upstream/mercurial-mirror Commit - r13163:2fa2e644

1

# url.py - HTTP handling for mercurial

1

# url.py - HTTP handling for mercurial

2

#

2

#

3

4

5

6

#

6

#

7

# This software may be used and distributed according to the terms of the

7

# This software may be used and distributed according to the terms of the

8

# GNU General Public License version 2 or any later version.

8

# GNU General Public License version 2 or any later version.

9

10

import urllib, urllib2, urlparse, httplib, os, re, socket, cStringIO

10

import urllib, urllib2, urlparse, httplib, os, re, socket, cStringIO

11

import __builtin__

11

import __builtin__

12

from i18n import _

12

from i18n import _

13

import keepalive, util

13

import keepalive, util

14

15

def _urlunparse(scheme, netloc, path, params, query, fragment, url):

15

def _urlunparse(scheme, netloc, path, params, query, fragment, url):

16

'''Handle cases where urlunparse(urlparse(x://)) doesn't preserve the "//"'''

16

'''Handle cases where urlunparse(urlparse(x://)) doesn't preserve the "//"'''

17

result = urlparse.urlunparse((scheme, netloc, path, params, query, fragment))

17

result = urlparse.urlunparse((scheme, netloc, path, params, query, fragment))

18

if (scheme and

18

if (scheme and

19

result.startswith(scheme + ':') and

19

result.startswith(scheme + ':') and

20

not result.startswith(scheme + '://') and

20

not result.startswith(scheme + '://') and

21

url.startswith(scheme + '://')

21

url.startswith(scheme + '://')

22

):

22

):

23

result = scheme + '://' + result[len(scheme + ':'):]

23

result = scheme + '://' + result[len(scheme + ':'):]

24

return result

24

return result

25

26

def hidepassword(url):

26

def hidepassword(url):

27

'''hide user credential in a url string'''

27

'''hide user credential in a url string'''

28

scheme, netloc, path, params, query, fragment = urlparse.urlparse(url)

28

scheme, netloc, path, params, query, fragment = urlparse.urlparse(url)

29

netloc = re.sub('([^:]*):([^@]*)@(.*)', r'\1:***@\3', netloc)

29

netloc = re.sub('([^:]*):([^@]*)@(.*)', r'\1:***@\3', netloc)

30

return _urlunparse(scheme, netloc, path, params, query, fragment, url)

30

return _urlunparse(scheme, netloc, path, params, query, fragment, url)

31

32

def removeauth(url):

32

def removeauth(url):

33

'''remove all authentication information from a url string'''

33

'''remove all authentication information from a url string'''

34

scheme, netloc, path, params, query, fragment = urlparse.urlparse(url)

34

scheme, netloc, path, params, query, fragment = urlparse.urlparse(url)

35

netloc = netloc[netloc.find('@')+1:]

35

netloc = netloc[netloc.find('@')+1:]

36

return _urlunparse(scheme, netloc, path, params, query, fragment, url)

36

return _urlunparse(scheme, netloc, path, params, query, fragment, url)

37

38

def netlocsplit(netloc):

38

def netlocsplit(netloc):

39

'''split [user[:passwd]@]host[:port] into 4-tuple.'''

39

'''split [user[:passwd]@]host[:port] into 4-tuple.'''

40

41

a = netloc.find('@')

41

a = netloc.find('@')

42

if a == -1:

42

if a == -1:

43

user, passwd = None, None

43

user, passwd = None, None

44

else:

44

else:

45

userpass, netloc = netloc[:a], netloc[a + 1:]

45

userpass, netloc = netloc[:a], netloc[a + 1:]

46

c = userpass.find(':')

46

c = userpass.find(':')

47

if c == -1:

47

if c == -1:

48

user, passwd = urllib.unquote(userpass), None

48

user, passwd = urllib.unquote(userpass), None

49

else:

49

else:

50

user = urllib.unquote(userpass[:c])

50

user = urllib.unquote(userpass[:c])

51

passwd = urllib.unquote(userpass[c + 1:])

51

passwd = urllib.unquote(userpass[c + 1:])

52

c = netloc.find(':')

52

c = netloc.find(':')

53

if c == -1:

53

if c == -1:

54

host, port = netloc, None

54

host, port = netloc, None

55

else:

55

else:

56

host, port = netloc[:c], netloc[c + 1:]

56

host, port = netloc[:c], netloc[c + 1:]

57

return host, port, user, passwd

57

return host, port, user, passwd

58

59

def netlocunsplit(host, port, user=None, passwd=None):

59

def netlocunsplit(host, port, user=None, passwd=None):

60

'''turn host, port, user, passwd into [user[:passwd]@]host[:port].'''

60

'''turn host, port, user, passwd into [user[:passwd]@]host[:port].'''

61

if port:

61

if port:

62

hostport = host + ':' + port

62

hostport = host + ':' + port

63

else:

63

else:

64

hostport = host

64

hostport = host

65

if user:

65

if user:

66

quote = lambda s: urllib.quote(s, safe='')

66

quote = lambda s: urllib.quote(s, safe='')

67

if passwd:

67

if passwd:

68

userpass = quote(user) + ':' + quote(passwd)

68

userpass = quote(user) + ':' + quote(passwd)

69

else:

69

else:

70

userpass = quote(user)

70

userpass = quote(user)

71

return userpass + '@' + hostport

71

return userpass + '@' + hostport

72

return hostport

72

return hostport

73

74

_safe = ('abcdefghijklmnopqrstuvwxyz'

74

_safe = ('abcdefghijklmnopqrstuvwxyz'

75

'ABCDEFGHIJKLMNOPQRSTUVWXYZ'

75

'ABCDEFGHIJKLMNOPQRSTUVWXYZ'

76

'0123456789' '_.-/')

76

'0123456789' '_.-/')

77

_safeset = None

77

_safeset = None

78

_hex = None

78

_hex = None

79

def quotepath(path):

79

def quotepath(path):

80

'''quote the path part of a URL

80

'''quote the path part of a URL

81

82

This is similar to urllib.quote, but it also tries to avoid

82

This is similar to urllib.quote, but it also tries to avoid

83

quoting things twice (inspired by wget):

83

quoting things twice (inspired by wget):

84

85

>>> quotepath('abc def')

85

>>> quotepath('abc def')

86

'abc%20def'

86

'abc%20def'

87

>>> quotepath('abc%20def')

87

>>> quotepath('abc%20def')

88

'abc%20def'

88

'abc%20def'

89

>>> quotepath('abc%20 def')

89

>>> quotepath('abc%20 def')

90

'abc%20%20def'

90

'abc%20%20def'

91

>>> quotepath('abc def%20')

91

>>> quotepath('abc def%20')

92

'abc%20def%20'

92

'abc%20def%20'

93

>>> quotepath('abc def%2')

93

>>> quotepath('abc def%2')

94

'abc%20def%252'

94

'abc%20def%252'

95

>>> quotepath('abc def%')

95

>>> quotepath('abc def%')

96

'abc%20def%25'

