Ref T6755. In Git and Subversion, running git clone http://google.com/ or svn checkout http://google.com/ does not echo the response body.
In Mercurial, it does. Censor it from the output of hg pull and hg clone. This prevents an attacker from:
- Creating a Mercurial remote repository with URI http://10.0.0.1/secrets/; and
- reading the secrets out of the error message after the clone fails.