-
Notifications
You must be signed in to change notification settings - Fork 993
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enable authentication against a disabled remote #12913
Enable authentication against a disabled remote #12913
Conversation
Test code please :) 🙏 |
Yes! Sorry @prince-chrismc I didn't leave a message in the PR. Got into a rabbit-hole while writing tests for this PR which turned into #12915 and it delayed them a bit, but I've got them now, thanks for noticing :) |
Usage makes sense 👍 |
Just a quick note, this doesn't fully close #12909 (but it will be automatically closed when this is merged, because of the comment above). The missing bit is the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks good! For me, it's only missing a new test to check that we're really listing both remotes now. Good job! 👍
that looks suspicious. if remote is disabled, then no traffic should be sent to/from it. why does conan need to authenticate against explicitly disabled remote in the first place? seems to be a security issue IMO. |
This works only for the explicit |
that might be exploited via similarly looking remote names, like similar characters or just minor typos in words. |
All of that can already happen with enabled remotes, if you add some remote to your existing remotes and that remote is malicious, then good luck, I don't think not allowing the authenticate for the reason it is disabled will save you from anything. |
Changelog: Fix: Enable authentication against disabled remotes.
Docs: Omit
There's no need to force a remote to be enabled for it to be able to be authenticated against, as disabling a remote should only affect if they are used for dependency resolving
Part 1 of 2 for #12909