Details
- Bug
- Resolution: Fixed
- Medium
Description
Here's some output from a push:
$ hg push
pushing to https://groks@bitbucket.org/naviserver/nsdbilite
real URL is http://bitbucket.org/naviserver/nsdbilite/
...
Notice that the 's' was dropped from 'https' at the start. hg asks for my password and the push succeeds.
I didn't try sniffing, but does this mean my password was sent in the clear?
Two bugs here: one is Mercurial's – it shouldn't switch from SSL to non-SSL when sending a password without complaining loudly. The other is Bitbucket's – need to be careful not to drop the https protocol when redirecting.
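
The client-side check the report asks for, sketched with Python's standard urllib. This is an added example, not Mercurial's or Bitbucket's code: the handler refuses any redirect that moves an https request to a non-https URL before credentials can be resent. The class and function names are hypothetical; the two URLs are the ones in the push output above.

```python
import urllib.request
from urllib.parse import urljoin, urlsplit

# URLs copied from the push output in the report; nothing here contacts them.
PUSH_URL = "https://groks@bitbucket.org/naviserver/nsdbilite"
REAL_URL = "http://bitbucket.org/naviserver/nsdbilite/"


class SchemeDowngrade(Exception):
    """Raised when a redirect would move an https request off https."""


def is_downgrade(request_url, location):
    """True if following `location` from `request_url` leaves https."""
    target = urljoin(request_url, location)  # Location may be relative
    return (urlsplit(request_url).scheme.lower() == "https"
            and urlsplit(target).scheme.lower() != "https")


def strip_userinfo(url):
    """Drop user[:password]@ so error messages and logs never carry it."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.port:
        host += f":{parts.port}"
    return parts._replace(netloc=host).geturl()


class NoDowngradeRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Follow redirects as usual, but fail loudly on https -> http."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if is_downgrade(req.full_url, newurl):
            raise SchemeDowngrade(
                f"refusing redirect from {strip_userinfo(req.full_url)} "
                f"to {strip_userinfo(newurl)}: would leave https")
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def build_opener():
    """Opener that will not follow a scheme-downgrading redirect."""
    return urllib.request.build_opener(NoDowngradeRedirectHandler)
```

The check runs before the redirected request is built, so an Authorization header or password prompt never reaches the plain-http URL.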