
Mercurial doesn't store HTTP passwords in config anymore
Closed, Resolved (Public)

Description

When you:

hg clone http://user:pass@domain.com/repo.hg

...Mercurial used to store the password in the paths for the repository, and (apparently) used to be able to hg pull without additional changes.

In recent versions of Mercurial, the password is not stored, so the hg pull fails. Adding the password to the file explicitly also reportedly does not work.

The easiest fix is probably to add an [auth] section to .hg/hgrc, per instructions like this:

http://stackoverflow.com/questions/2584407/how-to-save-username-and-password-with-mercurial

Event Timeline

epriestley raised the priority of this task from to Normal.
epriestley updated the task description.
epriestley added projects: Mercurial, Diffusion.
epriestley added a subscriber: epriestley.

Example working hgrc:

hgrc
[paths]
default = http://scm.example.com/XYZ

[auth]
xyz.prefix = http://scm.example.com/XYZ
xyz.username = phabricator
xyz.password = hunter2

D14092 is a patch that doesn't require storing the password as clear text in the hgrc.

@berenm suggests what is likely a simpler fix here:

https://github.com/phacility/phabricator/pull/812

Specifically, just provide a source argument to hg pull explicitly.

I think this is probably reasonable. We get into a slight amount of trouble if the remote URI changes, but not really any more so than we otherwise would, and this is simpler and less error-prone.

epriestley closed this task as Resolved. Sep 10 2015, 12:42 PM
epriestley claimed this task.

This should be resolved by D14092. Thanks for the fix!

One minor issue with this approach is that adversaries on the same host can now read the password out of the process list (see T6994). This isn't a threat we aim to protect against, and this isn't the only command with this problem, but using an argument instead of a file on disk is more of a change to the threat than a strict reduction.
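
The two options weighed in this thread, side by side, as an added sketch that is not part of the thread, Phabricator's code or the D14092 patch: an owner-only hgrc with an [auth] entry, and a pull argv carrying the full URI, with a redaction helper for anything that logs that argv. All function names are hypothetical, the auth entry name xyz and the sample values are taken from the example hgrc above, and the argv shape is assumed from "provide a source argument to hg pull".

```python
import os
from urllib.parse import unquote, urlsplit, urlunsplit

# All function names here are hypothetical; nothing below is Phabricator code.

def split_credentials(uri):
    """Return (uri_without_userinfo, username, password)."""
    p = urlsplit(uri)
    host = p.netloc.rpartition("@")[2]  # drop "user:pass@", keep host[:port]
    clean = urlunsplit((p.scheme, host, p.path, p.query, p.fragment))
    user = unquote(p.username) if p.username else None
    password = unquote(p.password) if p.password else None
    return clean, user, password

def render_hgrc(uri, name="xyz"):
    """File option: credential-free [paths] plus an [auth] entry."""
    clean, user, password = split_credentials(uri)
    if not (user and password):
        raise ValueError("URI carries no credentials")
    return (f"[paths]\ndefault = {clean}\n\n"
            f"[auth]\n{name}.prefix = {clean}\n"
            f"{name}.username = {user}\n{name}.password = {password}\n")

def write_private(path, text):
    """Write text to path with mode 0600, so only the owner can read it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        os.fchmod(fd, 0o600)  # also tighten a file that already existed
        fh.write(text)

def pull_argv(uri):
    """Argument option (assumed shape): the full URI is the pull source."""
    return ["hg", "pull", uri]

def redact_argv(argv):
    """Mask URI passwords, e.g. before logging. Returns (argv, leaked)."""
    out, leaked = [], False
    for arg in argv:
        p = urlsplit(arg)
        if p.scheme and p.password:
            leaked = True
            arg = arg.replace(f":{p.password}@", ":********@", 1)
        out.append(arg)
    return out, leaked

if __name__ == "__main__":
    uri = "http://phabricator:hunter2@scm.example.com/XYZ"  # from the example hgrc
    print(render_hgrc(uri))
    print(redact_argv(pull_argv(uri)))
```

Redaction only covers what gets written to logs; the argv of the running process stays visible to other local users for as long as the pull runs, which is the trade-off described in the last comment.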