[PATCH 1 of 1 STABLE] http digest auth: reset redirect counter on new requests (issue2255)

Mads Kiilerich mads at kiilerich.com
Mon Jun 28 08:23:32 CDT 2010


On 06/28/2010 05:03 AM, Matt Mackall wrote:
> On Mon, 2010-06-28 at 11:52 +0900, Nicolas Dumazet wrote:
>> 2010/6/28 Matt Mackall<mpm at selenic.com>:
>>> On Sat, 2010-06-26 at 21:25 -0300, Wagner Bruna wrote:
>>>> # HG changeset patch
>>>> # User Mads Kiilerich<mads at kiilerich.com>
>>>> # Date 1277586058 -7200
>>>> # Branch stable
>>>> # Node ID f19b6d8ae201d91396a4e32157c1c1698efb45ed
>>>> # Parent  b9a46acdfe1f8f5c5c0ff63bf759b590e6780c81
>>>> http digest auth: reset redirect counter on new requests (issue2255)
>>>
>>> Why is Mads' name attached to this?
>>
>> Because it's based on Mads' patch.

(Google broke my mail for 48 hours. GRRR. wbruna was helpful and posted 
the patch for me.)

>> see http://mercurial.selenic.com/bts/issue2255 for the reason
>
> I looked at that, and found it ambiguous. I'd rather hear Mads say "yes,
> please take this patch".

Yes, please take this patch - or back a1e575b48563 out and blame 
somebody else.

It _is_ a high risk patch, but I am not sure it is more risky than using 
urllib2 in general. The impact of issue2179 was however smaller than the 
potential impact of this patch combined with previous and future 
versions of urllib2.

The handling of redirects in urllib2 seems to be fundamentally broken. 
The redirect counter in digest auth is hardcoded to stop after 5 
redirects, but the counter is reset on (some) redirects (sic!) and will 
thus loop forever in some cases. The counter will however not be reset 
in any other cases, so when the digest auth is reused for several 
requests (for example when exploring remote changesets) the counter will 
reach the limit.

In Python 2.6.6 (and apparently backported to Debian 2.6.5) basic auth 
has the same feature.

/Mads
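
The counter behaviour described in the message above, as an added example that is not part of the original e-mail and is neither urllib2's code nor the Mercurial patch. It is a simplified Python model (the `Handler` class, the three reset policies, the exact limit check and `SAFETY_CAP` are assumptions made for illustration) comparing no reset, reset after every challenge, and reset once per new request:

```python
# Simplified model of a per-handler auth retry counter. NOT urllib2 code and
# NOT the Mercurial patch; all names and the limit check are assumptions.
LIMIT = 5          # hardcoded cap described in the message
SAFETY_CAP = 100   # demo-only guard so the "loops forever" case terminates


class AuthFailed(Exception):
    pass


class Handler:
    """policy says when the counter resets:
    'never' | 'on_challenge' | 'per_request'."""

    def __init__(self, policy):
        self.policy = policy
        self.retried = 0
        self.last_req = None

    def on_401(self, req):
        # per_request: reset exactly once when a new request object shows up
        if self.policy == "per_request" and req is not self.last_req:
            self.last_req = req
            self.retried = 0
        if self.retried >= LIMIT:
            raise AuthFailed("retry limit reached")
        self.retried += 1
        if self.policy == "on_challenge":
            self.retried = 0  # reset after every challenge: limit never trips


def fetch(handler, req, challenges):
    """Send one request; the server answers 401 `challenges` times, then 200.
    challenges=None models a server that rejects the credentials every time."""
    rounds = 0
    while challenges is None or rounds < challenges:
        if rounds >= SAFETY_CAP:
            return "looping"  # would never end without the demo guard
        handler.on_401(req)
        rounds += 1
    return "ok"


def run(policy, n_requests=10, challenges=1):
    """Reuse one handler for several requests and report each outcome."""
    h, out = Handler(policy), []
    for _ in range(n_requests):
        try:
            out.append(fetch(h, object(), challenges))
        except AuthFailed:
            out.append("auth-failed")
    return out
```

With `never`, a handler reused across ten well-behaved requests starts failing at the sixth; with `on_challenge`, a server that always answers 401 is retried without bound; `per_request` avoids both.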

