[PATCH] Hide username and password on console when included in http: URLs

Brad Ediger brad at bradediger.com
Wed Sep 12 05:23:42 CDT 2007


On Sep 12, 2007, at 5:00 AM, Jonathan S. Shapiro wrote:

> Brad:
>
> Dropping the password may make sense. Dropping the username does not,
> and can have negative impact on (e.g.) logging.

Good call, that had crossed my mind but I forgot about it.

Updated version that drops only the password:

# HG changeset patch
# User Brad Ediger <brad.ediger at madriska.com>
# Date 1189592499 18000
# Node ID 82162ea19cbaf404bc95748de31ddb114fbf246f
# Parent  bbdcdc7f170ed71911496f64e52554c030fe8a34
Hide password on console when included in http: URLs

diff -r bbdcdc7f170e -r 82162ea19cba mercurial/bundlerepo.py
--- a/mercurial/bundlerepo.py   Mon Aug 20 21:10:45 2007 -0500
+++ b/mercurial/bundlerepo.py   Wed Sep 12 05:21:39 2007 -0500
@@ -151,9 +151,10 @@ class bundlefilelog(bundlerevlog, filelo
                                linkmapper)
class bundlerepository(localrepo.localrepository):
-    def __init__(self, ui, path, bundlename):
+    def __init__(self, ui, path, bundlename, origpath=None):
          localrepo.localrepository.__init__(self, ui, path)
-
+
+        self.origpath = origpath
          self._url = 'bundle:' + bundlename
          if path: self._url += '+' + path
@@ -208,6 +209,9 @@ class bundlerepository(localrepo.localre
      def url(self):
          return self._url
+
+    def printable_path(self):
+        return self.origpath
      def dev(self):
          return -1
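Review bot: `printable_path()` returns `self.origpath` unconditionally, while the constructor in the previous hunk defaults `origpath` to `None`. A bundlerepository built without the new argument would therefore make the status line read `pulling from None`. Falling back to the URL the constructor already builds keeps the output meaningful: `return self.origpath or self._url`. The class body continues outside this hunk, so other constructor callers cannot be checked from here.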
@@ -237,6 +241,7 @@ def instance(ui, path, create):
def instance(ui, path, create):
      if create:
          raise util.Abort(_('cannot create new bundle repository'))
+    origpath = path
      path = util.drop_scheme('file', path)
      if path.startswith('bundle:'):
          path = util.drop_scheme('bundle', path)
@@ -247,4 +252,4 @@ def instance(ui, path, create):
              repopath, bundlename = s
      else:
          repopath, bundlename = '', path
-    return bundlerepository(ui, repopath, bundlename)
+    return bundlerepository(ui, repopath, bundlename, origpath)
diff -r bbdcdc7f170e -r 82162ea19cba mercurial/commands.py
--- a/mercurial/commands.py     Mon Aug 20 21:10:45 2007 -0500
+++ b/mercurial/commands.py     Wed Sep 12 05:21:39 2007 -0500
@@ -2073,7 +2073,7 @@ def pull(ui, repo, source="default", **o
      cmdutil.setremoteconfig(ui, opts)
      other = hg.repository(ui, source)
-    ui.status(_('pulling from %s\n') % (source))
+    ui.status(_('pulling from %s\n') % (other.printable_path()))
      if revs:
          if 'lookup' in other.capabilities:
              revs = [other.lookup(rev) for rev in revs]
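Review bot: Only this status line, and the matching one in the push hunk below, is switched to `other.printable_path()`; `source` and `dest` still hold the URL exactly as typed, password included. Any other message in pull or push that formats those variables directly would keep printing the password, and such lines would sit outside the hunks shown, so the rest of both functions is worth checking. A short comment above the call, such as `# do not print source directly: it may embed a password`, would record the intent for later edits.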
@@ -2119,7 +2119,7 @@ def push(ui, repo, dest=None, **opts):
      cmdutil.setremoteconfig(ui, opts)
      other = hg.repository(ui, dest)
-    ui.status('pushing to %s\n' % (dest))
+    ui.status('pushing to %s\n' % (other.printable_path()))
      if revs:
          revs = [repo.lookup(rev) for rev in revs]
      r = repo.push(other, opts['force'], revs=revs)
diff -r bbdcdc7f170e -r 82162ea19cba mercurial/httprepo.py
--- a/mercurial/httprepo.py     Mon Aug 20 21:10:45 2007 -0500
+++ b/mercurial/httprepo.py     Wed Sep 12 05:21:39 2007 -0500
@@ -198,6 +198,10 @@ class httprepository(remoterepository):
          # urllib cannot handle URLs with embedded user or passwd
          self._url = urlparse.urlunsplit((scheme, netlocunsplit 
(host, port),
                                           urlpath, '', ''))
+
+        # printable path includes username but not password
+        self._printable_path = urlparse.urlunsplit((scheme,  
netlocunsplit(host, port, user),
+                                                    urlpath, '', ''))
          self.ui = ui
          self.ui.debug(_('using %s\n') % self._url)
@@ -270,6 +274,9 @@ class httprepository(remoterepository):
      def url(self):
          return self.path
+
+    def printable_path(self):
+        return self._printable_path
      # look up capabilities only when needed
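Review bot: `url()` directly above the new method still returns `self.path`, which appears to be the path as the user supplied it and so would still contain the password that `printable_path()` removes. Callers that place `url()` in a message or log line would keep exposing the credential; this cannot be confirmed here because the assignment of `self.path` is outside the hunk. The new method also has no docstring, and one such as `"""Return the URL with the username kept and the password removed, for display and logging."""` would make clear which accessor is meant for output.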
diff -r bbdcdc7f170e -r 82162ea19cba mercurial/localrepo.py
--- a/mercurial/localrepo.py    Mon Aug 20 21:10:45 2007 -0500
+++ b/mercurial/localrepo.py    Wed Sep 12 05:21:39 2007 -0500
@@ -102,6 +102,9 @@ class localrepository(repo.repository):
      def url(self):
          return 'file:' + self.root
+
+    def printable_path(self):
+        return self.origroot
      def hook(self, name, throw=False, **args):
          return hook.hook(self.ui, self, name, throw, **args)
diff -r bbdcdc7f170e -r 82162ea19cba mercurial/repo.py
--- a/mercurial/repo.py Mon Aug 20 21:10:45 2007 -0500
+++ b/mercurial/repo.py Wed Sep 12 05:21:39 2007 -0500
@@ -22,3 +22,6 @@ class repository(object):
              if cap.startswith(name_eq):
                  return cap[len(name_eq):]
          return False
+
+    def printable_path(self):
+        return self.path
\ No newline at end of file
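Review bot: The base-class default returns `self.path` unchanged, so any repository class that does not override `printable_path()` prints its path as given, credentials included. The default is therefore only safe as long as every URL-based subclass remembers to override it. A docstring should state that contract, for example `"""Return a form of the repository path that is safe to show on the console; subclasses whose path may embed a password must override this."""`. The hunk also leaves repo.py without a trailing newline.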
diff -r bbdcdc7f170e -r 82162ea19cba mercurial/sshrepo.py
--- a/mercurial/sshrepo.py      Mon Aug 20 21:10:45 2007 -0500
+++ b/mercurial/sshrepo.py      Wed Sep 12 05:21:39 2007 -0500
@@ -42,6 +42,9 @@ class sshrepository(remoterepository):
          self.validate_repo(ui, sshcmd, args, remotecmd)
      def url(self):
+        return self._url
+
+    def printable_path(self):
          return self._url
      def validate_repo(self, ui, sshcmd, args, remotecmd):
diff -r bbdcdc7f170e -r 82162ea19cba mercurial/statichttprepo.py
--- a/mercurial/statichttprepo.py       Mon Aug 20 21:10:45 2007 -0500
+++ b/mercurial/statichttprepo.py       Wed Sep 12 05:21:39 2007 -0500
@@ -32,6 +32,7 @@ class statichttprepository(localrepo.loc
      def __init__(self, ui, path):
          self._url = path
          self.ui = ui
+        self.origroot = 'static-' + path
          self.path = (path + "/.hg")
          self.opener = opener(self.path)
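Review bot: `self.origroot = 'static-' + path` stores the URL unmodified, and the `printable_path()` added to localrepository, which this class appears to inherit, returns `self.origroot`. For a URL of the form `static-http://user:pass@host/` the status line would therefore still show the password. If embedded credentials are accepted for this repository type (not visible here), the path should go through the same user-only rebuild that httprepo.py performs before it is stored in `origroot`. `__init__` continues past the end of the hunk.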
diff -r bbdcdc7f170e -r 82162ea19cba tests/test-http-hide-password
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/test-http-hide-password     Wed Sep 12 05:21:39 2007 -0500
@@ -0,0 +1,30 @@
+#!/bin/sh
+
+hg init test
+hg clone test test2
+
+cd test
+echo '[web]'>>.hg/hgrc
+echo 'allow_push = *'>>.hg/hgrc
+echo 'push_ssl = False'>>.hg/hgrc
+echo foo>foo
+hg add foo
+hg ci -m "added foo"
+hg serve -p 20059 -d --pid-file=../hg.pid
+cd ..
+cat hg.pid >> $DAEMON_PIDS
+
+echo % pull with password
+cd test2
+hg pull -u http://user:pass@localhost:20059/
+cd ..
+hg verify -R test2
+
+echo % push with password
+cd test2
+echo foo>foo2
+hg add foo2
+hg ci -m "added foo2"
+hg push http://user:pass@localhost:20059/
+cd ..
+hg verify -R test
\ No newline at end of file
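Review bot: The test exercises only the success path of pull and push over http, and the hgrc written here configures no authentication, so `user:pass` is never actually checked by the server. A failing case would show whether abort messages also omit the password, and a `static-http://user:pass@...` pull would cover the other URL-based repository type this patch touches. The fixed port `20059` may also collide with other tests if the suite runs in parallel.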
diff -r bbdcdc7f170e -r 82162ea19cba tests/test-http-hide-password.out
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/test-http-hide-password.out Wed Sep 12 05:21:39 2007 -0500
@@ -0,0 +1,26 @@
+0 files updated, 0 files merged, 0 files removed, 0 files unresolved
+% pull with password
+pulling from http://user@localhost:20059/
+requesting all changes
+adding changesets
+adding manifests
+adding file changes
+added 1 changesets with 1 changes to 1 files
+1 files updated, 0 files merged, 0 files removed, 0 files unresolved
+checking changesets
+checking manifests
+crosschecking files in changesets and manifests
+checking files
+1 files, 1 changesets, 1 total revisions
+% push with password
+pushing to http://user@localhost:20059/
+searching for changes
+adding changesets
+adding manifests
+adding file changes
+added 1 changesets with 1 changes to 1 files
+checking changesets
+checking manifests
+crosschecking files in changesets and manifests
+checking files
+2 files, 2 changesets, 2 total revisions


