Bitbucket Data Center: BSERV-13386

Since Curl 7.83.0 http redirect on mirrors strips out authentication headers


Details

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Low
    • Fix Version/s: None
    • Affects Version/s: 7.12.1, 7.18.4, 7.19.5, 7.20.2, 8.1.0, 8.2.0, 8.0.1, 7.6.16, 7.17.9
    • Component/s: Smart Mirroring

    Description

      Issue Summary

      Since https://curl.se/docs/CVE-2022-27776.html was fixed in curl 7.83.0, curl strips header information when it follows a redirect. As a result, a push to a mirror node that authenticates with a token loses its Authorization header when the mirror redirects the request to the upstream, and the redirected request is answered with a prompt for basic-auth credentials.

      Because this is driven by the curl version on the client side, it affects all versions of Bitbucket.

      This is reproducible on Data Center: yes

      Steps to Reproduce

      1. Create a token on a repo with write permissions.
      2. Push to that repo through the mirror, passing the token as an extra header:
         `git -c http.extraHeader='Authorization: Bearer <token>' push <mirror base url>/mirror/scm/<project>/<repo>.git`

      Expected Results

      The request should be sent to the upstream with authentication

      Actual Results

      The request is redirected to the upstream without authentication.
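The following diagnostic is an added example, not code from the issue or from Atlassian. It predicts, from the client's `curl --version` output and the mirror and upstream URLs, whether a push authenticated through `http.extraHeader` will reach the upstream without its Authorization header. The rule it encodes is a simplification of mine: from curl 7.83.0 on (the release named in the issue), a custom Authorization header is dropped whenever the redirect target's host or port differs from the original request's; earlier curl is modelled as forwarding the header, which is what the 7.82.0 workaround relies on. The hostnames and paths are constructed placeholders.

```python
# Added example (not part of BSERV-13386): predict whether a mirror push
# loses its Authorization header on the redirect to the upstream.
import re
import subprocess
from typing import Tuple
from urllib.parse import urlsplit

# curl release that fixed CVE-2022-27776 (taken from the issue above).
STRIP_SINCE: Tuple[int, int, int] = (7, 83, 0)

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_curl_version(version_output: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch) from the first line of `curl --version`."""
    match = re.match(r"curl\s+(\d+)\.(\d+)\.(\d+)", version_output.strip())
    if not match:
        raise ValueError("unrecognised `curl --version` output")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def origin_of(url: str) -> Tuple[str, int]:
    """(host, port) of a URL, filling in the scheme's default port."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(parts.scheme.lower(), 0)
    return (host, port)


def authorization_survives_redirect(curl_version, from_url: str, to_url: str) -> bool:
    """Model (mine, not curl's code): from 7.83.0 on a custom Authorization
    header is dropped when the redirect changes host or port. Older curl is
    modelled as forwarding it; its exact pre-7.83.0 behaviour is not modelled."""
    if tuple(curl_version) < STRIP_SINCE:
        return True
    return origin_of(from_url) == origin_of(to_url)


def diagnose(version_output: str, mirror_push_url: str, upstream_url: str) -> str:
    """Human-readable verdict for a given client and mirror/upstream pair."""
    version = parse_curl_version(version_output)
    if authorization_survives_redirect(version, mirror_push_url, upstream_url):
        return "ok: Authorization header will be forwarded to the upstream"
    return ("affected: curl %d.%d.%d drops the Authorization header on the mirror "
            "redirect; use SSH or downgrade curl to 7.82.0" % version)


if __name__ == "__main__":
    # Constructed sample URLs; substitute your own mirror and upstream.
    mirror = "https://mirror.example.com/mirror/scm/PROJ/repo.git"
    upstream = "https://bitbucket.example.com/scm/PROJ/repo.git"
    try:
        out = subprocess.run(["curl", "--version"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        # Constructed fallback so the script still runs without curl installed.
        out = "curl 7.83.0 (x86_64-pc-linux-gnu) libcurl/7.83.0"
    print(diagnose(out, mirror, upstream))
```

Run it on the client that is doing the push: the verdict depends on that machine's curl, not on the Bitbucket version, which is why every Bitbucket release listed above is affected.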

      Workaround

      - Downgrade to curl 7.82.0, or
      - Use SSH authentication

      People

        Assignee: Unassigned
        Reporter: James Adams
        Votes: 0
        Watchers: 2