[PATCH] Do not display passwords specified in URL

Manuel Holtgrewe purestorm at ggnore.net
Mon Nov 5 13:43:38 CST 2007


Hi,

I had a similar problem as Brad Schick had in [1]: If I specify a  
password in the repository URL, then this password is printed on  
pulling and pushing. In my opinion, this should not be the case.

I have thought of a (IMO) simple but elegant and effective solution  
to the problem Brad had when trying to create a workaround:  
Why don't we simply keep entering the password in the URL but hide it  
when displaying it?

This would get rid of the problem while keeping the required changes  
to a minimum. I appended the necessary patch, you can also pull it  
from [2].

Kind Regards,

Manuel


[1] http://www.selenic.com/pipermail/mercurial-devel/2007-August/ 
thread.html#2618
[2] https://hg.ggnore.net/source/hg-hide-pw

# HG changeset patch
# User Manuel Holtgrewe <purestorm at ggnore.net>
# Date 1194290972 -3600
# Node ID bcf5049c5a97673b7eec413d9a34b65ffc634f7a
# Parent  3aa5c45874c60560d75df74adbc964e107c8538a
Passwords specified in the repository URL are now displayed as '***'  
when accessing the remote repository

diff -r 3aa5c45874c6 -r bcf5049c5a97 mercurial/commands.py
--- a/mercurial/commands.py	Sat Oct 20 03:04:34 2007 +0200
+++ b/mercurial/commands.py	Mon Nov 05 20:29:32 2007 +0100
@@ -1961,7 +1961,8 @@ def outgoing(ui, repo, dest=None, **opts
          revs = [repo.lookup(rev) for rev in revs]
      other = hg.repository(ui, dest)
-    ui.status(_('comparing with %s\n') % dest)
+    cleaned_dest = util.hide_password_in_url(dest)
+    ui.status(_('comparing with %s\n') % cleaned_dest)
      o = repo.findoutgoing(other, force=opts['force'])
      if not o:
          ui.status(_("no changes found\n"))
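Review bot: Only three status messages are masked, the one in outgoing here and the ones in pull and push in the next two hunks, so any other place that echoes the remote URL would still show the password. Nothing in this diff shows whether incoming, clone, debug output or abort messages print the raw `source`/`dest`; if they do, they need the same `util.hide_password_in_url(...)` call. Masking the display also leaves the password in shell history, the process list and any hgrc `[paths]` entry, which is worth stating wherever this behaviour is documented. The bodies of all three functions continue outside their hunks.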
@@ -2094,7 +2095,8 @@ def pull(ui, repo, source="default", **o
      cmdutil.setremoteconfig(ui, opts)
      other = hg.repository(ui, source)
-    ui.status(_('pulling from %s\n') % (source))
+    cleaned_source = util.hide_password_in_url(source)
+    ui.status(_('pulling from %s\n') % (cleaned_source))
      if revs:
          try:
              revs = [other.lookup(rev) for rev in revs]
@@ -2141,7 +2143,8 @@ def push(ui, repo, dest=None, **opts):
      cmdutil.setremoteconfig(ui, opts)
      other = hg.repository(ui, dest)
-    ui.status('pushing to %s\n' % (dest))
+    cleaned_dest = util.hide_password_in_url(dest)
+    ui.status('pushing to %s\n' % (cleaned_dest))
      if revs:
          revs = [repo.lookup(rev) for rev in revs]
      r = repo.push(other, opts['force'], revs=revs)
diff -r 3aa5c45874c6 -r bcf5049c5a97 mercurial/util.py
--- a/mercurial/util.py	Sat Oct 20 03:04:34 2007 +0200
+++ b/mercurial/util.py	Mon Nov 05 20:29:32 2007 +0100
@@ -15,6 +15,7 @@ from i18n import _
from i18n import _
import cStringIO, errno, getpass, popen2, re, shutil, sys, tempfile,  
strutil
import os, stat, threading, time, calendar, ConfigParser, locale,  
glob, osutil
+import re, urlparse
try:
      set = set
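Review bot: `re` is already imported by the context line two lines above (`import cStringIO, errno, getpass, popen2, re, ...`), so the added line re-imports it. It only needs to be `import urlparse`, or `urlparse` could be appended to one of the existing import lines to match the file's style.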
@@ -1688,3 +1689,23 @@ def uirepr(s):
def uirepr(s):
      # Avoid double backslash in Windows path repr()
      return repr(s).replace('\\\\', '\\')
+
+def hide_password_in_url(url_str):
+    '''replaces the password in the url string by three asterisks (***)
+
+    >>> hide_password_in_url('http://www.example.com/some/ 
path#fragment')
+    'http://www.example.com/some/path#fragment'
+    >>> hide_password_in_url('http://me@www.example.com/some/ 
path#fragment')
+    'http://me@www.example.com/some/path#fragment'
+    >>> hide_password_in_url('http://me:simplepw@www.example.com/ 
path#frag')
+    'http://me:***@www.example.com/path#frag'
+    >>> hide_password_in_url('http://me:complex:pw@www.example.com/ 
path#frag')
+    'http://me:***@www.example.com/path#frag'
+    '''
+    url_parts = list(urlparse.urlparse(url_str))
+    host_with_pw_pattern = re.compile('^([^:]*):([^@]*)@(.*)$')
+    if host_with_pw_pattern.match(url_parts[1]):
+        url_parts[1] = re.sub(host_with_pw_pattern, r'\1:***@\3',
+            url_parts[1])
+    return urlparse.urlunparse(url_parts)
+
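Review bot: The pattern `'^([^:]*):([^@]*)@(.*)$'` ends the password at the first `@`, so a password containing an unescaped `@` is only partly masked. For a constructed input like `http://me:p@ss@www.example.com/path` the result is `http://me:***@ss@www.example.com/path`, which prints the tail of the secret. Splitting the netloc at the last `@` (`at = url_parts[1].rfind('@')`) and masking everything after the first `:` in the part before it avoids this. A doctest for that case should sit next to the `complex:pw` one. It is also worth a doctest for each non-HTTP URL form the commands accept, since `urlparse` may not populate the netloc for schemes it does not know and the function would then return the URL unmasked.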
diff -r 3aa5c45874c6 -r bcf5049c5a97 tests/test-doctest.py
--- a/tests/test-doctest.py	Sat Oct 20 03:04:34 2007 +0200
+++ b/tests/test-doctest.py	Mon Nov 05 20:29:32 2007 +0100
@@ -7,3 +7,6 @@ doctest.testmod(mercurial.changelog)
import mercurial.httprepo
doctest.testmod(mercurial.httprepo)
+
+import mercurial.util
+doctest.testmod(mercurial.util)
\ No newline at end of file


