HTTP transport does not use authentication.conf unless you supply a user name.
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Bazaar |
Fix Released
|
Medium
|
Vincent Ladeuil | ||
Bug Description
If you add a section to authentication.conf for an http server, the information is not used unless you state the user name in the URL.
The user reference states otherwise.
http://
"Once the relevant credentials are declared in this file you may use branch urls without embedding passwords (security hazard) or even users (enabling sharing of your urls with others)."
Explicitly stating the user name in the URL picks up the password from the section. Tracing filesystem access during a bzr session using a plain URL with no user name reveals that authentication.conf is not even accessed.
I had a look at the code but the transport constructors are a fairly complex area and I'm not confident of my ability to both grok it and produce a patch that will satisfy all concerned.
My naive implementation (without tests) is attached.
Related branches
| Adrian Wilkins (adrian-wilkins) wrote | #1 |
| Adrian Wilkins (adrian-wilkins) wrote | #2 |
| Vincent Ladeuil (vila) wrote | #3 |
| Changed in bzr: | |
| assignee: | nobody → vila |
| importance: | Undecided → Medium |
| status: | New → Confirmed |
| Changed in bzr: | |
| status: | Confirmed → Fix Committed |
| Changed in bzr: | |
| milestone: | none → 1.11rc1 |
| status: | Fix Committed → Fix Released |
Attached log
Sections are seperated with
<<< comments like this >>>