Bug: invalid headers for git over http

Valentin valentin at vrvis.at
Wed Oct 28 13:13:32 UTC 2020 

Hi,

I've noticed cases in which kallithea returns headers that seem 
incorrect on git requests over http.
This first occurred as some users had problems fetching repos from our 
kallithea instance with software that uses the JGit library on Windows 
(user agent string: JGit/5.4.2.201908231537-r).
The error message noted:
'git fetch' command failed (repository dir: <TeamCity data 
dir>/system/caches/git/git-233054F9.git).
stderr: https:<redacted>: expected Content-Type 
application/x-git-upload-pack-result; received Content-Type 
application/x-b'git-upload-pack'-result

I was able to reproduce this header by using git for windows, although 
it didn't produce an error:
valentin at CASHEW MINGW64 ~
$ GIT_CURL_VERBOSE=1 git clone https:<redacted>
Cloning into 'master'...

...
...
12:14:51.522612 http.c:721              <= Recv header, 0000000059 bytes 
(0x0000003b)
12:14:51.522612 http.c:733              <= Recv header: Content-Type: 
application/x-git-upload-pack-advertisement
...
...
12:15:32.147657 http.c:721              <= Recv header, 0000000055 bytes 
(0x00000037)
12:15:32.147657 http.c:733              <= Recv header: Content-Type: 
application/x-b'git-upload-pack'-result


The problem arises in pygrack.py [0] where encode('utf-8') is used on 
line 178:
resp.content_type = 'application/x-%s-result' % git_command.encode('utf-8')

in contrary, on line 128 str() is used:
resp.content_type = 'application/x-%s-advertisement' % str(git_command)

I patched my kallithea instance to use str() (see the attached diff) 
which resolves the problem.
I think this is safe to do, as git_command is checked against valid 
commands before and therefor must be convertible to a string.

Hope i got that right and you can integrate this into an upcoming release.

Cheers,
Valentin


[0] 
https://kallithea-scm.org/repos/kallithea/files/855b37d3bacdc6175566ca7d23c19e2352da1087/kallithea/lib/middleware/pygrack.py

-------------- next part --------------
A non-text attachment was scrubbed...
Name: git_command.diff
Type: text/x-patch
Size: 539 bytes
Desc: not available
URL: <http://lists.sfconservancy.org/pipermail/kallithea-general/attachments/20201028/c0ac140d/attachment.bin>

More information about the kallithea-general mailing list