[PATCH] Hide username and password on console when included in http: URLs

Brad Ediger brad at bradediger.com
Tue Sep 11 16:25:07 CDT 2007


When usernames and passwords are specified in a pull / push URL (hg  
pull http://user:pass@host:port/), this patch changes the console  
output to exclude the username / password for security ("pulling from  
http://host:port/").

There's a lot of cruft here so that the old tests pass. I'm not a  
Python guy, so any comments on the code itself would be appreciated.

# HG changeset patch
# User Brad Ediger <brad.ediger at madriska.com>
# Date 1189544832 18000
# Node ID e2b88600d89577b0b2abb5afb194dfa675228e6b
# Parent  bbdcdc7f170ed71911496f64e52554c030fe8a34
Hide username and password on console when included in http: URLs

diff -r bbdcdc7f170e -r e2b88600d895 mercurial/bundlerepo.py
--- a/mercurial/bundlerepo.py   Mon Aug 20 21:10:45 2007 -0500
+++ b/mercurial/bundlerepo.py   Tue Sep 11 16:07:12 2007 -0500
@@ -151,9 +151,10 @@ class bundlefilelog(bundlerevlog, filelo
                                linkmapper)
class bundlerepository(localrepo.localrepository):
-    def __init__(self, ui, path, bundlename):
+    def __init__(self, ui, path, bundlename, origpath=None):
          localrepo.localrepository.__init__(self, ui, path)
-
+
+        self.origpath = origpath
          self._url = 'bundle:' + bundlename
          if path: self._url += '+' + path
@@ -208,6 +209,9 @@ class bundlerepository(localrepo.localre
      def url(self):
          return self._url
+
+    def printable_path(self):
+        return self.origpath
      def dev(self):
          return -1
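Review bot: `printable_path()` returns `self.origpath` as-is, and the constructor in the first hunk defaults `origpath` to `None`, so any caller that still builds `bundlerepository(ui, path, bundlename)` with three arguments would make pull/push print "pulling from None". A fallback keeps the old call shape working: `return self.origpath or self.url()`. A one-line docstring on the method saying it returns the location as the user typed it, for display only, would also help; the class body continues outside these hunks.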
@@ -237,6 +241,7 @@ def instance(ui, path, create):
def instance(ui, path, create):
      if create:
          raise util.Abort(_('cannot create new bundle repository'))
+    origpath = path
      path = util.drop_scheme('file', path)
      if path.startswith('bundle:'):
          path = util.drop_scheme('bundle', path)
@@ -247,4 +252,4 @@ def instance(ui, path, create):
              repopath, bundlename = s
      else:
          repopath, bundlename = '', path
-    return bundlerepository(ui, repopath, bundlename)
+    return bundlerepository(ui, repopath, bundlename, origpath)
diff -r bbdcdc7f170e -r e2b88600d895 mercurial/commands.py
--- a/mercurial/commands.py     Mon Aug 20 21:10:45 2007 -0500
+++ b/mercurial/commands.py     Tue Sep 11 16:07:12 2007 -0500
@@ -2073,7 +2073,7 @@ def pull(ui, repo, source="default", **o
      cmdutil.setremoteconfig(ui, opts)
      other = hg.repository(ui, source)
-    ui.status(_('pulling from %s\n') % (source))
+    ui.status(_('pulling from %s\n') % (other.printable_path()))
      if revs:
          if 'lookup' in other.capabilities:
              revs = [other.lookup(rev) for rev in revs]
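Review bot: Only the two status lines in `pull` and `push` (next hunk) are switched to `other.printable_path()`, so any other place that echoes `source` or `dest` still prints the URL with its credentials. That probably includes other commands taking a repository URL and the abort or warning messages raised while connecting, but none of those are visible in this diff, so they need checking by hand. Consider a single scrubbing helper applied wherever a repository URL is formatted for output, rather than relying on each call site remembering to ask the repo object. The bodies of `pull` and `push` continue outside the hunks.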
@@ -2119,7 +2119,7 @@ def push(ui, repo, dest=None, **opts):
      cmdutil.setremoteconfig(ui, opts)
      other = hg.repository(ui, dest)
-    ui.status('pushing to %s\n' % (dest))
+    ui.status('pushing to %s\n' % (other.printable_path()))
      if revs:
          revs = [repo.lookup(rev) for rev in revs]
      r = repo.push(other, opts['force'], revs=revs)
diff -r bbdcdc7f170e -r e2b88600d895 mercurial/httprepo.py
--- a/mercurial/httprepo.py     Mon Aug 20 21:10:45 2007 -0500
+++ b/mercurial/httprepo.py     Tue Sep 11 16:07:12 2007 -0500
@@ -270,6 +270,9 @@ class httprepository(remoterepository):
      def url(self):
          return self.path
+
+    def printable_path(self):
+        return self._url
      # look up capabilities only when needed
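Review bot: The credential hiding here rests entirely on `self._url` having been built without the `user:password@` part, and that assignment is outside the hunk, so nothing on these lines tells a maintainer why `printable_path()` and `url()` return different attributes. A later cleanup that "unifies" the two on `self.path` would silently bring the leak back. Please add a comment on the new method, for example `# _url has the userinfo stripped; never return self.path here, it may hold a password`, and a docstring stating that the result is for console output only.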
diff -r bbdcdc7f170e -r e2b88600d895 mercurial/localrepo.py
--- a/mercurial/localrepo.py    Mon Aug 20 21:10:45 2007 -0500
+++ b/mercurial/localrepo.py    Tue Sep 11 16:07:12 2007 -0500
@@ -102,6 +102,9 @@ class localrepository(repo.repository):
      def url(self):
          return 'file:' + self.root
+
+    def printable_path(self):
+        return self.origroot
      def hook(self, name, throw=False, **args):
          return hook.hook(self.ui, self, name, throw, **args)
diff -r bbdcdc7f170e -r e2b88600d895 mercurial/repo.py
--- a/mercurial/repo.py Mon Aug 20 21:10:45 2007 -0500
+++ b/mercurial/repo.py Tue Sep 11 16:07:12 2007 -0500
@@ -22,3 +22,6 @@ class repository(object):
              if cap.startswith(name_eq):
                  return cap[len(name_eq):]
          return False
+
+    def printable_path(self):
+        return self.path
\ No newline at end of file
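Review bot: The base-class default returns `self.path` unmodified, so the hiding is opt-in: any repository class that keeps a credentialed URL in `path` and does not override `printable_path()` will print the password. In `httprepo.py` the raw URL appears to live in exactly that attribute, which shows how easily a new or out-of-tree repo type would fail open. The safer default is to strip any `user:password@` component from URL-shaped paths in this one place and let subclasses override only when they need a different display form. At minimum, add a docstring such as `"""Return the location for display; must never contain URL userinfo."""`. The file also now ends without a trailing newline.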
diff -r bbdcdc7f170e -r e2b88600d895 mercurial/sshrepo.py
--- a/mercurial/sshrepo.py      Mon Aug 20 21:10:45 2007 -0500
+++ b/mercurial/sshrepo.py      Tue Sep 11 16:07:12 2007 -0500
@@ -42,6 +42,9 @@ class sshrepository(remoterepository):
          self.validate_repo(ui, sshcmd, args, remotecmd)
      def url(self):
+        return self._url
+
+    def printable_path(self):
          return self._url
      def validate_repo(self, ui, sshcmd, args, remotecmd):
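Review bot: `printable_path()` here returns the same `self._url` as `url()`, so for ssh repositories nothing is scrubbed and whatever userinfo the URL carried is echoed unchanged. `_url` is assigned outside the hunk; if it is the URL as typed, a `user:secret@host` form would still reach the console. If the patch is meant to cover http only, say so in a comment on the method; otherwise it should return a copy with the userinfo removed. Having it call `self.url()` instead of duplicating the return would also make it obvious that the two are intentionally identical.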
diff -r bbdcdc7f170e -r e2b88600d895 mercurial/statichttprepo.py
--- a/mercurial/statichttprepo.py       Mon Aug 20 21:10:45 2007 -0500
+++ b/mercurial/statichttprepo.py       Tue Sep 11 16:07:12 2007 -0500
@@ -32,6 +32,7 @@ class statichttprepository(localrepo.loc
      def __init__(self, ui, path):
          self._url = path
          self.ui = ui
+        self.origroot = 'static-' + path
          self.path = (path + "/.hg")
          self.opener = opener(self.path)
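Review bot: `self.origroot = 'static-' + path` stores the URL exactly as given, and the `printable_path()` this class appears to inherit from `localrepository` returns `origroot`, so a `static-http://user:pass@host/` pull would still print the username and password. That is the same leak the patch closes for `httprepo`. Build `origroot` from a copy of `path` with the `user:password@` part removed, or override `printable_path()` in this class to do so. The class header is truncated in the hunk context, so the inheritance should be confirmed.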
diff -r bbdcdc7f170e -r e2b88600d895 tests/test-http-hide-username- 
password
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/test-http-hide-username-password    Tue Sep 11 16:07:12  
2007 -0500
@@ -0,0 +1,30 @@
+#!/bin/sh
+
+hg init test
+hg clone test test2
+
+cd test
+echo '[web]'>>.hg/hgrc
+echo 'allow_push = *'>>.hg/hgrc
+echo 'push_ssl = False'>>.hg/hgrc
+echo foo>foo
+hg add foo
+hg ci -m "added foo"
+hg serve -p 20059 -d --pid-file=../hg.pid
+cd ..
+cat hg.pid >> $DAEMON_PIDS
+
+echo % pull with password
+cd test2
+hg pull -u http://user:pass@localhost:20059/
+cd ..
+hg verify -R test2
+
+echo % push with password
+cd test2
+echo foo>foo2
+hg add foo2
+hg ci -m "added foo2"
+hg push http://user:pass@localhost:20059/
+cd ..
+hg verify -R test
\ No newline at end of file
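Review bot: The script covers only a successful pull and push over plain `http://`, so the expected output cannot catch credentials that reach the console through an error path or through the `static-http` and `ssh` classes this patch also modifies. A case where the connection fails (so the abort message is captured) and one for `static-http` would pin the behaviour the patch is claiming. The server is also started without any authentication configured, so `user:pass` is never actually checked; a short comment saying that only the console output is being tested would make this clear. `$DAEMON_PIDS` should be quoted in `cat hg.pid >> "$DAEMON_PIDS"`.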
diff -r bbdcdc7f170e -r e2b88600d895 tests/test-http-hide-username- 
password.out
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/test-http-hide-username-password.out        Tue Sep 11  
16:07:12 2007 -0500
@@ -0,0 +1,26 @@
+0 files updated, 0 files merged, 0 files removed, 0 files unresolved
+% pull with password
+pulling from http://localhost:20059/
+requesting all changes
+adding changesets
+adding manifests
+adding file changes
+added 1 changesets with 1 changes to 1 files
+1 files updated, 0 files merged, 0 files removed, 0 files unresolved
+checking changesets
+checking manifests
+crosschecking files in changesets and manifests
+checking files
+1 files, 1 changesets, 1 total revisions
+% push with password
+pushing to http://localhost:20059/
+searching for changes
+adding changesets
+adding manifests
+adding file changes
+added 1 changesets with 1 changes to 1 files
+checking changesets
+checking manifests
+crosschecking files in changesets and manifests
+checking files
+2 files, 2 changesets, 2 total revisions


