[PATCH] http auth user & password lookup

Brendan Cully brendan at kublai.com
Thu Aug 23 19:29:53 CDT 2007


On Thursday, 23 August 2007 at 17:22, Brad Schick wrote:
> Matt Mackall wrote:
> >>>> We also want to store and check the URI (or at least the host name), no?
> >>>>
> >>> I considered that. It would disambiguate all cases, but I think for many
> >>> instances the realm is enough. Maybe an optional uri? Any suggestions
> >>> for how to add that. Could be something like:
> >>>
> >>> realm[@uri]  = user[:pass]
> >>>
> >> Any feedback on this? I think it would help other users if I can get
> >> this patch to an acceptable state. It's currently a pretty big hassle
> >> doing remote work over http if auth is in place (or fairly insecure due
> >> to displaying of passwords).
> >>
> >
> > Isn't there a security risk of not having the URI in there? If you're
> > doing pushes to two servers with realm-a and realm-b, the second
> > server can claim to be in realm-a and get your realm-a password, no?
> >
> 
> That is a good point, particularly for basic http auth that sends the
> plain text password. I'm not sure how many repo managers are looking to
> steal the passwords of their users on other repos, but I definitely
> agree on principle.
> 
> Using the full URI only would be a hassle when you have several repos on
> one host with a shared user:pass. How about:
> 
> realm:(hostname|uri) = user[:pass]

I think you could just make the uri here prefix-match the target.

i.e. realm:http://foo/bar would match http://foo/bar/baz and
http://foo/bar/quux

maybe realm: would match anything?
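Added example (not code from the thread or from Mercurial itself): a Python sketch of the lookup that Brad's `realm:(hostname|uri) = user[:pass]` form would give, with the URI part prefix-matched against the target as Brendan suggests. Hosts, realms and passwords in the sample config are constructed. Three choices are assumptions, not anything the thread settled: a bare `realm:` matches any URL, the prefix has to end on a path-component boundary (so `http://foo/bar` does not match `http://foo/barbaz`), and when several entries match, the longest prefix wins. The last case in the usage block is Matt's scenario: a second server claiming realm-a gets no credentials because the URI does not match.

```python
from urllib.parse import urlsplit

# Constructed sample config in the "realm:prefix = user[:pass]" form.
# Names, hosts and passwords are made up for the example.
SAMPLE_AUTH_CONFIG = """
# realm:uri-prefix = user[:pass]
realm-a:http://hg.example.org/projects = alice:s3cret-a
realm-a:http://hg.example.org/projects/special = alice:s3cret-special
realm-b:http://mirror.example.net = bob:s3cret-b
anyrealm: = guest:guest
"""


def _normalize(url):
    """scheme and host lower-cased, path without trailing slash, no query/fragment."""
    if not url:
        return ""
    parts = urlsplit(url)
    return "%s://%s%s" % (parts.scheme.lower(), parts.netloc.lower(),
                          parts.path.rstrip("/"))


def parse_auth_config(text):
    """Return a list of (realm, normalized_prefix, user, password_or_None)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if ":" not in key:
            raise ValueError("expected realm:prefix, got %r" % key)
        realm, _, prefix = key.partition(":")
        user, _, password = value.partition(":")
        entries.append((realm, _normalize(prefix), user, password or None))
    return entries


def _prefix_matches(prefix, target):
    # Assumption: an empty prefix ("realm:") matches every URL.
    if not prefix:
        return True
    target = _normalize(target)
    # Assumption: match only on a path-component boundary, so that
    # http://foo/bar matches http://foo/bar/baz but not http://foo/barbaz.
    return target == prefix or target.startswith(prefix + "/")


def lookup_credentials(entries, realm, url):
    """Return (user, password) for the most specific matching entry, else None.

    Both the realm sent by the server and the URL being contacted must match,
    so a host in a different location that claims the same realm gets nothing.
    """
    best = None
    for entry_realm, prefix, user, password in entries:
        if entry_realm != realm or not _prefix_matches(prefix, url):
            continue
        if best is None or len(prefix) > len(best[0]):
            best = (prefix, user, password)
    return None if best is None else (best[1], best[2])


if __name__ == "__main__":
    entries = parse_auth_config(SAMPLE_AUTH_CONFIG)
    for realm, url in [
        ("realm-a", "http://hg.example.org/projects/foo"),
        ("realm-a", "http://hg.example.org/projects/special/sub"),
        ("realm-b", "http://mirror.example.net/repo"),
        ("anyrealm", "https://elsewhere.example/x"),
        # Matt's case: a second server claims realm-a; URI does not match.
        ("realm-a", "http://mirror.example.net/evil"),
    ]:
        print(realm, url, "->", lookup_credentials(entries, realm, url))
```

The realm is still compared exactly; the URI prefix only narrows which entry a given realm may select. Adding the prefix is what closes the cross-server case in the thread, since the lookup is keyed on where the request goes rather than on what the remote end claims to be.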

