changeset 50341:698ffff7024b stable

configitems: make devel.serverexactprotocol look dangerous Because it is.
author pacien <pacien.trangirard@pacien.net>
date Thu, 13 Apr 2023 11:28:48 +0200
parents 9f33d12f6f48
children c54e9bb5737e
files i18n/ja.po i18n/pt_BR.po mercurial/configitems.py mercurial/sslutil.py tests/test-https.t
diffstat 5 files changed, 16 insertions(+), 12 deletions(-) [+]
line wrap: on
line diff
--- a/i18n/ja.po	Thu Apr 13 04:12:31 2023 +0200
+++ b/i18n/ja.po	Thu Apr 13 11:28:48 2023 +0200
@@ -37064,8 +37064,8 @@
 msgstr "利用中の Python では TLS 1.2 が未サポートです"
 
 #, python-format
-msgid "invalid value for serverexactprotocol: %s"
-msgstr "不正な serverexactprotocol 指定値: %s"
+msgid "invalid value for server-insecure-exact-protocol: %s"
+msgstr "不正な server-insecure-exact-protocol 指定値: %s"
 
 #, python-format
 msgid "too many wildcards in certificate DNS name: %s"
--- a/i18n/pt_BR.po	Thu Apr 13 04:12:31 2023 +0200
+++ b/i18n/pt_BR.po	Thu Apr 13 11:28:48 2023 +0200
@@ -38342,8 +38342,8 @@
 msgstr "TLS 1.2 não é suportado por esta versão do Python"
 
 #, python-format
-msgid "invalid value for serverexactprotocol: %s"
-msgstr "valor inválido para serverexactprotocol: %s"
+msgid "invalid value for server-insecure-exact-protocol: %s"
+msgstr "valor inválido para server-insecure-exact-protocol: %s"
 
 #, python-format
 msgid "too many wildcards in certificate DNS name: %s"
--- a/mercurial/configitems.py	Thu Apr 13 04:12:31 2023 +0200
+++ b/mercurial/configitems.py	Thu Apr 13 11:28:48 2023 +0200
@@ -688,9 +688,11 @@
     b'servercafile',
     default=b'',
 )
+# This config option is intended for use in tests only. It is a giant
+# footgun to kill security. Don't define it.
 coreconfigitem(
     b'devel',
-    b'serverexactprotocol',
+    b'server-insecure-exact-protocol',
     default=b'',
 )
 coreconfigitem(
--- a/mercurial/sslutil.py	Thu Apr 13 04:12:31 2023 +0200
+++ b/mercurial/sslutil.py	Thu Apr 13 11:28:48 2023 +0200
@@ -553,7 +553,7 @@
 
         # This config option is intended for use in tests only. It is a giant
         # footgun to kill security. Don't define it.
-        exactprotocol = ui.config(b'devel', b'serverexactprotocol')
+        exactprotocol = ui.config(b'devel', b'server-insecure-exact-protocol')
         if exactprotocol == b'tls1.0':
             if b'tls1.0' not in supportedprotocols:
                 raise error.Abort(_(b'TLS 1.0 not supported by this Python'))
@@ -583,7 +583,8 @@
             sslcontext.maximum_version = ssl.TLSVersion.TLSv1_2
         elif exactprotocol:
             raise error.Abort(
-                _(b'invalid value for serverexactprotocol: %s') % exactprotocol
+                _(b'invalid value for server-insecure-exact-protocol: %s')
+                % exactprotocol
             )
     else:
         # Despite its name, PROTOCOL_SSLv23 selects the highest protocol that both
@@ -594,7 +595,7 @@
 
         # This config option is intended for use in tests only. It is a giant
         # footgun to kill security. Don't define it.
-        exactprotocol = ui.config(b'devel', b'serverexactprotocol')
+        exactprotocol = ui.config(b'devel', b'server-insecure-exact-protocol')
         if exactprotocol == b'tls1.0':
             if b'tls1.0' not in supportedprotocols:
                 raise error.Abort(_(b'TLS 1.0 not supported by this Python'))
@@ -609,7 +610,8 @@
             protocol = ssl.PROTOCOL_TLSv1_2
         elif exactprotocol:
             raise error.Abort(
-                _(b'invalid value for serverexactprotocol: %s') % exactprotocol
+                _(b'invalid value for server-insecure-exact-protocol: %s')
+                % exactprotocol
             )
 
         # We /could/ use create_default_context() here since it doesn't load
--- a/tests/test-https.t	Thu Apr 13 04:12:31 2023 +0200
+++ b/tests/test-https.t	Thu Apr 13 11:28:48 2023 +0200
@@ -344,13 +344,13 @@
 
   $ cd test
   $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
-  > --config devel.serverexactprotocol=tls1.0
+  > --config devel.server-insecure-exact-protocol=tls1.0
   $ cat ../hg0.pid >> $DAEMON_PIDS
   $ hg serve -p $HGPORT1 -d --pid-file=../hg1.pid --certificate=$PRIV \
-  > --config devel.serverexactprotocol=tls1.1
+  > --config devel.server-insecure-exact-protocol=tls1.1
   $ cat ../hg1.pid >> $DAEMON_PIDS
   $ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \
-  > --config devel.serverexactprotocol=tls1.2
+  > --config devel.server-insecure-exact-protocol=tls1.2
   $ cat ../hg2.pid >> $DAEMON_PIDS
   $ cd ..