[PATCH] url: avoid re-issuing incorrect password (issue3210)

[Yuya Nishihara]

On Fri, 29 Jul 2016 10:32:10 -0500, Matt Mackall wrote:
> On Fri, 2016-07-29 at 14:46 +0000, Kim Randell wrote:
> > # HG changeset patch
> > # User Kim Randell
> > # Date 1469792767 -3600
> > #      Fri Jul 29 12:46:07 2016 +0100
> > # Branch stable
> > # Node ID 9ae7fc90e0bac36de9b725587eb093f98b34619f
> > # Parent  8421cbebc783e7f3cb17cfb62b4095113f8d666b
> > url: avoid re-issuing incorrect password (issue3210)
> > 
> > Some draconian IT setups lock accounts after a small number of incorrect
> > password attempts. Mercurial's implementation of the urllib2 authentication
> > was
> > causing 5 retry attempts with the same credentials, without prompting the
> > user.
> > The code was attempting to check whether the authorization token had changed,
> > but unfortunately was reading the misleading 'headers' member of the request
> > instead of using the 'get_header' accessor.
> > 
> > Modelled on fix for Python issue 8797:
> > https://bugs.python.org/issue8797
> > https://hg.python.org/cpython/rev/30e8a8f22a2a
> 
> Wow, this looks too simple to be true!
> 
> The salient difference between headers.get and get_headers is:
> 
>     def get_header(self, header_name, default=None):
>         return self.headers.get(
>             header_name,
>             self.unredirected_hdrs.get(header_name, default))
> 
> ..this unredirected_hdrs field, which is where we're actually stashing the auth
> header:
> 
>             req.add_unredirected_header(self.auth_header, auth)
> 
> Looks like our copy of this code went in in Dec 2013, while the fix went into
> CPython (buried in a much larger patch, ugh) in Aug 2014.

Yeah, this patch looks good per comparing our initial copy, a939eeb94833, and
CPython history.

check-commit complains. Kim, can we copy your email address?

+  Revision 87b01d3c2222 does not comply with rules
+  ------------------------------------------------------
+  1: username is not an email address
+   # User Kim Randell