changeset 29537:5f8b36d5a6ec

sslutil: add assertion to prevent accidental CA usage on Windows Yuya suggested we add this check to ensure we don't accidentally try to load user-writable paths on Windows if we change the control flow of this function later.
author Gregory Szorc <gregory.szorc@gmail.com>
date Wed, 13 Jul 2016 19:33:52 -0700
parents b17a6e3cd2ac
children df7d8ea90695
files mercurial/sslutil.py
diffstat 1 files changed, 5 insertions(+), 0 deletions(-) [+]
line wrap: on
line diff
--- a/mercurial/sslutil.py	Wed Jul 13 16:16:18 2016 +0100
+++ b/mercurial/sslutil.py	Wed Jul 13 19:33:52 2016 -0700
@@ -499,6 +499,11 @@
                       'how to configure Mercurial to avoid this message)\n'))
         return None
 
+    # / is writable on Windows. Out of an abundance of caution make sure
+    # we're not on Windows because paths from _systemcacerts could be installed
+    # by non-admin users.
+    assert os.name != 'nt'
+
     # Try to find CA certificates in well-known locations. We print a warning
     # when using a found file because we don't want too much silent magic
     # for security settings. The expectation is that proper Mercurial