96

'abc%20def%25'

97

'''

97

'''

98

global _safeset, _hex

98

global _safeset, _hex

99

if _safeset is None:

99

if _safeset is None:

100

_safeset = set(_safe)

100

_safeset = set(_safe)

101

_hex = set('abcdefABCDEF0123456789')

101

_hex = set('abcdefABCDEF0123456789')

102

l = list(path)

102

l = list(path)

103

for i in xrange(len(l)):

103

for i in xrange(len(l)):

104

c = l[i]

104

c = l[i]

105

if (c == '%' and i + 2 < len(l) and

105

if (c == '%' and i + 2 < len(l) and

106

l[i + 1] in _hex and l[i + 2] in _hex):

106

l[i + 1] in _hex and l[i + 2] in _hex):

107

pass

107

pass

108

elif c not in _safeset:

108

elif c not in _safeset:

109

l[i] = '%%%02X' % ord(c)

109

l[i] = '%%%02X' % ord(c)

110

return ''.join(l)

110

return ''.join(l)

111

112

class passwordmgr(urllib2.HTTPPasswordMgrWithDefaultRealm):

112

class passwordmgr(urllib2.HTTPPasswordMgrWithDefaultRealm):

113

def __init__(self, ui):

113

def __init__(self, ui):

114

urllib2.HTTPPasswordMgrWithDefaultRealm.__init__(self)

114

urllib2.HTTPPasswordMgrWithDefaultRealm.__init__(self)

115

self.ui = ui

115

self.ui = ui

116

117

def find_user_password(self, realm, authuri):

117

def find_user_password(self, realm, authuri):

118

authinfo = urllib2.HTTPPasswordMgrWithDefaultRealm.find_user_password(

118

authinfo = urllib2.HTTPPasswordMgrWithDefaultRealm.find_user_password(

119

self, realm, authuri)

119

self, realm, authuri)

120

user, passwd = authinfo

120

user, passwd = authinfo

121

if user and passwd:

121

if user and passwd:

122

self._writedebug(user, passwd)

122

self._writedebug(user, passwd)

123

return (user, passwd)

123

return (user, passwd)

124

125

if not user:

125

if not user:

126

auth = self.readauthtoken(authuri)

126

auth = self.readauthtoken(authuri)

127

if auth:

127

if auth:

128

user, passwd = auth.get('username'), auth.get('password')

128

user, passwd = auth.get('username'), auth.get('password')

129

if not user or not passwd:

129

if not user or not passwd:

130

if not self.ui.interactive():

130

if not self.ui.interactive():

131

raise util.Abort(_('http authorization required'))

131

raise util.Abort(_('http authorization required'))

132

133

self.ui.write(_("http authorization required\n"))

133

self.ui.write(_("http authorization required\n"))

134

self.ui.write(_("realm: %s\n") % realm)

134

self.ui.write(_("realm: %s\n") % realm)

135

if user:

135

if user:

136

self.ui.write(_("user: %s\n") % user)

136

self.ui.write(_("user: %s\n") % user)

137

else:

137

else:

138

user = self.ui.prompt(_("user:"), default=None)

138

user = self.ui.prompt(_("user:"), default=None)

139

140

if not passwd:

140

if not passwd:

141

passwd = self.ui.getpass()

141

passwd = self.ui.getpass()

142

143

self.add_password(realm, authuri, user, passwd)

143

self.add_password(realm, authuri, user, passwd)

144

self._writedebug(user, passwd)

144

self._writedebug(user, passwd)

145

return (user, passwd)

145

return (user, passwd)

146

147

def _writedebug(self, user, passwd):

147

def _writedebug(self, user, passwd):

148

msg = _('http auth: user %s, password %s\n')

148

msg = _('http auth: user %s, password %s\n')

149

self.ui.debug(msg % (user, passwd and '*' * len(passwd) or 'not set'))

149

self.ui.debug(msg % (user, passwd and '*' * len(passwd) or 'not set'))

150

151

def readauthtoken(self, uri):

151

def readauthtoken(self, uri):

152

# Read configuration

152

# Read configuration

153

config = dict()

153

config = dict()

154

for key, val in self.ui.configitems('auth'):

154

for key, val in self.ui.configitems('auth'):

155

if '.' not in key:

155

if '.' not in key:

156

self.ui.warn(_("ignoring invalid [auth] key '%s'\n") % key)

156

self.ui.warn(_("ignoring invalid [auth] key '%s'\n") % key)

157

continue

157

continue

158

group, setting = key.split('.', 1)

158

group, setting = key.split('.', 1)

159

gdict = config.setdefault(group, dict())

159

gdict = config.setdefault(group, dict())

160

if setting in ('username', 'cert', 'key'):

160

if setting in ('username', 'cert', 'key'):

161

val = util.expandpath(val)

161

val = util.expandpath(val)

162

gdict[setting] = val

162

gdict[setting] = val

163

164

# Find the best match

164

# Find the best match

165

scheme, hostpath = uri.split('://', 1)

165

scheme, hostpath = uri.split('://', 1)

166

bestlen = 0

166

bestlen = 0

167

bestauth = None

167

bestauth = None

168

for auth in config.itervalues():

168

for auth in config.itervalues():

169

prefix = auth.get('prefix')

169

prefix = auth.get('prefix')

170

if not prefix:

170

if not prefix:

171

continue

171

continue

172

p = prefix.split('://', 1)

172

p = prefix.split('://', 1)

173

if len(p) > 1:

173

if len(p) > 1:

174

schemes, prefix = [p[0]], p[1]

174

schemes, prefix = [p[0]], p[1]

175

else:

175

else:

176

schemes = (auth.get('schemes') or 'https').split()

176

schemes = (auth.get('schemes') or 'https').split()

177

if (prefix == '*' or hostpath.startswith(prefix)) and \

177

if (prefix == '*' or hostpath.startswith(prefix)) and \

178

len(prefix) > bestlen and scheme in schemes:

178

len(prefix) > bestlen and scheme in schemes:

179

bestlen = len(prefix)

179

bestlen = len(prefix)

180

bestauth = auth

180

bestauth = auth

181

return bestauth

181

return bestauth

182

183

class proxyhandler(urllib2.ProxyHandler):

183

class proxyhandler(urllib2.ProxyHandler):

184

def __init__(self, ui):

184

def __init__(self, ui):

185

proxyurl = ui.config("http_proxy", "host") or os.getenv('http_proxy')

185

proxyurl = ui.config("http_proxy", "host") or os.getenv('http_proxy')

186

# XXX proxyauthinfo = None

186

# XXX proxyauthinfo = None

187

188

if proxyurl:

188

if proxyurl:

189

# proxy can be proper url or host[:port]

189

# proxy can be proper url or host[:port]

190

if not (proxyurl.startswith('http:') or

190

if not (proxyurl.startswith('http:') or

191

proxyurl.startswith('https:')):

191

proxyurl.startswith('https:')):

192

proxyurl = 'http://' + proxyurl + '/'

