[PATCH STABLE v2] clone: don't save user's password in .hg/hgrc (Issue3122)

Augie Fackler durin42 at gmail.com
Tue Nov 22 12:30:30 CST 2011 

# HG changeset patch
# User Augie Fackler <durin42 at gmail.com>
# Date 1321985202 21600
# Branch stable
# Node ID b90f57453041191bd7e47a5dea5639fa93073936
# Parent  f76584098c88fadcb74a8aa5c9c7efb2fb25b682
clone: don't save user's password in .hg/hgrc (Issue3122)

diff --git a/mercurial/hg.py b/mercurial/hg.py
--- a/mercurial/hg.py
+++ b/mercurial/hg.py
@@ -356,10 +356,13 @@
         if destrepo.local():
             fp = destrepo.opener("hgrc", "w", text=True)
             fp.write("[paths]\n")
-            fp.write("default = %s\n" % abspath)
+            u = util.url(abspath)
+            u.passwd = None
+            defaulturl = str(u)
+            fp.write("default = %s\n" % defaulturl)
             fp.close()
 
-            destrepo.ui.setconfig('paths', 'default', abspath)
+            destrepo.ui.setconfig('paths', 'default', defaulturl)
 
             if update:
                 if update is not True:
diff --git a/tests/test-pull-http.t b/tests/test-pull-http.t
--- a/tests/test-pull-http.t
+++ b/tests/test-pull-http.t
@@ -12,13 +12,30 @@
   $ echo a >> a
   $ hg ci -mb
 
+Cloning with a password in the URL should not save the password in .hg/hgrc:
+
+  $ hg serve -p $HGPORT -d --pid-file=hg.pid -E errors.log
+  $ cat hg.pid >> $DAEMON_PIDS
+  $ hg clone http://foo:xyzzy@localhost:$HGPORT/ test3
+  requesting all changes
+  adding changesets
+  adding manifests
+  adding file changes
+  added 2 changesets with 2 changes to 1 files
+  updating to branch default
+  1 files updated, 0 files merged, 0 files removed, 0 files unresolved
+  $ cat test3/.hg/hgrc
+  [paths]
+  default = http://foo@localhost:$HGPORT/
+  $ "$TESTDIR/killdaemons.py"
+
 expect error, cloning not allowed
 
   $ echo '[web]' > .hg/hgrc
   $ echo 'allowpull = false' >> .hg/hgrc
   $ hg serve -p $HGPORT -d --pid-file=hg.pid -E errors.log
   $ cat hg.pid >> $DAEMON_PIDS
-  $ hg clone http://localhost:$HGPORT/ test3
+  $ hg clone http://localhost:$HGPORT/ test4
   requesting all changes
   abort: authorization failed
   [255]
diff --git a/tests/test-pull.t b/tests/test-pull.t
--- a/tests/test-pull.t
+++ b/tests/test-pull.t
@@ -43,7 +43,7 @@
   2ed2a3912a0b24502043eae84ee4b279c18b90dd 644   foo
 
   $ hg pull
-  pulling from http://foo:***@localhost:$HGPORT/
+  pulling from http://foo@localhost:$HGPORT/
   searching for changes
   no changes found

More information about the Mercurial-devel mailing list