Page MenuHomePhabricator
Create Task
Maniphest T7959

Mercurial doesn't store HTTP passwords in config anymore
Closed, ResolvedPublic
Actions

Description

When you:

hg clone http://user:pass@domain.com/repo.hg

...Mercurial used to store the password in the paths for the repository, and (apparently) used to be able to hg pull without additional changes.

In recent versions of Mercurial, the password is not stored, so the hg pull fails. Adding the password to the file explicitly also reportedly does not work.

The easiest fix is probably to add an [auth] section to .hg/hgrc, per instructions like this:

http://stackoverflow.com/questions/2584407/how-to-save-username-and-password-with-mercurial

Revisions and Commits

rP Phabricator
ClosedD14092 Fix Mercurial unable to authenticate with HTTP when pulling

Related Objects

Event Timeline

epriestley created this task.Apr 27 2015, 4:16 PM
epriestley raised the priority of this task from to Normal.
epriestley updated the task description. (Show Details)
epriestley added projects: Mercurial, Diffusion.
epriestley added a subscriber: epriestley.
epriestley added a comment.Apr 27 2015, 4:19 PM

Example working hgrc:

hgrc
[paths]
default = http://scm.example.com/XYZ
 
[auth]
xyz.prefix = http://scm.example.com/XYZ
xyz.username = phabricator
xyz.password = hunter2
epriestley merged a task: T8294: Cannot update mercurial repository over http.May 22 2015, 1:37 PM
epriestley added subscribers: avivey, razik.
epriestley mentioned this in T8303: Mercurial hooks.May 25 2015, 1:01 AM
epriestley merged a task: T9387: Diffusion is unable to pull updates from a Mercurial repository with HTTP authentication.Sep 10 2015, 12:27 PM
epriestley added subscribers: cspeckmim, berenm.
berenm mentioned this in D14092: Fix Mercurial unable to authenticate with HTTP when pulling .EditedSep 10 2015, 12:30 PM

D14092 is a patch that doesn't require to store the password as clear text in the hgrc.

epriestley added a comment.Sep 10 2015, 12:30 PM

@berenm suggests what is likely a simpler fix here:

https://github.com/phacility/phabricator/pull/812

Specifically, just provide a source argument to hg pull explicitly.

I think this is probably reasonable. We get into a slight amount of trouble if the remote URI changes, but not really any moreso than we otherwise would, and this is simpler and less error-prone.

epriestley mentioned this in rP738cb1fa7827: Fix Mercurial unable to authenticate with HTTP when pulling.Sep 10 2015, 12:40 PM
epriestley closed this task as Resolved.Sep 10 2015, 12:42 PM
epriestley claimed this task.
epriestley added a revision: D14092: Fix Mercurial unable to authenticate with HTTP when pulling .

This should be resolved by D14092. Thanks for the fix!

One minor issue with this approach is that adversaries on the same host can now read the password out of the process list (see T6994). This isn't a threat we aim to protect against, and this isn't the only command with this problem, but using an argument instead of a file on disk is more of a change to the threat than a strict reduction.

Phabricator · Built by Phacility