192

proxyurl = 'http://' + proxyurl + '/'

193

snpqf = urlparse.urlsplit(proxyurl)

193

snpqf = urlparse.urlsplit(proxyurl)

194

proxyscheme, proxynetloc, proxypath, proxyquery, proxyfrag = snpqf

194

proxyscheme, proxynetloc, proxypath, proxyquery, proxyfrag = snpqf

195

hpup = netlocsplit(proxynetloc)

195

hpup = netlocsplit(proxynetloc)

196

197

proxyhost, proxyport, proxyuser, proxypasswd = hpup

197

proxyhost, proxyport, proxyuser, proxypasswd = hpup

198

if not proxyuser:

198

if not proxyuser:

199

proxyuser = ui.config("http_proxy", "user")

199

proxyuser = ui.config("http_proxy", "user")

200

proxypasswd = ui.config("http_proxy", "passwd")

200

proxypasswd = ui.config("http_proxy", "passwd")

201

202

# see if we should use a proxy for this url

202

# see if we should use a proxy for this url

203

no_list = ["localhost", "127.0.0.1"]

203

no_list = ["localhost", "127.0.0.1"]

204

no_list.extend([p.lower() for

204

no_list.extend([p.lower() for

205

p in ui.configlist("http_proxy", "no")])

205

p in ui.configlist("http_proxy", "no")])

206

no_list.extend([p.strip().lower() for

206

no_list.extend([p.strip().lower() for

207

p in os.getenv("no_proxy", '').split(',')

207

p in os.getenv("no_proxy", '').split(',')

208

if p.strip()])

208

if p.strip()])

209

# "http_proxy.always" config is for running tests on localhost

209

# "http_proxy.always" config is for running tests on localhost

210

if ui.configbool("http_proxy", "always"):

210

if ui.configbool("http_proxy", "always"):

211

self.no_list = []

211

self.no_list = []

212

else:

212

else:

213

self.no_list = no_list

213

self.no_list = no_list

214

215

proxyurl = urlparse.urlunsplit((

215

proxyurl = urlparse.urlunsplit((

216

proxyscheme, netlocunsplit(proxyhost, proxyport,

216

proxyscheme, netlocunsplit(proxyhost, proxyport,

217

proxyuser, proxypasswd or ''),

217

proxyuser, proxypasswd or ''),

218

proxypath, proxyquery, proxyfrag))

218

proxypath, proxyquery, proxyfrag))

219

proxies = {'http': proxyurl, 'https': proxyurl}

219

proxies = {'http': proxyurl, 'https': proxyurl}

220

ui.debug('proxying through http://%s:%s\n' %

220

ui.debug('proxying through http://%s:%s\n' %

221

(proxyhost, proxyport))

221

(proxyhost, proxyport))

222

else:

222

else:

223

proxies = {}

223

proxies = {}

224

225

# urllib2 takes proxy values from the environment and those

225

# urllib2 takes proxy values from the environment and those

226

# will take precedence if found, so drop them

226

# will take precedence if found, so drop them

227

for env in ["HTTP_PROXY", "http_proxy", "no_proxy"]:

227

for env in ["HTTP_PROXY", "http_proxy", "no_proxy"]:

228

try:

228

try:

229

if env in os.environ:

229

if env in os.environ:

230

del os.environ[env]

230

del os.environ[env]

231

except OSError:

231

except OSError:

232

pass

232

pass

233

234

urllib2.ProxyHandler.__init__(self, proxies)

234

urllib2.ProxyHandler.__init__(self, proxies)

235

self.ui = ui

235

self.ui = ui

236

237

def proxy_open(self, req, proxy, type_):

237

def proxy_open(self, req, proxy, type_):

238

host = req.get_host().split(':')[0]

238

host = req.get_host().split(':')[0]

239

if host in self.no_list:

239

if host in self.no_list:

240

return None

240

return None

241

242

# work around a bug in Python < 2.4.2

242

# work around a bug in Python < 2.4.2

243

# (it leaves a "\n" at the end of Proxy-authorization headers)

243

# (it leaves a "\n" at the end of Proxy-authorization headers)

244

baseclass = req.__class__

244

baseclass = req.__class__

245

class _request(baseclass):

245

class _request(baseclass):

246

def add_header(self, key, val):

246

def add_header(self, key, val):

247

if key.lower() == 'proxy-authorization':

247

if key.lower() == 'proxy-authorization':

248

val = val.strip()

248

val = val.strip()

249

return baseclass.add_header(self, key, val)

249

return baseclass.add_header(self, key, val)

250

req.__class__ = _request

250

req.__class__ = _request

251

252

return urllib2.ProxyHandler.proxy_open(self, req, proxy, type_)

252

return urllib2.ProxyHandler.proxy_open(self, req, proxy, type_)

253

254

class httpsendfile(object):

254

class httpsendfile(object):

255

"""This is a wrapper around the objects returned by python's "open".

255

"""This is a wrapper around the objects returned by python's "open".

256

257

Its purpose is to send file-like objects via HTTP and, to do so, it

257

Its purpose is to send file-like objects via HTTP and, to do so, it

258

defines a __len__ attribute to feed the Content-Length header.

258

defines a __len__ attribute to feed the Content-Length header.

259

"""

259

"""

260

261

def __init__(self, *args, **kwargs):

261

def __init__(self, *args, **kwargs):

262

# We can't just "self._data = open(*args, **kwargs)" here because there

262

# We can't just "self._data = open(*args, **kwargs)" here because there

263

# is an "open" function defined in this module that shadows the global

263

# is an "open" function defined in this module that shadows the global

264

# one

264

# one

265

self._data = __builtin__.open(*args, **kwargs)

265

self._data = __builtin__.open(*args, **kwargs)

266

self.read = self._data.read

266

self.read = self._data.read

267

self.seek = self._data.seek

267

self.seek = self._data.seek

268

self.close = self._data.close

268

self.close = self._data.close

269

self.write = self._data.write

269

self.write = self._data.write

270

271

def __len__(self):

271

def __len__(self):

272

return os.fstat(self._data.fileno()).st_size

272

return os.fstat(self._data.fileno()).st_size

273

274

def _gen_sendfile(connection):

274

def _gen_sendfile(connection):

275

def _sendfile(self, data):

275

def _sendfile(self, data):

276

# send a file

276

# send a file

277

if isinstance(data, httpsendfile):

277

if isinstance(data, httpsendfile):

278

# if auth required, some data sent twice, so rewind here

278

# if auth required, some data sent twice, so rewind here

279

data.seek(0)

279

data.seek(0)

280

for chunk in util.filechunkiter(data):

280

for chunk in util.filechunkiter(data):

281

connection.send(self, chunk)

281

connection.send(self, chunk)

282

else:

282

else:

283

connection.send(self, data)

283

connection.send(self, data)

284

return _sendfile

284

return _sendfile

285

286

has_https = hasattr(urllib2, 'HTTPSHandler')

286

has_https = hasattr(urllib2, 'HTTPSHandler')

287

if has_https:

287

if has_https:

