[PATCH] http auth user & password lookup

Matt Mackall mpm at selenic.com
Thu Aug 23 19:36:42 CDT 2007


On Thu, Aug 23, 2007 at 05:29:53PM -0700, Brendan Cully wrote:
> On Thursday, 23 August 2007 at 17:22, Brad Schick wrote:
> > Matt Mackall wrote:
> > >>>> We also want to store and check the URI (or at least the host name), no?
> > >>>>
> > >>> I considered that. It would disambiguate all cases, but I think for many
> > >>> instances the realm is enough. Maybe an optional uri? Any suggestions
> > >>> for how to add that? Could be something like:
> > >>>
> > >>> realm[@uri]  = user[:pass]
> > >>>
> > >> Any feedback on this? I think it would help other users if I can get
> > >> this patch to an acceptable state. It's currently a pretty big hassle
> > >> doing remote work over http if auth is in place (or fairly insecure due
> > >> to displaying of passwords).
> > >>
> > >
> > > Isn't there a security risk of not having the URI in there? If you're
> > > doing pushes to two servers with realm-a and realm-b, the second
> > > server can claim to be in realm-a and get your realm-a password, no?
> > >
> > 
> > That is a good point, particularly for basic http auth that sends the
> > plain text password. I'm not sure how many repo managers are looking to
> > steal the passwords of their users on other repos, but I definitely
> > agree on principle.
> > 
> > Using the full URI only would be a hassle when you have several repos on
> > one host with a shared user:pass. How about:
> > 
> > realm:(hostname|uri) = user[:pass]
> 
> I think you could just make the uri here prefix-match the target.
> 
> ie realm:http://foo/bar would match http://foo/bar/baz and
> http://foo/bar/quux

That seems reasonable, except:

> maybe realm: would match anything?

Thus exposing naive users to the danger...

And the danger is not hostile project admins so much as compromised
project servers. If I want to stick an exploit into high-profile
project X, I might start by attacking project Y which shares some
developers.

-- 
Mathematics is the supreme nostalgia of our time.
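An added illustration, not Mercurial's code and not anything posted in this thread: a Python sketch of the `realm:(hostname|uri) = user[:pass]` lookup being discussed, with the uri prefix-matched against the target as Brendan suggests, a bare hostname form, and the `realm:` (match anything) form kept so the leak Matt describes can be seen. The sample `[auth]` section, the names, and the rule that `http://foo/bar` covers `http://foo/bar/baz` but not `http://foo/barbaz` are all assumptions of this example.

```python
"""
Hypothetical lookup for an [auth] section of the shape the thread discusses:

    realm:uri      = user[:pass]   # uri is a prefix of the target URL
    realm:hostname = user[:pass]   # any URL on that host
    realm:         = user[:pass]   # matches any target (the unsafe case)

Illustration only; this is not Mercurial's implementation.
"""
from urllib.parse import urlsplit

# Constructed sample configuration (not taken from the thread).
SAMPLE_CONFIG = """
[auth]
release:https://hg.example.org/release = alice:releasepw
shared:hg.example.org = bob:sharedpw
prompt:https://hg.example.org/private = carol
legacy: = alice:legacypw
"""

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_auth(text):
    """Parse 'realm:uri = user[:pass]' lines into (realm, uri, user, password)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue
        key, _, value = line.partition("=")
        # Split the key on the first ':' only, so 'https://...' in the uri survives.
        realm, _, uri = key.strip().partition(":")
        user, _, password = value.strip().partition(":")
        entries.append((realm, uri.strip(), user, password or None))
    return entries


def _dir(path):
    """'/bar' -> '/bar/' so that prefix matching stops at path-segment
    boundaries (assumption: http://foo/bar must not cover http://foo/barbaz)."""
    return (path or "/").rstrip("/") + "/"


def _origin(parts):
    """(scheme, host, port) of a split URL, with the default port filled in."""
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def uri_matches(prefix, target):
    """True if target lies under prefix.

    An empty prefix matches every target.  A bare hostname matches any URL on
    that host.  A full URI must agree with the target on scheme, host and port,
    and its path must be a segment-aligned prefix of the target's path.
    """
    if not prefix:
        return True
    t = urlsplit(target)
    if "://" not in prefix:
        return (t.hostname or "").lower() == prefix.lower()
    p = urlsplit(prefix)
    return _origin(p) == _origin(t) and _dir(t.path).startswith(_dir(p.path))


def lookup(entries, realm, target_url):
    """Credentials for the realm the server *claims* and the URL we are
    actually talking to, or None if no entry covers both.

    The realm comes from the server's WWW-Authenticate header, so a hostile or
    compromised server can name any realm it likes; the URL is ours.  Requiring
    both to match is what keeps the realm-a password from going to server b.
    When several entries match, the longest (most specific) uri wins.
    """
    best = None
    for entry_realm, uri, user, password in entries:
        if entry_realm != realm or not uri_matches(uri, target_url):
            continue
        if best is None or len(uri) > len(best[0]):
            best = (uri, user, password)
    return None if best is None else (best[1], best[2])


if __name__ == "__main__":
    entries = parse_auth(SAMPLE_CONFIG)
    # The legitimate server: matched by realm and uri prefix.
    print(lookup(entries, "release", "https://hg.example.org/release/sub"))
    # A different host claiming the same realm gets nothing ...
    print(lookup(entries, "release", "https://evil.example.com/hg"))
    # ... unless the entry was written as 'realm:' with no uri at all.
    print(lookup(entries, "legacy", "https://evil.example.com/hg"))
```

The last call is the point of the thread: with `legacy:` carrying no uri, any server that answers with `realm="legacy"` is handed alice's password, which is why a bare `realm:` that matches everything is the form to avoid. Scheme is part of the match here, so an `https://` entry does not answer an `http://` challenge on the same host; that is a design choice of this example, not something the thread settled.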


More information about the Mercurial-devel mailing list