[issue909] [fetch] HTTPS password displayed in automated merge log message

Jesse Glick mercurial-bugs at selenic.com
Thu Jan 3 12:07:21 CST 2008


New submission from Jesse Glick <jesse.glick at sun.com>:

fetch.py has:

            message = (cmdutil.logmessage(opts) or
                       (_('Automated merge with %s') % other.url()))

If you are using HTTPS authentication and have put your username and password in
the URL in .hg/hgrc for convenience, hg fetch when doing a merge will produce a
commit with a message such as

  Automated merge with https://jhacker:supersecret@hg.nowhere.net/repo/

If you are not paying close attention and then push to the remote repository,
your password will become a matter of permanent public record!

Probably should be using util.hidepassword here at least. Better would perhaps
be to remove the username as well, since it is not really relevant in this
context, and just use e.g.

  Automated merge with https://hg.nowhere.net/repo/

----------
messages: 4801
nosy: jglick
priority: critical
status: unread
title: [fetch] HTTPS password displayed in automated merge log message
topic: security

____________________________________________________
Mercurial issue tracker <mercurial-bugs at selenic.com>
<http://www.selenic.com/mercurial/bts/issue909>
____________________________________________________
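The two fixes proposed in the report (mask the password the way util.hidepassword does, or drop the userinfo part of the URL entirely before it goes into the commit message), plus a check that catches the leak before a push, as an added example. This is standalone illustration code, not Mercurial's fetch.py or util.hidepassword; the function names hide_password, strip_userinfo, merge_message and leaks_credentials are assumptions made for the example, and the URL is the one from the report.

```python
import re
from urllib.parse import urlsplit, urlunsplit


def _split_netloc(netloc):
    """Split 'user:pass@host:port' into (user, password, hostport).

    user is None when there is no userinfo; password is None when the
    userinfo carries no ':'.  rpartition is used because a literal '@' in a
    password must be percent-encoded in a valid URL, so the last '@' always
    separates userinfo from the host.
    """
    userinfo, sep, hostport = netloc.rpartition("@")
    if not sep:
        return None, None, netloc
    user, sep, password = userinfo.partition(":")
    return user, (password if sep else None), hostport


def hide_password(url):
    """Keep the username but replace the password with '***'
    (the hidepassword-style fix suggested in the report)."""
    parts = urlsplit(url)
    user, password, hostport = _split_netloc(parts.netloc)
    if password is None:
        return url  # nothing secret in the URL
    return urlunsplit(parts._replace(netloc="%s:***@%s" % (user, hostport)))


def strip_userinfo(url):
    """Drop the whole user:password@ part; only scheme, host, port and path
    remain (the stronger fix suggested in the report)."""
    parts = urlsplit(url)
    user, _password, hostport = _split_netloc(parts.netloc)
    if user is None:
        return url
    return urlunsplit(parts._replace(netloc=hostport))


def merge_message(other_url):
    """Hardened replacement for the fetch.py message: the remote URL is
    sanitised before it is formatted into the commit message."""
    return "Automated merge with %s" % strip_userinfo(other_url)


# scheme://user:password@ -- matches only when both a user and a password
# are present; 'host:port' without '@' does not match.
_CRED_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*://[^/\s@:]+:[^/\s@]+@")


def leaks_credentials(message):
    """Pre-push check: does a commit message embed URL credentials?"""
    return _CRED_RE.search(message) is not None


if __name__ == "__main__":
    # Constructed input: the URL from the report as it would sit in .hg/hgrc.
    remote = "https://jhacker:supersecret@hg.nowhere.net/repo/"
    print(hide_password(remote))
    print(merge_message(remote))
    print(leaks_credentials("Automated merge with %s" % remote))
```

Running the check over the original, unsanitised message flags it, while the message built by merge_message passes; the regex can also be run as a pretxncommit hook over every commit message so a leaked credential is rejected at commit time rather than discovered after a push.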



More information about the Mercurial-devel mailing list