288

try:

288

try:

289

# avoid using deprecated/broken FakeSocket in python 2.6

289

# avoid using deprecated/broken FakeSocket in python 2.6

290

import ssl

290

import ssl

291

_ssl_wrap_socket = ssl.wrap_socket

291

_ssl_wrap_socket = ssl.wrap_socket

292

CERT_REQUIRED = ssl.CERT_REQUIRED

292

CERT_REQUIRED = ssl.CERT_REQUIRED

293

except ImportError:

293

except ImportError:

294

CERT_REQUIRED = 2

294

CERT_REQUIRED = 2

295

296

def _ssl_wrap_socket(sock, key_file, cert_file,

296

def _ssl_wrap_socket(sock, key_file, cert_file,

297

cert_reqs=CERT_REQUIRED, ca_certs=None):

297

cert_reqs=CERT_REQUIRED, ca_certs=None):

298

if ca_certs:

298

if ca_certs:

299

raise util.Abort(_(

299

raise util.Abort(_(

300

'certificate checking requires Python 2.6'))

300

'certificate checking requires Python 2.6'))

301

302

ssl = socket.ssl(sock, key_file, cert_file)

302

ssl = socket.ssl(sock, key_file, cert_file)

303

return httplib.FakeSocket(sock, ssl)

303

return httplib.FakeSocket(sock, ssl)

304

305

try:

305

try:

306

_create_connection = socket.create_connection

306

_create_connection = socket.create_connection

307

except AttributeError:

307

except AttributeError:

308

_GLOBAL_DEFAULT_TIMEOUT = object()

308

_GLOBAL_DEFAULT_TIMEOUT = object()

309

310

def _create_connection(address, timeout=_GLOBAL_DEFAULT_TIMEOUT,

310

def _create_connection(address, timeout=_GLOBAL_DEFAULT_TIMEOUT,

311

source_address=None):

311

source_address=None):

312

# lifted from Python 2.6

312

# lifted from Python 2.6

313

314

msg = "getaddrinfo returns an empty list"

314

msg = "getaddrinfo returns an empty list"

315

host, port = address

315

host, port = address

316

for res in socket.getaddrinfo(host, port, 0, socket.SOCK_STREAM):

316

for res in socket.getaddrinfo(host, port, 0, socket.SOCK_STREAM):

317

af, socktype, proto, canonname, sa = res

317

af, socktype, proto, canonname, sa = res

318

sock = None

318

sock = None

319

try:

319

try:

320

sock = socket.socket(af, socktype, proto)

320

sock = socket.socket(af, socktype, proto)

321

if timeout is not _GLOBAL_DEFAULT_TIMEOUT:

321

if timeout is not _GLOBAL_DEFAULT_TIMEOUT:

322

sock.settimeout(timeout)

322

sock.settimeout(timeout)

323

if source_address:

323

if source_address:

324

sock.bind(source_address)

324

sock.bind(source_address)

325

sock.connect(sa)

325

sock.connect(sa)

326

return sock

326

return sock

327

328

except socket.error, msg:

328

except socket.error, msg:

329

if sock is not None:

329

if sock is not None:

330

sock.close()

330

sock.close()

331

332

raise socket.error, msg

332

raise socket.error, msg

333

334

class httpconnection(keepalive.HTTPConnection):

334

class httpconnection(keepalive.HTTPConnection):

335

# must be able to send big bundle as stream.

335

# must be able to send big bundle as stream.

336

send = _gen_sendfile(keepalive.HTTPConnection)

336

send = _gen_sendfile(keepalive.HTTPConnection)

337

338

def connect(self):

338

def connect(self):

339

if has_https and self.realhostport: # use CONNECT proxy

339

if has_https and self.realhostport: # use CONNECT proxy

340

self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

340

self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

341

self.sock.connect((self.host, self.port))

341

self.sock.connect((self.host, self.port))

342

if _generic_proxytunnel(self):

342

if _generic_proxytunnel(self):

343

# we do not support client x509 certificates

343

# we do not support client x509 certificates

344

self.sock = _ssl_wrap_socket(self.sock, None, None)

344

self.sock = _ssl_wrap_socket(self.sock, None, None)

345

else:

345

else:

346

keepalive.HTTPConnection.connect(self)

346

keepalive.HTTPConnection.connect(self)

347

348

def getresponse(self):

348

def getresponse(self):

349

proxyres = getattr(self, 'proxyres', None)

349

proxyres = getattr(self, 'proxyres', None)

350

if proxyres:

350

if proxyres:

351

if proxyres.will_close:

351

if proxyres.will_close:

352

self.close()

352

self.close()

353

self.proxyres = None

353

self.proxyres = None

354

return proxyres

354

return proxyres

355

return keepalive.HTTPConnection.getresponse(self)

355

return keepalive.HTTPConnection.getresponse(self)

356

357

# general transaction handler to support different ways to handle

357

# general transaction handler to support different ways to handle

358

# HTTPS proxying before and after Python 2.6.3.

358

# HTTPS proxying before and after Python 2.6.3.

359

def _generic_start_transaction(handler, h, req):

359

def _generic_start_transaction(handler, h, req):

360

if hasattr(req, '_tunnel_host') and req._tunnel_host:

360

if hasattr(req, '_tunnel_host') and req._tunnel_host:

361

tunnel_host = req._tunnel_host

361

tunnel_host = req._tunnel_host

362

if tunnel_host[:7] not in ['http://', 'https:/']:

362

if tunnel_host[:7] not in ['http://', 'https:/']:

363

tunnel_host = 'https://' + tunnel_host

363

tunnel_host = 'https://' + tunnel_host

364

new_tunnel = True

364

new_tunnel = True

365

else:

365

else:

366

tunnel_host = req.get_selector()

366

tunnel_host = req.get_selector()

367

new_tunnel = False

367

new_tunnel = False

368

369

if new_tunnel or tunnel_host == req.get_full_url(): # has proxy

369

if new_tunnel or tunnel_host == req.get_full_url(): # has proxy

370

urlparts = urlparse.urlparse(tunnel_host)

370

urlparts = urlparse.urlparse(tunnel_host)

371

if new_tunnel or urlparts[0] == 'https': # only use CONNECT for HTTPS

371

if new_tunnel or urlparts[0] == 'https': # only use CONNECT for HTTPS

372

realhostport = urlparts[1]

372

realhostport = urlparts[1]

373

if realhostport[-1] == ']' or ':' not in realhostport:

373

if realhostport[-1] == ']' or ':' not in realhostport:

374

realhostport += ':443'

374

realhostport += ':443'

375

376

h.realhostport = realhostport

376

h.realhostport = realhostport

377

h.headers = req.headers.copy()

377

h.headers = req.headers.copy()

378

h.headers.update(handler.parent.addheaders)

378

h.headers.update(handler.parent.addheaders)

379

return

379

return

380

381

h.realhostport = None

381

h.realhostport = None

382

h.headers = None

382

h.headers = None

383

384

def _generic_proxytunnel(self):

