Authorization and Github

Discussion:

Gisle Vanem

2018-10-08 06:18:56 UTC

In my '%APPDATA%/_netrc' file, I have entries for
Github.com and githubusercontent.com:
machine github.com login xx password yy
machine raw.githubusercontent.com login xx password yy

Then when getting any URL from these sites, I always get a
"404 Not Found".

Adding a '--user ":"' does not help, but adding a
'--header Authorization:' (or '--netrc-file NUL'), I do get
the correct content.

Very annoying and clumsy. Since with Wget it always works since it
doesn't send this "Authorization:" header when
'machine raw.githubusercontent.com ..' is present in
'%APPDATA%/.netrc'.

Is there anything else I could do?

--
--gv
-----------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-users
Etiquette: https://curl.haxx

Daniel Stenberg

2018-10-08 08:29:33 UTC

Permalink

Very annoying and clumsy. Since with Wget it always works since it doesn't
send this "Authorization:" header when 'machine raw.githubusercontent.com
..' is present in '%APPDATA%/.netrc'.

I'm not following. Is the problem that it sends the wrong header or that it
finds the wrong credentials in the .netrc file or something else?

--
/ daniel.haxx.se
-----------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-users
Etiquette: https://curl.haxx.se/mail/etiquett

Gisle Vanem

2018-10-08 09:22:18 UTC

Permalink

Very annoying and clumsy. Since with Wget it always works since it doesn't send this "Authorization:" header when
'machine raw.githubusercontent.com ..' is present in '%APPDATA%/.netrc'.

I'm not following. Is the problem that it sends the wrong header or that it finds the wrong credentials in the .netrc
file or something else?

It seems to send the "Authorization: Basic..." header with a Base64 (?) value.
Github doesn't like that and responds with a 404.

Comparing to Google Chrome, it doesn't seems to send this header.
My credentials in the .netrc are correct.

If I disable gist.githubusercontent.com from the _netrc, even then this
header is sent. This auth-data is then coming the 'default login anonymous' line.
So I get another 404.

E.g.

c:\>curl -v https://gist.githubusercontent.com/gvanem/9c2fa42519e790b3bd20479f0dd7b4c7/raw/9acc048f75bd7ef735980
30fad3bd640dfc712da/Makefile.Windows
...

GET /gvanem/9c2fa42519e790b3bd20479f0dd7b4c7/raw/9acc048f75bd7ef73598030fad3bd640dfc712da/Makefile.Windows HTTP/1.1
Host: gist.githubusercontent.com
Authorization: Basic YW5vbnltb3VzOnlvdXJAZW1haWwuYWRkcmVzcw==

...
< HTTP/1.1 404 Not Found

--
--gv
-----------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-users

Daniel Stenberg

2018-10-09 11:06:19 UTC

Permalink

Post by Gisle Vanem

Post by Daniel Stenberg

Very annoying and clumsy. Since with Wget it always works since it doesn't
send this "Authorization:" header when 'machine raw.githubusercontent.com
..' is present in '%APPDATA%/.netrc'.

I'm not following. Is the problem that it sends the wrong header or that it
finds the wrong credentials in the .netrc file or something else?

It seems to send the "Authorization: Basic..." header with a Base64 (?)
value. Github doesn't like that and responds with a 404.

Basic Auth is "user:password" base64-encoded in that header. curl uses that
because you're using the .netrc file and it found the host name with
credentials in there.

Post by Gisle Vanem
Comparing to Google Chrome, it doesn't seems to send this header.

Sure, but Chrome doesn't care about .netrc. Also, Chrome doesn't send
authentication without "probing" first, which curl does in this case. You can
make curl probe too by adding --anyauth.

Post by Gisle Vanem
If I disable gist.githubusercontent.com from the _netrc, even then this
header is sent. This auth-data is then coming the 'default login anonymous' line.

curl doesn't read the .netrc by default so you've asked it to use this file
somehow?

--
/ daniel.haxx.se
-----------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-users
Etiquette: h

Gisle Vanem

2018-10-09 16:17:40 UTC

Permalink

Post by Gisle Vanem
If I disable gist.githubusercontent.com from the _netrc, even then this
header is sent. This auth-data is then coming the 'default login anonymous' line.

curl doesn't read the .netrc by default so you've asked it to use this file somehow?

Obviously. In my %APPDATA%/_curlrc, I have a:
netrc

which is what I want and that works in all cases. Esp. with FTP,
but not with the gist.githubusercontent.com host.

I'm not sure what the definitive RFC says about sending "Authorization: "
when not asked for. Or if simply Github's server is too strict.

--
--gv
-----------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-users
Etiquette: https://curl.