rebase: refactor of error handling code path for rebaseskipobsolete This patch extracts the error handling code path to go in a separate function. In the next patch we will able to reuse this logic and avoid duplicated code.

destutil: show message and hint at updating to the closed head as warning

destutil: make messages at updating to the closed head usual form This patch makes messages at updating to the closed head usual form for Mercurial as below: one line description of the problem with no period (a suggestion about how to move forward or get more info)

py3: make test-ui-color use print_function

py3: make test-ui-config use print_function

py3: make test-ui-config use absolute_import

py3: make test-ui-verbosity use absolute_import

py3: make test-ui-verbosity use print_function

py3: make test-url use print_function

py3: make test-walkrepo use print_function

py3: make test-wireproto use print_function

py3: handle ugettext + unicode in i18n

py3: glob line numbers in test-check-py3-compat

bundle: remove obsolete (and duplicate) comment Change 1e28ec9744bf (changegroup: move chunk extraction into a getchunks method of unbundle10, 2014-04-10) extracted some code to a getchunks() method and copied a comment about the changegroup format to the new method. The copy that remains in the old place, doesn't make much sense there, so let's remove it.

convert: delete unused imports in git.py As reported by pyflakes

merge with stable

bundle: avoid crash when no good changegroup version found When using treemanifests, only changegroup3 bundles can be created. However, there is currently no way of requesting a changegroup3 bundle, so we run into an assertion in changegroup.getbundler() when trying to get a changroup2 bundler. Let's avoid the traceback and print a short error message instead.

exchange: make _pushb2ctx() look more like _getbundlechangegrouppart() The functions already have a lot in common, but were structured a little differently.

exchange: get rid of "getcgkwargs" variable This also makes the "version" argument explicit (never relies on getlocalchangegroupraw()'s default), which I think is a good thing.

bundle: move writebundle() from changegroup.py to bundle2.py (API) writebundle() writes a bundle2 bundle or a plain changegroup1. Imagine away the "2" in "bundle2.py" for a moment and this change should makes sense. The bundle wraps the changegroup, so it makes sense that it knows about it. Another sign that this is correct is that the delayed import of bundle2 in changegroup goes away. I'll leave it for another time to remove the "2" in "bundle2.py" (alternatively, extract a new bundle.py from it).

Added signature for changeset ae279d4a19e9

Added tag 3.7.3 for changeset ae279d4a19e9

convert: test for shell injection in git calls (SEC) CVE-2016-3069 (5/5) Before recent refactoring we were not escaping calls to git at all which made such injections possible. Let's have a test for that to avoid this problem in the future. Reported by Blake Burkhart.

convert: rewrite gitpipe to use common.commandline (SEC) CVE-2016-3069 (4/5)

convert: dead code removal - old git calling functions (SEC) CVE-2016-3069 (3/5)

convert: rewrite calls to Git to use the new shelling mechanism (SEC) CVE-2016-3069 (2/5) One test output changed because we were ignoring git return code in numcommits before.

convert: add new, non-clowny interface for shelling out to git (SEC) CVE-2016-3069 (1/5) To avoid shell injection and for the sake of simplicity let's use the common.commandline for calling git.

subrepo: set GIT_ALLOW_PROTOCOL to limit git clone protocols (SEC) CVE-2016-3068 (1/1) Git's git-remote-ext remote helper provides an ext:: URL scheme that allows running arbitrary shell commands. This feature allows implementing simple git smart transports with a single shell shell command. However, git submodules could clone arbitrary URLs specified in the .gitmodules file. This was reported as CVE-2015-7545 and fixed in git v2.6.1. However, if a user directly clones a malicious ext URL, the git client will still run arbitrary shell commands. Mercurial is similarly effected. Mercurial allows specifying git repositories as subrepositories. Git ext:: URLs can be specified as Mercurial subrepositories allowing arbitrary shell commands to be run on `hg clone ...`. The Mercurial community would like to thank Blake Burkhart for reporting this issue. The description of the issue is copied from Blake's report. This commit changes submodules to pass the GIT_ALLOW_PROTOCOL env variable to git commands with the same list of allowed protocols that git submodule is using. When the GIT_ALLOW_PROTOCOL env variable is already set, we just pass it to git without modifications.