384

def _generic_proxytunnel(self):

385

proxyheaders = dict(

385

proxyheaders = dict(

386

[(x, self.headers[x]) for x in self.headers

386

[(x, self.headers[x]) for x in self.headers

387

if x.lower().startswith('proxy-')])

387

if x.lower().startswith('proxy-')])

388

self._set_hostport(self.host, self.port)

388

self._set_hostport(self.host, self.port)

389

self.send('CONNECT %s HTTP/1.0\r\n' % self.realhostport)

389

self.send('CONNECT %s HTTP/1.0\r\n' % self.realhostport)

390

for header in proxyheaders.iteritems():

390

for header in proxyheaders.iteritems():

391

self.send('%s: %s\r\n' % header)

391

self.send('%s: %s\r\n' % header)

392

self.send('\r\n')

392

self.send('\r\n')

393

394

# majority of the following code is duplicated from

394

# majority of the following code is duplicated from

395

# httplib.HTTPConnection as there are no adequate places to

395

# httplib.HTTPConnection as there are no adequate places to

396

# override functions to provide the needed functionality

396

# override functions to provide the needed functionality

397

res = self.response_class(self.sock,

397

res = self.response_class(self.sock,

398

strict=self.strict,

398

strict=self.strict,

399

method=self._method)

399

method=self._method)

400

401

while True:

401

while True:

402

version, status, reason = res._read_status()

402

version, status, reason = res._read_status()

403

if status != httplib.CONTINUE:

403

if status != httplib.CONTINUE:

404

break

404

break

405

while True:

405

while True:

406

skip = res.fp.readline().strip()

406

skip = res.fp.readline().strip()

407

if not skip:

407

if not skip:

408

break

408

break

409

res.status = status

409

res.status = status

410

res.reason = reason.strip()

410

res.reason = reason.strip()

411

412

if res.status == 200:

412

if res.status == 200:

413

while True:

413

while True:

414

line = res.fp.readline()

414

line = res.fp.readline()

415

if line == '\r\n':

415

if line == '\r\n':

416

break

416

break

417

return True

417

return True

418

419

if version == 'HTTP/1.0':

419

if version == 'HTTP/1.0':

420

res.version = 10

420

res.version = 10

421

elif version.startswith('HTTP/1.'):

421

elif version.startswith('HTTP/1.'):

422

res.version = 11

422

res.version = 11

423

elif version == 'HTTP/0.9':

423

elif version == 'HTTP/0.9':

424

res.version = 9

424

res.version = 9

425

else:

425

else:

426

raise httplib.UnknownProtocol(version)

426

raise httplib.UnknownProtocol(version)

427

428

if res.version == 9:

428

if res.version == 9:

429

res.length = None

429

res.length = None

430

res.chunked = 0

430

res.chunked = 0

431

res.will_close = 1

431

res.will_close = 1

432

res.msg = httplib.HTTPMessage(cStringIO.StringIO())

432

res.msg = httplib.HTTPMessage(cStringIO.StringIO())

433

return False

433

return False

434

435

res.msg = httplib.HTTPMessage(res.fp)

435

res.msg = httplib.HTTPMessage(res.fp)

436

res.msg.fp = None

436

res.msg.fp = None

437

438

# are we using the chunked-style of transfer encoding?

438

# are we using the chunked-style of transfer encoding?

439

trenc = res.msg.getheader('transfer-encoding')

439

trenc = res.msg.getheader('transfer-encoding')

440

if trenc and trenc.lower() == "chunked":

440

if trenc and trenc.lower() == "chunked":

441

res.chunked = 1

441

res.chunked = 1

442

res.chunk_left = None

442

res.chunk_left = None

443

else:

443

else:

444

res.chunked = 0

444

res.chunked = 0

445

446

# will the connection close at the end of the response?

446

# will the connection close at the end of the response?

447

res.will_close = res._check_close()

447

res.will_close = res._check_close()

448

449

# do we have a Content-Length?

449

# do we have a Content-Length?

450

# NOTE: RFC 2616, S4.4, #3 says we ignore this if tr_enc is "chunked"

450

# NOTE: RFC 2616, S4.4, #3 says we ignore this if tr_enc is "chunked"

451

length = res.msg.getheader('content-length')

451

length = res.msg.getheader('content-length')

452

if length and not res.chunked:

452

if length and not res.chunked:

453

try:

453

try:

454

res.length = int(length)

454

res.length = int(length)

455

except ValueError:

455

except ValueError:

456

res.length = None

456

res.length = None

457

else:

457

else:

458

if res.length < 0: # ignore nonsensical negative lengths

458

if res.length < 0: # ignore nonsensical negative lengths

459

res.length = None

459

res.length = None

460

else:

460

else:

461

res.length = None

461

res.length = None

462

463

# does the body have a fixed length? (of zero)

463

# does the body have a fixed length? (of zero)

464

if (status == httplib.NO_CONTENT or status == httplib.NOT_MODIFIED or

464

if (status == httplib.NO_CONTENT or status == httplib.NOT_MODIFIED or

465

100 <= status < 200 or # 1xx codes

465

100 <= status < 200 or # 1xx codes

466

res._method == 'HEAD'):

466

res._method == 'HEAD'):

467

res.length = 0

467

res.length = 0

468

469

# if the connection remains open, and we aren't using chunked, and

469

# if the connection remains open, and we aren't using chunked, and

470

# a content-length was not provided, then assume that the connection

470

# a content-length was not provided, then assume that the connection

471

# WILL close.

471

# WILL close.

472

if (not res.will_close and

472

if (not res.will_close and

473

not res.chunked and

473

not res.chunked and

474

res.length is None):

474

res.length is None):

475

res.will_close = 1

475

res.will_close = 1

476

477

self.proxyres = res

477

self.proxyres = res

478

479

return False

479

return False

480

481

class httphandler(keepalive.HTTPHandler):

481

class httphandler(keepalive.HTTPHandler):

482

def http_open(self, req):

482

def http_open(self, req):

483

return self.do_open(httpconnection, req)

483

return self.do_open(httpconnection, req)

484

485

def _start_transaction(self, h, req):

485

def _start_transaction(self, h, req):

486

_generic_start_transaction(self, h, req)

486

_generic_start_transaction(self, h, req)

487

return keepalive.HTTPHandler._start_transaction(self, h, req)

487

return keepalive.HTTPHandler._start_transaction(self, h, req)

488

489

def _verifycert(cert, hostname):

489

def _verifycert(cert, hostname):

490

'''Verify that cert (in socket.getpeercert() format) matches hostname.

490

'''Verify that cert (in socket.getpeercert() format) matches hostname.

491

CRLs and subjectAltName are not handled.

491

CRLs and subjectAltName are not handled.

492

493

Returns error message if any problems are found and None on success.

493

Returns error message if any problems are found and None on success.

