Issue909

Title: [fetch] HTTPS password displayed in automated merge log message
Priority: critical
Status: resolved
Superseder:
Nosy List: bos, jglick
Assigned To:
Topics: security

Created on 2008-01-03.18:07:21 by jglick, last changed 2008-02-05.15:28:36 by mpm.

Messages
msg4816 -- Author: jglick -- Date: 2008-01-04.21:43:44
Nice. BTW the two new params in hidepassword seem to be unused - mistake?
msg4815 -- Author: bos -- Date: 2008-01-04.20:04:13
Fixed in crew, 86f5d8f608b7
msg4801 -- Author: jglick -- Date: 2008-01-03.18:07:21
fetch.py has:

            message = (cmdutil.logmessage(opts) or
                       (_('Automated merge with %s') % other.url()))

If you are using HTTPS authentication and have put your username and password in
the URL in .hg/hgrc for convenience, hg fetch when doing a merge will produce a
commit with a message such as

  Automated merge with https://jhacker:supersecret@hg.nowhere.net/repo/

If you are not paying close attention and then push to the remote repository,
your password will then become a matter of permanent public record!

Probably should be using util.hidepassword here at least. Better would perhaps
be to remove the username as well, since it is not really relevant in this
context, and just use e.g.

  Automated merge with https://hg.nowhere.net/repo/
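The two remedies proposed in this report, masking only the password versus dropping the whole userinfo part, and a check that a commit message does not already carry embedded credentials, as an added illustration. This is example code written for this page, not Mercurial's fetch.py or util.hidepassword; the function names, the sample URL and the sample messages are constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Matches "scheme://user:password@" at the start of a URL. Used to audit
# commit messages for credentials that were pasted in from a remote URL.
_CRED_URL_RE = re.compile(r"\b[A-Za-z][A-Za-z0-9+.\-]*://[^\s/@]+:[^\s/@]+@")


def hide_password(url):
    """Mask the password in the userinfo part of url, keeping the username.

    Operates on the netloc only, so an '@' in the path or query is left alone.
    URLs without a password are returned unchanged. (Constructed example; not
    Mercurial's util.hidepassword.)
    """
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    userinfo, host = parts.netloc.rsplit("@", 1)
    if ":" not in userinfo:
        return url  # username only, nothing secret to mask
    username = userinfo.split(":", 1)[0]
    netloc = "%s:***@%s" % (username, host)
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def strip_userinfo(url):
    """Drop both username and password from url, as the report suggests is
    preferable for an automated log message where the user is irrelevant."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    host = parts.netloc.rsplit("@", 1)[1]
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def unsafe_merge_message(other_url, logmessage=None):
    """The pattern the report describes: the remote URL is interpolated
    verbatim, so credentials in the URL end up in the commit message."""
    return logmessage or ("Automated merge with %s" % other_url)


def safe_merge_message(other_url, logmessage=None):
    """Hardened form: the userinfo part never reaches the commit message."""
    return logmessage or ("Automated merge with %s" % strip_userinfo(other_url))


def message_contains_credentials(message):
    """Audit helper: True if a commit message embeds a user:password@ URL.
    Useful for scanning existing history before pushing to a public remote."""
    return _CRED_URL_RE.search(message) is not None


if __name__ == "__main__":
    # Constructed sample URL in the shape used in the report.
    url = "https://jhacker:supersecret@hg.nowhere.net/repo/"
    print(unsafe_merge_message(url))   # leaks the password
    print(hide_password(url))          # https://jhacker:***@hg.nowhere.net/repo/
    print(safe_merge_message(url))     # Automated merge with https://hg.nowhere.net/repo/
    print(message_contains_credentials(unsafe_merge_message(url)))  # True
```

Masking with `***` keeps the log readable while removing the secret; stripping the whole userinfo is the simpler choice for a generated message because, as the report notes, the username carries no information the merge record needs. The audit regex only matches the `user:password@` form, so a URL with a bare username is not reported.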
History
Date                 User    Action  Args
2008-02-05 15:28:36  mpm     set     status: testing -> resolved; nosy: bos, jglick
2008-01-04 21:43:45  jglick  set     nosy: bos, jglick; messages: + msg4816
2008-01-04 20:04:14  bos     set     status: unread -> testing; nosy: + bos; messages: + msg4815
2008-01-03 18:07:21  jglick  create