parsers: detect short records (SEC) CVE-2016-3630 (2/2) This addresses part of a vulnerability in binary delta application.

parsers: fix list sizing rounding error (SEC) CVE-2016-3630 (1/2) This addresses part of a vulnerability in application of binary deltas.

merge with stable

debugsetparents: remove redundant invocations of begin/endparentchange Method localrepo.setparents invokes begin/endparentchange internally, so there is no need to invoke it explicitly in debugsetparents.

sslutil: add docstring to wrapsocket() Security should not be opaque.

sslutil: remove indentation in wrapsocket declaration It is no longer needed because we have a single code path.

sslutil: always use SSLContext Now that we have a fake SSLContext instance, we can unify the code paths for wrapping sockets to always use the SSLContext APIs. Because this is security code, I've retained the try..except to make the diff easier to read. It will be removed in the next patch. I took the liberty of updating the inline docs about supported protocols and how the constants work because this stuff is important and needs to be explicitly documented.

sslutil: move _canloaddefaultcerts logic We now have a newer block accessing SSLContext. Let's move this code to make subsequent refactorings of the former block easier.

sslutil: implement SSLContext class Python <2.7.9 doesn't have a ssl.SSLContext class. In this patch, we implement the interface to the class so we can have a unified code path for all supported versions of Python. This is similar to the approach that urllib3 takes.

sslutil: store OP_NO_SSL* constants in module scope An upcoming patch will introduce a global SSLContext type so we have a single function used to wrap sockets. Prepare for that by introducing module level constants for disabling SSLv2 and SSLv3.

sslutil: better document state of security/ssl module Pythons older than 2.7.9 are lacking the modern ssl module and have horrible security. Let's document this explicitly.

tests: make tinyproxy.py use print_function

run-tests: use canonpath for with-python3

run-tests: add canonpath function consistently use realpath+expanduser

tests: glob py3 line numbers Since not everyone is running py3.5 and code changes periodically, avoid pinning line numbers for invalid syntax errors.

tests: update py3.5 output 6d7da0901a28 removed one item...

summary: move mergemod before parents to give access to ms

filemerge: use revset notation for p1/p2 of local/other descriptions

tests: fix for failure of test-convert-p4-filetypes.t Before this patch, test-convert-p4-filetypes.t fails (at least with 2015.2/1366233 version of p4/p4d), because some files below are omitted in expected output for revision 1. - file_tempobj - file_xtempobj These files are: - add-ed at revision 0, and - edit-ed at revision 1 According to perforce command reference below, file type 'tempobj' and 'xtempobj' imply '+S' modifier, which indicates that "Only the head revision is stored". This means that these files should appear only in the most recent revision (= revision 1). https://www.perforce.com/perforce/doc.current/manuals/cmdref/file.types.html BTW, test-convert-p4-filetypes.t with 2015.2/1366233 version of p4/p4d fails similarly also at recent revisions for hgext/convert/p4.py in 2015. Therefore, this patch should be reviewed by perforce guru, to examine whether this failure depends on version (and/or configuration) of p4/p4d or not.

crecord: re-enable reviewing a patch before comitting it The "r" option for this feature was copied into Mercurial from crecord, but the actual implementation never made it into hg until now. It's a moderately useful feature that allows the user to edit the patch in a text editor before comitting it for good. This requires a test, so we must also enable a corresponding testing 'R' option that skips the confirmation dialogue. In addition, we also need a help text for the editor when reviewing the final patch. As for why this is a useful feature if we can already edit hunks in an editor, I would like to offer the following points: * editing hunks does not show the entire patch all at once ** furthermore, the hunk "tree" in the TUI has no root that could be selected for edition * it is helpful to be able to see the entire final patch for confirmation ** within this view, the unselected hunks are hidden, which is visusally cleaner ** this works as a final review of the complete result, which is a bit more difficult to do conceptually via hunk editing * this feature was already in crecord, so it was an oversight to not bring it to core * it works and is consistent with editing hunks