Details
Type: Bug
Resolution: Unresolved
Priority: Low
Fix Version/s: None
Affects Version/s: 7.12.1, 7.18.4, 7.19.5, 7.20.2, 8.1.0, 8.2.0, 8.0.1, 7.6.16, 7.17.9
Severity 3 - Minor
Description
Issue Summary
Since https://curl.se/docs/CVE-2022-27776.html was fixed in curl 7.83.0, curl strips a custom Authorization header when it follows a redirect to a different host, port or protocol. A push to a mirror node is redirected to the upstream, so a push authenticated with a token in an extra Authorization header loses that header on the redirect, and the upstream responds by asking for basic auth credentials.
Because this is driven by the curl version on the client side, it affects all versions of Bitbucket.
This is reproducible on Data Center: yes
Steps to Reproduce
- Create an HTTP access token on a repository with write permission
- Push to that repository through the mirror, supplying the token as an extra header: `git -c http.extraHeader='Authorization: Bearer <token>' push <mirror base url>/mirror/scm/<project>/<repo>.git`
Expected Results
The redirected request reaches the upstream with the Authorization header intact and the push succeeds
Actual Results
The request is redirected to the upstream without the Authorization header, and the upstream asks for basic auth credentials
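The following is an added example (mine, not code from this issue, from curl or from Bitbucket) that models the rule libcurl applies to a custom Authorization header when it follows a redirect, so the reproduction above can be checked offline against the two curl versions named in the workaround. The host names, ports, paths and token are made up. One consequence of the model worth noting: a redirect to a different host name has dropped the header since curl 7.58.0 (CVE-2018-1000007), so for the header to survive under 7.82.0 and be dropped under 7.83.0, as reported here, the mirror must be redirecting to the same host name on a different port or protocol.

```python
# Added example, not code from the Jira issue, from curl or from Bitbucket.
# It models the rule libcurl applies to a custom "Authorization:" (and
# "Cookie:") header when it follows an HTTP redirect. All URLs, ports and
# header values below are constructed for illustration.
from urllib.parse import urlsplit

SENSITIVE_HEADERS = ("authorization", "cookie")


def _origin(url):
    """Return (protocol, host, port) with the default port filled in."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.scheme, parts.hostname.lower(), port


def _strict_origin_check(curl_version):
    """curl >= 7.83.0 (CVE-2022-27776 fix) compares protocol and port, not just host."""
    parsed = tuple(int(x) for x in curl_version.split("."))
    return parsed >= (7, 83, 0)


def auth_header_forwarded(first_url, redirect_url, curl_version="7.83.0"):
    """True if curl keeps a custom Authorization:/Cookie: header on this redirect.

    Modelled on libcurl's allowed-to-host check, with CURLOPT_UNRESTRICTED_AUTH
    assumed unset (git does not set it):
      - before 7.83.0 only the host name had to match (a different host name
        has dropped the header since 7.58.0, CVE-2018-1000007);
      - from 7.83.0 the protocol and port must match as well.
    """
    proto1, host1, port1 = _origin(first_url)
    proto2, host2, port2 = _origin(redirect_url)
    if host1 != host2:
        return False
    if not _strict_origin_check(curl_version):
        return True
    return proto1 == proto2 and port1 == port2


def headers_after_redirect(headers, first_url, redirect_url, curl_version="7.83.0"):
    """Headers curl would send on the redirected request."""
    keep = auth_header_forwarded(first_url, redirect_url, curl_version)
    return {
        name: value
        for name, value in headers.items()
        if keep or name.lower() not in SENSITIVE_HEADERS
    }


if __name__ == "__main__":
    # Constructed sample: the header git adds from http.extraHeader plus a
    # harmless one, and a made-up mirror/upstream pair on the same host name
    # but different ports (the only shape in which 7.82.0 and 7.83.0 differ).
    sent = {"Authorization": "Bearer <token>", "User-Agent": "git/2.40.0"}
    mirror = "https://bitbucket.example.com:8443/mirror/scm/PROJ/repo.git/info/refs?service=git-receive-pack"
    upstream = "https://bitbucket.example.com/scm/PROJ/repo.git/info/refs?service=git-receive-pack"
    for version in ("7.82.0", "7.83.0"):
        print(version, headers_after_redirect(sent, mirror, upstream, version))
```

Running the block prints the header set the upstream would receive under each curl version; with 7.83.0 the Authorization entry is gone, which is the 401 basic-auth prompt described under Actual Results.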
Workaround
- Downgrade to curl 7.82.0 (note that 7.82.0 is itself affected by CVE-2022-27776, so this reintroduces the header leak the fix closed), or
- Use SSH authentication, or
Issue Links
- is resolved by: BBSDEV-26806
- mentioned in: Page (link text not loaded)