Security issue: how to use HTTP user as Mercurial user
Benoit Boissinot
bboissin at gmail.com
Mon Jun 7 23:27:54 UTC 2010
On Mon, Jun 7, 2010 at 11:41 PM, Zeljko Trogrlic <zeljko_t at post.htnet.hr> wrote:
> Hi all,
>
> I am using Apache + mod_wsgi + mod_auth_sspi + Mercurial 1.5.4 on Windows.
>
> Authentication works fine, but there is one security issue:
> instead of the user authenticated on Apache,
> the username configured in the user's mercurial.ini [ui] section
> is stored in the repository as the changeset's author.
>
> It means that users can fake their username, making traceability impossible.
>
> How can I configure Mercurial to use the user authenticated by Apache as
> the Mercurial user?
It is more or less against the spirit of a *distributed* VCS.
You can have a look at this thread:
http://markmail.org/thread/gbk2skeljelu26wm for more information and
a potential solution (for example pushlog, like Mozilla does).
Cheers,
Benoit
(it should probably go in the FAQ)