[PATCH] hide passwords in httprepo error messages
Steve Borho
steve at borho.org
Sun Apr 12 11:50:54 CDT 2009
On Sun, Apr 12, 2009 at 9:06 AM, Patrick Mézard <pmezard at gmail.com> wrote:
> Steve Borho a écrit :
>> # HG changeset patch
>> # User Steve Borho <steve at borho.org>
>> # Date 1239492861 18000
>> # Node ID a9bc0242f1e3c607f06f78b94542917b39116404
>> # Parent db3a68fd9387d10308148bbf1a18c89bf50ce96d
>> hide passwords in httprepo error messages
>
> Nice catch.
I had just added password hiding to the tortoisehg synch dialog, and
was quite surprised to see my password showing up in an error message.
> Shouldn't we extend this to status()/debug() messages too?
> Looking at the code, I would hide passwords in the "cu" and "resp_url" variables too, and patch against -stable.
resp_url does not include a username or password, it's a raw http url.
Not sure about cu. It is a debug message, perhaps the user wants to
see his password in this case?
--
Steve Borho
More information about the Mercurial-devel
mailing list