmd == 1; # TCP stream connection + + # skip NUL-terminated id + while (sysread $client, my $char, 1) { + last unless ord($char); + } + + # version(0), reply(5a == granted), port (ignored), ip (ignored) + syswrite $client, "\x00\x5a\x00\x00\x00\x00\x00\x00"; + + my $remote = IO::Socket::INET->new(PeerHost => $ip, PeerPort => $port) + or die "unable to connect to $ip/$port: $!"; + + my $io = IO::Select->new($client, $remote); + while ($io->count) { + for my $fh ($io->can_read(0)) { + for my $pair ([$client, $remote], [$remote, $client]) { + my ($from, $to) = @$pair; + next unless $fh == $from; + + my $r = sysread $from, my $buf, 1024; + if (!defined $r || $r <= 0) { + $io->remove($from); + next; + } + syswrite $to, $buf; + } + } + } +} diff --git a/t/t5564-http-proxy.sh b/t/t5564-http-proxy.sh index bb35b87071d..7fcffba67a2 100755 --- a/t/t5564-http-proxy.sh +++ b/t/t5564-http-proxy.sh @@ -39,4 +39,50 @@ test_expect_success 'clone can prompt for proxy password' ' expect_askpass pass proxuser ' +start_socks() { + mkfifo socks_output && + { + "$PERL_PATH" "$TEST_DIRECTORY/socks4-proxy.pl" "$1" >socks_output & + socks_pid=$! + } && + read line err && + grep -i "SOCKS4 request granted." trace + } || + grep "^fatal: libcurl 7\.84 or later" err + } +' + +test_expect_success SOCKS_PROXY 'stop SOCKS proxy' 'kill "$socks_pid"' + +test_expect_success 'Unix socket requires socks*:' ' + ! git clone -c http.proxy=localhost/path https://example.com/repo.git 2>err && { + grep "^fatal: Invalid proxy URL '\''localhost/path'\'': only SOCKS proxies support paths" err || + grep "^fatal: libcurl 7\.84 or later" err + } +' + +test_expect_success 'Unix socket requires localhost' ' + ! git clone -c http.proxy=socks4://127.0.0.1/path https://example.com/repo.git 2>err && { + grep "^fatal: Invalid proxy URL '\''socks4://127\.0\.0\.1/path'\'': host must be localhost if a path is present" err || + grep "^fatal: libcurl 7\.84 or later" err + } +' + test_done