Mercurial > hg
view tests/test-duplicateoptions.py @ 31290:f819aa9dbbf9
sslutil: issue warning when [hostfingerprint] is used
Mercurial 3.9 added the [hostsecurity] section, which is better
than [hostfingerprints] in every way.
One of the ways that [hostsecurity] is better is that it supports
SHA-256 and SHA-512 fingerprints, not just SHA-1 fingerprints.
The world is moving away from SHA-1 because it is borderline
secure. Mercurial should be part of that movement.
This patch adds a warning when a valid SHA-1 fingerprint from
the [hostfingerprints] section is being used. The warning informs
users to switch to [hostsecurity]. It even prints the config
option they should set. It uses the SHA-256 fingerprint because
recommending a SHA-1 fingerprint in 2017 would be ill-advised.
The warning will print itself on every connection to a server until
it is fixed. There is no way to suppress the warning. I admit this
is annoying. But given the security implications of sticking with
SHA-1, I think this is justified. If this patch is accepted,
I'll likely send a follow-up to start warning on SHA-1
certificates in [hostsecurity] as well. Then sometime down
the road, we can drop support for SHA-1 fingerprints.
Credit for this idea comes from timeless in issue 5466.
author | Gregory Szorc <gregory.szorc@gmail.com> |
---|---|
date | Thu, 09 Mar 2017 20:33:29 -0800 |
parents | d83ca854fa21 |
children | bd872f64a8ba |
line wrap: on
line source
from __future__ import absolute_import, print_function import os from mercurial import ( commands, extensions, ui as uimod, ) ignore = set(['highlight', 'win32text', 'factotum']) if os.name != 'nt': ignore.add('win32mbcs') disabled = [ext for ext in extensions.disabled().keys() if ext not in ignore] hgrc = open(os.environ["HGRCPATH"], 'w') hgrc.write('[extensions]\n') for ext in disabled: hgrc.write(ext + '=\n') hgrc.close() u = uimod.ui.load() extensions.loadall(u) globalshort = set() globallong = set() for option in commands.globalopts: option[0] and globalshort.add(option[0]) option[1] and globallong.add(option[1]) for cmd, entry in commands.table.iteritems(): seenshort = globalshort.copy() seenlong = globallong.copy() for option in entry[1]: if (option[0] and option[0] in seenshort) or \ (option[1] and option[1] in seenlong): print("command '" + cmd + "' has duplicate option " + str(option)) seenshort.add(option[0]) seenlong.add(option[1])