[PATCH] hgweb: do not ignore [auth] if url has a username (issue2822)

Patrick Mézard pmezard at gmail.com
Mon Aug 1 04:36:28 CDT 2011


On 31/07/11 23:51, Mads Kiilerich wrote:
> Patrick Mezard wrote, On 07/31/2011 06:46 PM:
>> # HG changeset patch
>> # User Patrick Mezard<pmezard at gmail.com>
>> # Date 1312024327 -7200
>> # Branch stable
>> # Node ID 552f90214f6f0f8bda5ba0b6e949c119faf4ab32
>> # Parent  56848e2bb0c5a43b580dd2ca7ce1e781d4e75b2b
>> hgweb: do not ignore [auth] if url has a username (issue2822)
>>
>> The [auth] section was ignored when handling URLs like:
>>
>>    http://user@example.com/foo
>>
>> Instead, we look in [auth] for an entry matching the URL and supplied user
>> name.
> 
> I noticed that it seems like it really fixes two issues:
> 
> First: [auth] wasn't used if the username was specified. This is a 1.9 regression and thus a 'serious' bug.
> 
> Second: [auth] was matched on prefix only, ignoring the specified username. I guess it has been like that forever and works as designed and is correct according to the "specification". It might be surprising, but it is existing behaviour and so harmless that it in worst case could be "fixed" by updating the documentation.

Yes, and AFAIK, it can only happen in the HTTPS case. See below for more details.

> I agree the second issue should be fixed too, but I wonder:
> * should it really be fixed in stable?
> * should the documentation be updated too?
> 
>> diff --git a/mercurial/httpconnection.py b/mercurial/httpconnection.py
>> --- a/mercurial/httpconnection.py
>> +++ b/mercurial/httpconnection.py
>> @@ -58,7 +58,7 @@
>>           return self._len
>>
>>   # moved here from url.py to avoid a cycle
>> -def readauthforuri(ui, uri):
>> +def readauthforuri(ui, uri, user=None):
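
Review bot: The `user=None` default on `readauthforuri(ui, uri, user=None)` means any caller that is not updated to pass `user` silently keeps selecting an [auth] entry on prefix alone, and no call site is visible in this hunk to confirm the username is supplied. Consider making `user` a required argument, or deriving it from `uri` inside the function, and add a docstring stating what `None` means (no username in the URL versus match any username), since the only comment above the function is about where it was moved from.
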
> 
> Why is user optional? If we want to be able to select auth entry based on username then we must make sure that we always supply the username. (The url username might not be so immediately available the other places we use readauthforuri ...)

I sent this patch Saturday when I saw Matt's notice about cutting 1.9.1 on Monday. After rereading my patch, it appeared that parsing the URL again in readauthforuri() to extract the username (as well as filtering it out) would be a better option since it would also fix the HTTPS case. I could not find the time to write the updated version and I do not currently understand the HTTPS code branch. I may take another look at it tonight or later this week; in the meantime, feel free to suggest your own version.

--
Patrick Mézard

