[PATCH] Do not display passwords specified in URL
Manuel Holtgrewe
purestorm at ggnore.net
Mon Nov 5 19:43:38 UTC 2007
Hi,
I had a similar problem as Brad Schick had in [1]: If I specify a
password in the repository URL, then this password is printed on
pulling and pushing. In my opinion, this should not be the case.
I have thought of a (IMO) simple but elegant and effective solution
to the, Brad had when trying to create a workaround for the problem:
Why don't we simply keep entering the password in the URL but hide it
when displaying it?
This would get rid of the problem while keeping the required changes
to a minimum. I appended the necessary patch, you can also pull it
from [2].
Kind Regards,
Manuel
[1] http://www.selenic.com/pipermail/mercurial-devel/2007-August/
thread.html#2618
[2] https://hg.ggnore.net/source/hg-hide-pw
# HG changeset patch
# User Manuel Holtgrewe <purestorm at ggnore.net>
# Date 1194290972 -3600
# Node ID bcf5049c5a97673b7eec413d9a34b65ffc634f7a
# Parent 3aa5c45874c60560d75df74adbc964e107c8538a
Passwords specified in the repository URL are now displayed as '***'
when accessing the remote repository
diff -r 3aa5c45874c6 -r bcf5049c5a97 mercurial/commands.py
--- a/mercurial/commands.py Sat Oct 20 03:04:34 2007 +0200
+++ b/mercurial/commands.py Mon Nov 05 20:29:32 2007 +0100
@@ -1961,7 +1961,8 @@ def outgoing(ui, repo, dest=None, **opts
revs = [repo.lookup(rev) for rev in revs]
other = hg.repository(ui, dest)
- ui.status(_('comparing with %s\n') % dest)
+ cleaned_dest = util.hide_password_in_url(dest)
+ ui.status(_('comparing with %s\n') % cleaned_dest)
o = repo.findoutgoing(other, force=opts['force'])
if not o:
ui.status(_("no changes found\n"))
@@ -2094,7 +2095,8 @@ def pull(ui, repo, source="default", **o
cmdutil.setremoteconfig(ui, opts)
other = hg.repository(ui, source)
- ui.status(_('pulling from %s\n') % (source))
+ cleaned_source = util.hide_password_in_url(source)
+ ui.status(_('pulling from %s\n') % (cleaned_source))
if revs:
try:
revs = [other.lookup(rev) for rev in revs]
@@ -2141,7 +2143,8 @@ def push(ui, repo, dest=None, **opts):
cmdutil.setremoteconfig(ui, opts)
other = hg.repository(ui, dest)
- ui.status('pushing to %s\n' % (dest))
+ cleaned_dest = util.hide_password_in_url(dest)
+ ui.status('pushing to %s\n' % (cleaned_dest))
if revs:
revs = [repo.lookup(rev) for rev in revs]
r = repo.push(other, opts['force'], revs=revs)
diff -r 3aa5c45874c6 -r bcf5049c5a97 mercurial/util.py
--- a/mercurial/util.py Sat Oct 20 03:04:34 2007 +0200
+++ b/mercurial/util.py Mon Nov 05 20:29:32 2007 +0100
@@ -15,6 +15,7 @@ from i18n import _
from i18n import _
import cStringIO, errno, getpass, popen2, re, shutil, sys, tempfile,
strutil
import os, stat, threading, time, calendar, ConfigParser, locale,
glob, osutil
+import re, urlparse
try:
set = set
@@ -1688,3 +1689,23 @@ def uirepr(s):
def uirepr(s):
# Avoid double backslash in Windows path repr()
return repr(s).replace('\\\\', '\\')
+
+def hide_password_in_url(url_str):
+ '''replaces the password in the url string by three asterisks (***)
+
+ >>> hide_password_in_url('http://www.example.com/some/
path#fragment')
+ 'http://www.example.com/some/path#fragment'
+ >>> hide_password_in_url('http://me@www.example.com/some/
path#fragment')
+ 'http://me@www.example.com/some/path#fragment'
+ >>> hide_password_in_url('http://me:simplepw@www.example.com/
path#frag')
+ 'http://me:***@www.example.com/path#frag'
+ >>> hide_password_in_url('http://me:complex:pw@www.example.com/
path#frag')
+ 'http://me:***@www.example.com/path#frag'
+ '''
+ url_parts = list(urlparse.urlparse(url_str))
+ host_with_pw_pattern = re.compile('^([^:]*):([^@]*)@(.*)$')
+ if host_with_pw_pattern.match(url_parts[1]):
+ url_parts[1] = re.sub(host_with_pw_pattern, r'\1:***@\3',
+ url_parts[1])
+ return urlparse.urlunparse(url_parts)
+
diff -r 3aa5c45874c6 -r bcf5049c5a97 tests/test-doctest.py
--- a/tests/test-doctest.py Sat Oct 20 03:04:34 2007 +0200
+++ b/tests/test-doctest.py Mon Nov 05 20:29:32 2007 +0100
@@ -7,3 +7,6 @@ doctest.testmod(mercurial.changelog)
import mercurial.httprepo
doctest.testmod(mercurial.httprepo)
+
+import mercurial.util
+doctest.testmod(mercurial.util)
\ No newline at end of file
More information about the Mercurial-devel
mailing list