[Bug 6963] New: hg gets confused when receiving a https redirect while using a proxy

mercurial-bugs at mercurial-scm.org mercurial-bugs at mercurial-scm.org
Wed Apr 9 16:46:27 UTC 2025 

https://bz.mercurial-scm.org/show_bug.cgi?id=6963

            Bug ID: 6963
           Summary: hg gets confused when receiving a https redirect while
                    using a proxy
           Product: Mercurial
           Version: unspecified
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: bug
          Priority: wish
         Component: Mercurial
          Assignee: bugzilla at mercurial-scm.org
          Reporter: jcristau at debian.org
                CC: mercurial-devel at mercurial-scm.org
    Python Version: ---

Reproduced using:
- squid listening on localhost:3128
- apache httpd listening on https://localhost with a self-signed cert,
configured with `Redirect /hg https://hg-edge.mozilla.org`

```
http_proxy=http://localhost:3128  pdb3 -c 'import http.client' -c
'http.client.HTTPConnection.debuglevel=1' -c continue /usr/bin/hg clone
--insecure --config http_proxy.always=true
https://localhost/hg/hgcustom/version-control-tools
b'send:' b'CONNECT localhost:443 HTTP/1.0\r\n'
b'send:' b'\r\n'
warning: connection security to localhost is disabled per current settings;
communication is susceptible to eavesdropping and tampering
b'send:' b'GET /hg/hgcustom/version-control-tools?cmd=capabilities
HTTP/1.1\r\nAccept-Encoding: identity\r\naccept:
application/mercurial-0.1\r\nhost: localhost\r\nuser-agent: mercurial/proto-1.0
(Mercurial 6.9.4)\r\n\r\n'
reply: 'HTTP/1.1 302 Found\r\n'
header: Date: Wed, 09 Apr 2025 16:28:31 GMT
header: Server: Apache/2.4.63 (Debian)
header: Location:
https://hg-edge.mozilla.org/hgcustom/version-control-tools?cmd=capabilities
header: Content-Length: 335
header: Content-Type: text/html; charset=iso-8859-1
b'send:' b'GET /hgcustom/version-control-tools?cmd=capabilities
HTTP/1.1\r\nAccept-Encoding: identity\r\naccept:
application/mercurial-0.1\r\nhost: hg-edge.mozilla.org\r\nuser-agent:
mercurial/proto-1.0 (Mercurial 6.9.4)\r\n\r\n'
reply: 'HTTP/1.1 404 Not Found\r\n'
header: Date: Wed, 09 Apr 2025 16:28:31 GMT
header: Server: Apache/2.4.63 (Debian)
header: Content-Length: 282
header: Content-Type: text/html; charset=iso-8859-1
abort: HTTP Error 404: Not Found
The program exited via sys.exit(). Exit status: 255
The program finished and will be restarted
```

We can see there that after the redirect, hg never sends `CONNECT
hg-edge.mozilla.org:443`, and so the new request is sent to the original host
instead.

Originally reported at https://bugs.launchpad.net/launchpad/+bug/2106461 and
https://bugzilla.mozilla.org/show_bug.cgi?id=1959126.

For comparison:

```
$ https_proxy=http://localhost:3128 http_proxy=http://localhost:3128  pdb3 -c
'import http.client' -c 'http.client.HTTPConnection.debuglevel=1' -c 'import
urllib.request, ssl' -c
'urllib.request.urlopen("https://localhost/hg/hgcustom/version-control-tools",
context=ssl.SSLContext())' /dev/null
<stdin>:1: DeprecationWarning: ssl.SSLContext() without protocol argument is
deprecated.
<stdin>:1: DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
send: b'CONNECT localhost:443 HTTP/1.1\r\nHost: localhost:443\r\n\r\n'
header: 

send: b'GET /hg/hgcustom/version-control-tools HTTP/1.1\r\nAccept-Encoding:
identity\r\nHost: localhost\r\nUser-Agent: Python-urllib/3.13\r\nConnection:
close\r\n\r\n'
reply: 'HTTP/1.1 302 Found\r\n'
header: Date: Wed, 09 Apr 2025 16:45:08 GMT
header: Server: Apache/2.4.63 (Debian)
header: Location: https://hg-edge.mozilla.org/hgcustom/version-control-tools
header: Content-Length: 318
header: Connection: close
header: Content-Type: text/html; charset=iso-8859-1
send: b'CONNECT hg-edge.mozilla.org:443 HTTP/1.1\r\nHost:
hg-edge.mozilla.org:443\r\n\r\n'
header: 

send: b'GET /hgcustom/version-control-tools HTTP/1.1\r\nAccept-Encoding:
identity\r\nHost: hg-edge.mozilla.org\r\nUser-Agent:
Python-urllib/3.13\r\nConnection: close\r\n\r\n'
reply: 'HTTP/1.1 200 OK\r\n'
header: Connection: close
header: content-type: text/html; charset=UTF-8
header: cache-control: no-cache
header: access-control-allow-origin: *
header: accept-ranges: bytes
header: server: Apache
header: content-security-policy: default-src 'none'; connect-src 'self'
https://bugzilla.mozilla.org/; img-src 'self'; script-src
https://hg.mozilla.org/static/ https://hg-edge.mozilla.org/static/
'nonce-IPD_sRD6RyeOoGXXIzA7FA'; style-src 'self' 'unsafe-inline';
upgrade-insecure-requests; frame-ancestors https:
header: via: 1.1 varnish, 1.1 varnish
header: x-content-type-options: nosniff
header: strict-transport-security: max-age=31536000
header: x-cache-info: not cacheable; response specified "Cache-Control:
no-cache"
header: Date: Wed, 09 Apr 2025 16:45:09 GMT
header: X-Served-By: cache-par-lfpg1960065-PAR, cache-par-lfpg1960074-PAR
header: X-Cache: MISS, MISS
header: X-Cache-Hits: 0, 0
header: X-Timer: S1744217109.716684,VS0,VE489
header: Vary: Accept-Encoding
header: transfer-encoding: chunked
<http.client.HTTPResponse object at 0x7fb50bcffe50>
> /dev/null(0)<module>()
(Pdb) q
```

-- 
You are receiving this mail because:
You are on the CC list for the bug.

More information about the Mercurial-devel mailing list