redirects from secure https to http when pushing

Issue #361 resolved

Here's some output from a push:

$ hg push
pushing to
real URL is
...

Notice that the 's' was dropped from 'https' at the start. hg asks for my password and the push succeeds.

I didn't try sniffing, but does this mean my password was sent in the clear?

Two bugs here: one is Mercurial's -- it shouldn't switch from SSL to non-SSL when sending a password without complaining loudly. The other is Bitbucket's -- it needs to be careful not to drop the https protocol when redirecting.
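The client-side check the report asks for, refusing a redirect that leaves https rather than following it silently, as an added example using Python's standard urllib. It is not Mercurial's or Bitbucket's code; the class name, the helper functions and the example.invalid URLs are assumptions made for illustration.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit


class NoDowngradeRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Hypothetical handler: fail loudly on any https -> non-https redirect."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        old = urlsplit(req.full_url)
        new = urlsplit(newurl)
        if old.scheme == "https" and new.scheme != "https":
            # Stop before a second request (and any credentials sent with it)
            # goes out over the unencrypted scheme.
            raise urllib.error.HTTPError(
                req.full_url, code,
                "refusing redirect from https to %s://%s"
                % (new.scheme, new.netloc),
                headers, fp)
        # Same-scheme redirects and http -> https upgrades use stock behaviour.
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def build_safe_opener():
    """Opener that follows redirects but never leaves https."""
    return urllib.request.build_opener(NoDowngradeRedirectHandler())


def check_redirect(old_url, new_url, code=301):
    """Offline helper: run the handler's decision on a constructed redirect.

    Returns the follow-up Request, or raises HTTPError on a downgrade.
    """
    handler = NoDowngradeRedirectHandler()
    req = urllib.request.Request(old_url)
    return handler.redirect_request(req, None, code, "Moved", {}, new_url)


if __name__ == "__main__":
    # Constructed sample redirect, not taken from the report.
    try:
        check_redirect("https://example.invalid/repo",
                       "http://example.invalid/repo/")
    except urllib.error.HTTPError as exc:
        print("blocked:", exc.msg)
```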

Comments (3)

  1. Jesper Noehr
    [cantor/jespern] /tmp > hg clone
    destination directory: nsdbilite
    real URL is
    requesting all changes
    adding changesets
    adding manifests
    adding file changes
    added 13 changesets with 22 changes to 10 files
    updating working directory
    10 files updated, 0 files merged, 0 files removed, 0 files unresolved

    Seems to work, yes?
