hgweb: do not ignore [auth] if url has a username (issue2822) The [auth] section was ignored when handling URLs like: http://user@example.com/foo Instead, we look in [auth] for an entry matching the URL and supplied user name. Entries without username can match URL with a username. Prefix length ties are resolved in favor of entries matching the username. With: foo.prefix = http://example.org foo.username = user foo.password = password bar.prefix = http://example.org/bar and the input URL: http://user@example.org/bar the 'bar' entry will be selected because of prefix length, therefore prompting for a password. This behaviour ensure that entries selection is consistent when looking for credentials or for certificates, and that certificates can be picked even if their entries do no define usernames while the URL does. Additionally, entries without a username matched against a username are returned as if they did have requested username set to avoid prompting again for a username if the password is not set. v2: reparse the URL in readauthforuri() to handle HTTP and HTTPS similarly. v3: allow unset usernames to match URL usernames to pick certificates. Resolve prefix length ties in favor of entries with usernames.

hgweb: raw file mimetype guessing configurable, off by default (BC) (issue2923) Before: hgweb made it possible to download file content with a content type detected from the file extension. It would serve .html files as text/html and could thus cause XSS vulnerabilities if the web site had any kind of session authorization and the repository content wasn't fully trusted. Now: all files default to "application/binary", which all important browsers will refuse to treat as text/html. See the table here: https://code.google.com/p/browsersec/wiki/Part2#Survey_of_content_sniffing_behaviors

hgweb: extract the path logic from updatereqenv and add doctests

merge with stable

hgweb: handle 'baseurl' configurations with leading slash (issue2934)

ui: call write() so the prompt string goes through subclassed implementation

merge with stable

merge with i18n

i18n-ja: synchronized with 4fdab926e111

i18n-sv: synchronized with 192e02680d09

parsers: remove redundant 'n' variable in parsers.parse_index2() (issue2935)

subrepo: handle adding svn subrepo with a svn:external file in it (issue2931)

hook: be prepared for __stdout/err__ not having fileno() it may have been replaced, see https://bitbucket.org/tortoisehg/thg/issue/937

dispatch: make sure global options on the command line take precedence So if a user has verbose=True somewhere in his .hgrc files, giving -q on the command line will override that. This basically reverts 1b8c70c9f47c.

http2: send an extra header to signal a non-broken client Some proxies strip the expect header because they forward requests in a non-compliant way or as a way to defend against bogus clients.

httpclient: import ca33b88d143c from py-nonblocking-http (issue2932)

color.py - clear _terminfo_params in win32 mode

url: store and assume the query part of an url is in escaped form (issue2921)

mq/qqueue: print current queue name Add an option to qqueue to print only the name of the current queue. Signed-off-by: "Yann E. MORIN" <yann.morin.1998@anciens.enib.fr>

export: add %m to file format string (first line of the commit message) $ hg commit -m "Initial commit" $ hg export -o %m.patch tip #It creates Initial_commit.patch file.

windows: eliminate win32 wildcard import

merge with stable

merge with crew

test-filecache: change for python 2.4 compatibility

setdiscovery: return anyincoming=False when remote's only head is nullid This fixes (issue2907) a crash when using 'hg incoming --bundle' with an empty remote repo and a non-empty local repo. This also fixes an unreported bug that 'hg summary --remote' erroneously reports incoming changes when the remote repo is empty and the local is not. Also, add a test to make sure issue2907 stays fixed

i18n: use UTF-8 string to lower filename for case collision check Some character sets, cp932 (known as Shift-JIS for Japanese) for example, use 0x41('A') - 0x5A('Z') and 0x61('a') - 0x7A('z') as second or later character. In such character set, case collision checking recognizes different files as CASEFOLDED same file, if filenames are treated as byte sequence. win32mbcs extension is not appropriate to handle this problem, because this problem can occur on other than Windows platform only if problematic character set is used. Callers of util.checkcase() use known ASCII filenames as last component of path, and string.lower() is not applied to directory part of path. So, util.checkcase() is kept intact, even though it applies string.lower() to filenames.

merge with crew

check-code: disallow use of hasattr() The hasattr() builtin from Python < 3.2 [1] has slightly surprising behavior: it catches all exceptions, even KeyboardInterrupt. This causes it to have several surprising side effects, such as hiding warnings that occur during attribute load and causing mysterious failure modes when ^Cing an application. In later versions of Python 2.x [0], exception classes which do not inherit from Exception (such as SystemExit and KeyboardInterrupt) are not caught, but other types of exceptions may still silently cause returning False instead of getting a reasonable exception. [0] http://bugs.python.org/issue2196 [1] http://docs.python.org/dev/whatsnew/3.2.html