[PATCH] url: avoid re-issuing incorrect password (issue3210)
yuya at tcha.org
Sat Jul 30 06:59:28 EDT 2016
On Fri, 29 Jul 2016 10:32:10 -0500, Matt Mackall wrote:
> On Fri, 2016-07-29 at 14:46 +0000, Kim Randell wrote:
> > # HG changeset patch
> > # User Kim Randell
> > # Date 1469792767 -3600
> > # Fri Jul 29 12:46:07 2016 +0100
> > # Branch stable
> > # Node ID 9ae7fc90e0bac36de9b725587eb093f98b34619f
> > # Parent 8421cbebc783e7f3cb17cfb62b4095113f8d666b
> > url: avoid re-issuing incorrect password (issue3210)
> > Some draconian IT setups lock accounts after a small number of incorrect
> > password attempts. Mercurial's implementation of the urllib2 authentication
> > was causing 5 retry attempts with the same credentials, without prompting
> > the user.
> > The code was attempting to check whether the authorization token had changed,
> > but unfortunately was reading the misleading 'headers' member of the request
> > instead of using the 'get_header' accessor.
> > Modelled on fix for Python issue 8797:
> > https://bugs.python.org/issue8797
> > https://hg.python.org/cpython/rev/30e8a8f22a2a
> Wow, this looks too simple to be true!
> The salient difference between headers.get and get_headers is:
>     def get_header(self, header_name, default=None):
>         return self.headers.get(
>             header_name,
>             self.unredirected_hdrs.get(header_name, default))
> ..this unredirected_hdrs field, which is where we're actually stashing the auth
>     req.add_unredirected_header(self.auth_header, auth)
> Looks like our copy of this code went in in Dec 2013, while the fix went into
> CPython (buried in a much larger patch, ugh) in Aug 2014.
Yeah, this patch looks good per comparing our initial copy, a939eeb94833, and
check-commit complains. Kim, can we copy your email address?
+ Revision 87b01d3c2222 does not comply with rules
+ 1: username is not an email address
+ # User Kim Randell
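
Added example, not part of the original message or of Mercurial's code: a small Python 3 model of the check discussed above, using urllib.request.Request (the Python 3 counterpart of urllib2's Request). The URL, credentials, helper names and the retry cap of 5 are constructed for illustration; no network traffic is generated.

```python
import base64
from urllib.request import Request

AUTH_HEADER = "Authorization"


def basic_token(user, password):
    """Build a Basic auth header value (constructed sample credentials)."""
    raw = ("%s:%s" % (user, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def already_sent_buggy(req, auth):
    # Pre-fix check: req.headers never holds the token, because the handler
    # stores it with add_unredirected_header(), so this is always False.
    return req.headers.get(AUTH_HEADER, None) == auth


def already_sent_fixed(req, auth):
    # Post-fix check: get_header() also consults req.unredirected_hdrs.
    return req.get_header(AUTH_HEADER, None) == auth


def count_credential_sends(already_sent, retry_cap=5):
    """Model a server answering 401 every time; count sends of one bad password."""
    req = Request("https://hg.example.invalid/repo")  # constructed URL
    auth = basic_token("kim", "wrong-password")
    sends = 0
    for _ in range(retry_cap):  # each iteration handles one 401 response
        if already_sent(req, auth):
            break  # stop so the caller can prompt the user again
        req.add_unredirected_header(AUTH_HEADER, auth)
        sends += 1  # request re-issued with the same token
    return sends


if __name__ == "__main__":
    print("buggy check:", count_credential_sends(already_sent_buggy), "sends")
    print("fixed check:", count_credential_sends(already_sent_fixed), "sends")
```

With an account lockout threshold below the retry cap, the first result is the lockout case described in the commit message.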