494

'''

494

'''

495

if not cert:

495

if not cert:

496

return _('no certificate received')

496

return _('no certificate received')

497

dnsname = hostname.lower()

497

dnsname = hostname.lower()

498

for s in cert.get('subject', []):

498

for s in cert.get('subject', []):

499

key, value = s[0]

499

key, value = s[0]

500

if key == 'commonName':

500

if key == 'commonName':

501

certname = value.lower()

501

certname = value.lower()

502

if (certname == dnsname or

502

if (certname == dnsname or

503

'.' in dnsname and certname == '*.' + dnsname.split('.', 1)[1]):

503

'.' in dnsname and certname == '*.' + dnsname.split('.', 1)[1]):

504

return None

504

return None

505

return _('certificate is for %s') % certname

505

return _('certificate is for %s') % certname

506

return _('no commonName found in certificate')

506

return _('no commonName found in certificate')

507

508

if has_https:

508

if has_https:

509

class BetterHTTPS(httplib.HTTPSConnection):

509

class BetterHTTPS(httplib.HTTPSConnection):

510

send = keepalive.safesend

510

send = keepalive.safesend

511

512

def connect(self):

512

def connect(self):

513

if hasattr(self, 'ui'):

513

if hasattr(self, 'ui'):

514

cacerts = self.ui.config('web', 'cacerts')

514

cacerts = self.ui.config('web', 'cacerts')

515

else:

515

else:

516

cacerts = None

516

cacerts = None

517

518

if cacerts:

518

if cacerts:

519

sock = _create_connection((self.host, self.port))

519

sock = _create_connection((self.host, self.port))

520

self.sock = _ssl_wrap_socket(sock, self.key_file,

520

self.sock = _ssl_wrap_socket(sock, self.key_file,

521

self.cert_file, cert_reqs=CERT_REQUIRED,

521

self.cert_file, cert_reqs=CERT_REQUIRED,

522

ca_certs=cacerts)

522

ca_certs=cacerts)

523

msg = _verifycert(self.sock.getpeercert(), self.host)

523

msg = _verifycert(self.sock.getpeercert(), self.host)

524

if msg:

524

if msg:

525

raise util.Abort(_('%s certificate error: %s') %

525

raise util.Abort(_('%s certificate error: %s') %

526

(self.host, msg))

526

(self.host, msg))

527

self.ui.debug('%s certificate successfully verified\n' %

527

self.ui.debug('%s certificate successfully verified\n' %

528

self.host)

528

self.host)

529

else:

529

else:

530

self.ui.warn(_("warning: %s certificate not verified "

531

"(check web.cacerts config setting)\n") %

532

self.host)

530

httplib.HTTPSConnection.connect(self)

533

httplib.HTTPSConnection.connect(self)

531

534

532

class httpsconnection(BetterHTTPS):

535

class httpsconnection(BetterHTTPS):

533

response_class = keepalive.HTTPResponse

536

response_class = keepalive.HTTPResponse

534

# must be able to send big bundle as stream.

537

# must be able to send big bundle as stream.

535

send = _gen_sendfile(BetterHTTPS)

538

send = _gen_sendfile(BetterHTTPS)

536

getresponse = keepalive.wrapgetresponse(httplib.HTTPSConnection)

539

getresponse = keepalive.wrapgetresponse(httplib.HTTPSConnection)

537

540

538

def connect(self):

541

def connect(self):

539

if self.realhostport: # use CONNECT proxy

542

if self.realhostport: # use CONNECT proxy

540

self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

543

self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

541

self.sock.connect((self.host, self.port))

544

self.sock.connect((self.host, self.port))

542

if _generic_proxytunnel(self):

545

if _generic_proxytunnel(self):

543

self.sock = _ssl_wrap_socket(self.sock, self.key_file,

546

self.sock = _ssl_wrap_socket(self.sock, self.key_file,

544

self.cert_file)

547

self.cert_file)

545

else:

548

else:

546

BetterHTTPS.connect(self)

549

BetterHTTPS.connect(self)

547

550

548

class httpshandler(keepalive.KeepAliveHandler, urllib2.HTTPSHandler):

551

class httpshandler(keepalive.KeepAliveHandler, urllib2.HTTPSHandler):

549

def __init__(self, ui):

552

def __init__(self, ui):

550

keepalive.KeepAliveHandler.__init__(self)

553

keepalive.KeepAliveHandler.__init__(self)

551

urllib2.HTTPSHandler.__init__(self)

554

urllib2.HTTPSHandler.__init__(self)

552

self.ui = ui

555

self.ui = ui

553

self.pwmgr = passwordmgr(self.ui)

556

self.pwmgr = passwordmgr(self.ui)

554

557

555

def _start_transaction(self, h, req):

558

def _start_transaction(self, h, req):

556

_generic_start_transaction(self, h, req)

559

_generic_start_transaction(self, h, req)

557

return keepalive.KeepAliveHandler._start_transaction(self, h, req)

560

return keepalive.KeepAliveHandler._start_transaction(self, h, req)

558

561

559

def https_open(self, req):

562

def https_open(self, req):

560

self.auth = self.pwmgr.readauthtoken(req.get_full_url())

563

self.auth = self.pwmgr.readauthtoken(req.get_full_url())

561

return self.do_open(self._makeconnection, req)

564

return self.do_open(self._makeconnection, req)

562

565

563

def _makeconnection(self, host, port=None, *args, **kwargs):

566

def _makeconnection(self, host, port=None, *args, **kwargs):

564

keyfile = None

567

keyfile = None

565

certfile = None

568

certfile = None

566

569

567

if len(args) >= 1: # key_file

570

if len(args) >= 1: # key_file

568

keyfile = args[0]

571

keyfile = args[0]

569

if len(args) >= 2: # cert_file

572

if len(args) >= 2: # cert_file

570

certfile = args[1]

573

certfile = args[1]

571

args = args[2:]

574

args = args[2:]

572

575

573

# if the user has specified different key/cert files in

576

# if the user has specified different key/cert files in

574

# hgrc, we prefer these

577

# hgrc, we prefer these

575

if self.auth and 'key' in self.auth and 'cert' in self.auth:

578

if self.auth and 'key' in self.auth and 'cert' in self.auth:

576

keyfile = self.auth['key']

579

keyfile = self.auth['key']

577

certfile = self.auth['cert']

580

certfile = self.auth['cert']

578

581

579

conn = httpsconnection(host, port, keyfile, certfile, *args, **kwargs)

582

conn = httpsconnection(host, port, keyfile, certfile, *args, **kwargs)

580

conn.ui = self.ui

583

conn.ui = self.ui

581

return conn

584

return conn

582

585

583

class httpdigestauthhandler(urllib2.HTTPDigestAuthHandler):

586

class httpdigestauthhandler(urllib2.HTTPDigestAuthHandler):

584

def __init__(self, *args, **kwargs):

587

def __init__(self, *args, **kwargs):

585

urllib2.HTTPDigestAuthHandler.__init__(self, *args, **kwargs)

588

urllib2.HTTPDigestAuthHandler.__init__(self, *args, **kwargs)

586

self.retried_req = None

589

self.retried_req = None

587

590

588

def reset_retry_count(self):

