Issue #361 resolved

redirects from secure https to http when pushing

NaviServer
created an issue

Here's some output from a push:

$ hg push pushing to https://groks@bitbucket.org/naviserver/nsdbilite real URL is http://bitbucket.org/naviserver/nsdbilite/ ...

Notice that the 's' was dropped from 'https' at the start. hg asks for my password and the push succeeds.

I didn't try sniffing, but does this mean my password was sent in the clear?

Two bugs here: one is mercurial's -- it shouldn't switch from ssl to non-ssl when sending a password without complaining loudly. The other is bitbucket's -- need to be careful not to drop the https protocol when redirecting.

Comments (3)

  1. Jesper Nøhr
    [cantor/jespern] /tmp > hg clone https://bitbucket.org/naviserver/nsdbilite
    destination directory: nsdbilite
    real URL is https://bitbucket.org/naviserver/nsdbilite/
    requesting all changes
    adding changesets
    adding manifests
    adding file changes
    added 13 changesets with 22 changes to 10 files
    updating working directory
    10 files updated, 0 files merged, 0 files removed, 0 files unresolved
    

    Seems to work, yes?

  2. Log in to comment