)]}'
{
  "commit": "6628eb41db5189c0cdfdced6d8697e7c813c5f0f",
  "tree": "13687858956d652416c34309e39ac5f61f42b9e9",
  "parents": [
    "986d7f4d37124e1ab7dcc99587f0d6d1deeedd9c"
  ],
  "author": {
    "name": "Jeff King",
    "email": "peff@peff.net",
    "time": "Tue Dec 06 13:24:35 2016 -0500"
  },
  "committer": {
    "name": "Junio C Hamano",
    "email": "gitster@pobox.com",
    "time": "Tue Dec 06 12:32:48 2016 -0800"
  },
  "message": "http: always update the base URL for redirects\n\nIf a malicious server redirects the initial ref\nadvertisement, it may be able to leak sha1s from other,\nunrelated servers that the client has access to. For\nexample, imagine that Alice is a git user, she has access to\na private repository on a server hosted by Bob, and Mallory\nruns a malicious server and wants to find out about Bob\u0027s\nprivate repository.\n\nMallory asks Alice to clone an unrelated repository from her\nover HTTP. When Alice\u0027s client contacts Mallory\u0027s server for\nthe initial ref advertisement, the server issues an HTTP\nredirect for Bob\u0027s server. Alice contacts Bob\u0027s server and\ngets the ref advertisement for the private repository. If\nthere is anything to fetch, she then follows up by asking\nthe server for one or more sha1 objects. But who is the\nserver?\n\nIf it is still Mallory\u0027s server, then Alice will leak the\nexistence of those sha1s to her.\n\nSince commit c93c92f30 (http: update base URLs when we see\nredirects, 2013-09-28), the client usually rewrites the base\nURL such that all further requests will go to Bob\u0027s server.\nBut this is done by textually matching the URL. If we were\noriginally looking for \"http://mallory/repo.git/info/refs\",\nand we got pointed at \"http://bob/other.git/info/refs\", then\nwe know that the right root is \"http://bob/other.git\".\n\nIf the redirect appears to change more than just the root,\nwe punt and continue to use the original server. E.g.,\nimagine the redirect adds a URL component that Bob\u0027s server\nwill ignore, like \"http://bob/other.git/info/refs?dummy\u003d1\".\n\nWe can solve this by aborting in this case rather than\nsilently continuing to use Mallory\u0027s server. In addition to\nprotecting from sha1 leakage, it\u0027s arguably safer and more\nsane to refuse a confusing redirect like that in general.\nFor example, part of the motivation in c93c92f30 is\navoiding accidentally sending credentials over clear http,\njust to get a response that says \"try again over https\". So\neven in a non-malicious case, we\u0027d prefer to err on the side\nof caution.\n\nThe downside is that it\u0027s possible this will break a\nlegitimate but complicated server-side redirection scheme.\nThe setup given in the newly added test does work, but it\u0027s\nconvoluted enough that we don\u0027t need to care about it. A\nmore plausible case would be a server which redirects a\nrequest for \"info/refs?service\u003dgit-upload-pack\" to just\n\"info/refs\" (because it does not do smart HTTP, and for some\nreason really dislikes query parameters).  Right now we\nwould transparently downgrade to dumb-http, but with this\npatch, we\u0027d complain (and the user would have to set\nGIT_SMART_HTTP\u003d0 to fetch).\n\nReported-by: Jann Horn \u003cjannh@google.com\u003e\nSigned-off-by: Jeff King \u003cpeff@peff.net\u003e\nSigned-off-by: Junio C Hamano \u003cgitster@pobox.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "d4034a14ba004c221ad95f3b8e9a225e850d62ea",
      "old_mode": 33188,
      "old_path": "http.c",
      "new_id": "718d2109bcd1d6f2a887b180aea094e8b4d8e4d1",
      "new_mode": 33188,
      "new_path": "http.c"
    },
    {
      "type": "modify",
      "old_id": "018a83a5a18431f120672b7cd8874bfb72e8d8fb",
      "old_mode": 33188,
      "old_path": "t/lib-httpd/apache.conf",
      "new_id": "9a355fb1c0f028e20b0ee6ee6016ecb9b15c28da",
      "new_mode": 33188,
      "new_path": "t/lib-httpd/apache.conf"
    },
    {
      "type": "modify",
      "old_id": "2f375eb94d528baefad038ff5b07baf0fe08d1fc",
      "old_mode": 33261,
      "old_path": "t/t5551-http-fetch-smart.sh",
      "new_id": "d8826acde69337a2ffab35aedc12a07d75d508e4",
      "new_mode": 33261,
      "new_path": "t/t5551-http-fetch-smart.sh"
    },
    {
      "type": "modify",
      "old_id": "0d105d54174e061b20707de808b284314f730667",
      "old_mode": 33261,
      "old_path": "t/t5812-proto-disable-http.sh",
      "new_id": "044cc152f83b05e090a65268c8818d56adb4422b",
      "new_mode": 33261,
      "new_path": "t/t5812-proto-disable-http.sh"
    }
  ]
}