591

def reset_retry_count(self):

589

# Python 2.6.5 will call this on 401 or 407 errors and thus loop

592

# Python 2.6.5 will call this on 401 or 407 errors and thus loop

590

# forever. We disable reset_retry_count completely and reset in

593

# forever. We disable reset_retry_count completely and reset in

591

# http_error_auth_reqed instead.

594

# http_error_auth_reqed instead.

592

pass

595

pass

593

596

594

def http_error_auth_reqed(self, auth_header, host, req, headers):

597

def http_error_auth_reqed(self, auth_header, host, req, headers):

595

# Reset the retry counter once for each request.

598

# Reset the retry counter once for each request.

596

if req is not self.retried_req:

599

if req is not self.retried_req:

597

self.retried_req = req

600

self.retried_req = req

598

self.retried = 0

601

self.retried = 0

599

# In python < 2.5 AbstractDigestAuthHandler raises a ValueError if

602

# In python < 2.5 AbstractDigestAuthHandler raises a ValueError if

600

# it doesn't know about the auth type requested. This can happen if

603

# it doesn't know about the auth type requested. This can happen if

601

# somebody is using BasicAuth and types a bad password.

604

# somebody is using BasicAuth and types a bad password.

602

try:

605

try:

603

return urllib2.HTTPDigestAuthHandler.http_error_auth_reqed(

606

return urllib2.HTTPDigestAuthHandler.http_error_auth_reqed(

604

self, auth_header, host, req, headers)

607

self, auth_header, host, req, headers)

605

except ValueError, inst:

608

except ValueError, inst:

606

arg = inst.args[0]

609

arg = inst.args[0]

607

if arg.startswith("AbstractDigestAuthHandler doesn't know "):

610

if arg.startswith("AbstractDigestAuthHandler doesn't know "):

608

return

611

return

609

raise

612

raise

610

613

611

class httpbasicauthhandler(urllib2.HTTPBasicAuthHandler):

614

class httpbasicauthhandler(urllib2.HTTPBasicAuthHandler):

612

def __init__(self, *args, **kwargs):

615

def __init__(self, *args, **kwargs):

613

urllib2.HTTPBasicAuthHandler.__init__(self, *args, **kwargs)

616

urllib2.HTTPBasicAuthHandler.__init__(self, *args, **kwargs)

614

self.retried_req = None

617

self.retried_req = None

615

618

616

def reset_retry_count(self):

619

def reset_retry_count(self):

617

# Python 2.6.5 will call this on 401 or 407 errors and thus loop

620

# Python 2.6.5 will call this on 401 or 407 errors and thus loop

618

# forever. We disable reset_retry_count completely and reset in

621

# forever. We disable reset_retry_count completely and reset in

619

# http_error_auth_reqed instead.

622

# http_error_auth_reqed instead.

620

pass

623

pass

621

624

622

def http_error_auth_reqed(self, auth_header, host, req, headers):

625

def http_error_auth_reqed(self, auth_header, host, req, headers):

623

# Reset the retry counter once for each request.

626

# Reset the retry counter once for each request.

624

if req is not self.retried_req:

627

if req is not self.retried_req:

625

self.retried_req = req

628

self.retried_req = req

626

self.retried = 0

629

self.retried = 0

627

return urllib2.HTTPBasicAuthHandler.http_error_auth_reqed(

630

return urllib2.HTTPBasicAuthHandler.http_error_auth_reqed(

628

self, auth_header, host, req, headers)

631

self, auth_header, host, req, headers)

629

632

630

def getauthinfo(path):

633

def getauthinfo(path):

631

scheme, netloc, urlpath, query, frag = urlparse.urlsplit(path)

634

scheme, netloc, urlpath, query, frag = urlparse.urlsplit(path)

632

if not urlpath:

635

if not urlpath:

633

urlpath = '/'

636

urlpath = '/'

634

if scheme != 'file':

637

if scheme != 'file':

635

# XXX: why are we quoting the path again with some smart

638

# XXX: why are we quoting the path again with some smart

636

# heuristic here? Anyway, it cannot be done with file://

639

# heuristic here? Anyway, it cannot be done with file://

637

# urls since path encoding is os/fs dependent (see

640

# urls since path encoding is os/fs dependent (see

638

# urllib.pathname2url() for details).

641

# urllib.pathname2url() for details).

639

urlpath = quotepath(urlpath)

642

urlpath = quotepath(urlpath)

640

host, port, user, passwd = netlocsplit(netloc)

643

host, port, user, passwd = netlocsplit(netloc)

641

644

642

# urllib cannot handle URLs with embedded user or passwd

645

# urllib cannot handle URLs with embedded user or passwd

643

url = urlparse.urlunsplit((scheme, netlocunsplit(host, port),

646

url = urlparse.urlunsplit((scheme, netlocunsplit(host, port),

644

urlpath, query, frag))

647

urlpath, query, frag))

645

if user:

648

if user:

646

netloc = host

649

netloc = host

647

if port:

650

if port:

648

netloc += ':' + port

651

netloc += ':' + port

649

# Python < 2.4.3 uses only the netloc to search for a password

652

# Python < 2.4.3 uses only the netloc to search for a password

650

authinfo = (None, (url, netloc), user, passwd or '')

653

authinfo = (None, (url, netloc), user, passwd or '')

651

else:

654

else:

652

authinfo = None

655

authinfo = None

653

return url, authinfo

656

return url, authinfo

654

657

655

handlerfuncs = []

658

handlerfuncs = []

656

659

657

def opener(ui, authinfo=None):

660

def opener(ui, authinfo=None):

658

'''

661

'''

659

construct an opener suitable for urllib2

662

construct an opener suitable for urllib2

660

authinfo will be added to the password manager

663

authinfo will be added to the password manager

661

'''

664

'''

662

handlers = [httphandler()]

665

handlers = [httphandler()]

663

if has_https:

666

if has_https:

664

handlers.append(httpshandler(ui))

667

handlers.append(httpshandler(ui))

665

668

666

handlers.append(proxyhandler(ui))

669

handlers.append(proxyhandler(ui))

667

670

668

passmgr = passwordmgr(ui)

671

passmgr = passwordmgr(ui)

669

if authinfo is not None:

672

if authinfo is not None:

670

passmgr.add_password(*authinfo)

673

passmgr.add_password(*authinfo)

671

user, passwd = authinfo[2:4]

674

user, passwd = authinfo[2:4]

672

ui.debug('http auth: user %s, password %s\n' %

675

ui.debug('http auth: user %s, password %s\n' %

673

(user, passwd and '*' * len(passwd) or 'not set'))

676

(user, passwd and '*' * len(passwd) or 'not set'))

674

677

675

handlers.extend((httpbasicauthhandler(passmgr),

678

handlers.extend((httpbasicauthhandler(passmgr),

676

httpdigestauthhandler(passmgr)))

679

httpdigestauthhandler(passmgr)))

677

handlers.extend([h(ui, passmgr) for h in handlerfuncs])

680

handlers.extend([h(ui, passmgr) for h in handlerfuncs])

678

opener = urllib2.build_opener(*handlers)

681

opener = urllib2.build_opener(*handlers)

679

682

680

# 1.0 here is the _protocol_ version

683

# 1.0 here is the _protocol_ version

681

opener.addheaders = [('User-agent', 'mercurial/proto-1.0')]

684

opener.addheaders = [('User-agent', 'mercurial/proto-1.0')]

682

opener.addheaders.append(('Accept', 'application/mercurial-0.1'))

685

opener.addheaders.append(('Accept', 'application/mercurial-0.1'))

683

return opener

686

return opener

684

687

685

scheme_re = re.compile(r'^([a-zA-Z0-9+-.]+)://')

688

scheme_re = re.compile(r'^([a-zA-Z0-9+-.]+)://')

686

689

687

def open(ui, url, data=None):

690

def open(ui, url, data=None):

688

scheme = None

691

scheme = None

689

m = scheme_re.search(url)

692

m = scheme_re.search(url)

690

if m:

693

if m:

691

scheme = m.group(1).lower()

694

scheme = m.group(1).lower()

692

if not scheme:

695

if not scheme:

693

path = util.normpath(os.path.abspath(url))

696

path = util.normpath(os.path.abspath(url))

694

url = 'file://' + urllib.pathname2url(path)

697

url = 'file://' + urllib.pathname2url(path)

695

authinfo = None

698

authinfo = None

696

else:

699

else:

697

url, authinfo = getauthinfo(url)

700

url, authinfo = getauthinfo(url)

698

return opener(ui, authinfo).open(url, data)

701

return opener(ui, authinfo).open(url, data)

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

             # url.py - HTTP handling for mercurial
             #
             # Copyright 2005, 2006, 2007, 2008 Matt Mackall <mpm@selenic.com>
             # Copyright 2006, 2007 Alexis S. L. Carvalho <alexis@cecm.usp.br>
             # Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com>
             #
             # This software may be used and distributed according to the terms of the
             # GNU General Public License version 2 or any later version.
             import urllib, urllib2, urlparse, httplib, os, re, socket, cStringIO
             import __builtin__
             from i18n import _
             import keepalive, util
             def _urlunparse(scheme, netloc, path, params, query, fragment, url):
                 '''Handle cases where urlunparse(urlparse(x://)) doesn't preserve the "//"'''
                 result = urlparse.urlunparse((scheme, netloc, path, params, query, fragment))
                 if (scheme and
                     result.startswith(scheme + ':') and
                     not result.startswith(scheme + '://') and
                     url.startswith(scheme + '://')
                    ):
                     result = scheme + '://' + result[len(scheme + ':'):]
                 return result
             def hidepassword(url):
                 '''hide user credential in a url string'''
                 scheme, netloc, path, params, query, fragment = urlparse.urlparse(url)
                 netloc = re.sub('([^:]*):([^@]*)@(.*)', r'\1:***@\3', netloc)
                 return _urlunparse(scheme, netloc, path, params, query, fragment, url)
             def removeauth(url):
                 '''remove all authentication information from a url string'''
                 scheme, netloc, path, params, query, fragment = urlparse.urlparse(url)
                 netloc = netloc[netloc.find('@')+1:]
                 return _urlunparse(scheme, netloc, path, params, query, fragment, url)
             def netlocsplit(netloc):
                 '''split [user[:passwd]@]host[:port] into 4-tuple.'''
                 a = netloc.find('@')
                 if a == -1:
                     user, passwd = None, None
                 else:
                     userpass, netloc = netloc[:a], netloc[a + 1:]
                     c = userpass.find(':')
                     if c == -1:
                         user, passwd = urllib.unquote(userpass), None
                     else:
                         user = urllib.unquote(userpass[:c])
                         passwd = urllib.unquote(userpass[c + 1:])
                 c = netloc.find(':')
                 if c == -1:
                     host, port = netloc, None
                 else:
                     host, port = netloc[:c], netloc[c + 1:]
                 return host, port, user, passwd
             def netlocunsplit(host, port, user=None, passwd=None):
                 '''turn host, port, user, passwd into [user[:passwd]@]host[:port].'''
                 if port:
                     hostport = host + ':' + port
                 else:
                     hostport = host
                 if user:
                     quote = lambda s: urllib.quote(s, safe='')
                     if passwd:
                         userpass = quote(user) + ':' + quote(passwd)
                     else:
                         userpass = quote(user)
                     return userpass + '@' + hostport
                 return hostport
             _safe = ('abcdefghijklmnopqrstuvwxyz'
                      'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
                      '0123456789' '_.-/')
             _safeset = None
             _hex = None
             def quotepath(path):
                 '''quote the path part of a URL
                 This is similar to urllib.quote, but it also tries to avoid
                 quoting things twice (inspired by wget):
                 >>> quotepath('abc def')
                 'abc%20def'
                 >>> quotepath('abc%20def')
                 'abc%20def'
                 >>> quotepath('abc%20 def')
                 'abc%20%20def'
                 >>> quotepath('abc def%20')
                 'abc%20def%20'
                 >>> quotepath('abc def%2')
                 'abc%20def%252'
                 >>> quotepath('abc def%')
                 'abc%20def%25'
                 '''
                 global _safeset, _hex
                 if _safeset is None:
                     _safeset = set(_safe)
                     _hex = set('abcdefABCDEF0123456789')
                 l = list(path)
                 for i in xrange(len(l)):
                     c = l[i]
                     if (c == '%' and i + 2 < len(l) and
                         l[i + 1] in _hex and l[i + 2] in _hex):
                         pass
                     elif c not in _safeset:
                         l[i] = '%%%02X' % ord(c)
                 return ''.join(l)
             class passwordmgr(urllib2.HTTPPasswordMgrWithDefaultRealm):
                 def __init__(self, ui):
                     urllib2.HTTPPasswordMgrWithDefaultRealm.__init__(self)
                     self.ui = ui
                 def find_user_password(self, realm, authuri):
                     authinfo = urllib2.HTTPPasswordMgrWithDefaultRealm.find_user_password(
                         self, realm, authuri)
                     user, passwd = authinfo
                     if user and passwd:
                         self._writedebug(user, passwd)
                         return (user, passwd)
                     if not user:
                         auth = self.readauthtoken(authuri)
                         if auth:
                             user, passwd = auth.get('username'), auth.get('password')
                     if not user or not passwd:
                         if not self.ui.interactive():
                             raise util.Abort(_('http authorization required'))
                         self.ui.write(_("http authorization required\n"))
                         self.ui.write(_("realm: %s\n") % realm)
                         if user:
                             self.ui.write(_("user: %s\n") % user)
                         else:
                             user = self.ui.prompt(_("user:"), default=None)
                         if not passwd:
                             passwd = self.ui.getpass()
                     self.add_password(realm, authuri, user, passwd)
                     self._writedebug(user, passwd)
                     return (user, passwd)
                 def _writedebug(self, user, passwd):
                     msg = _('http auth: user %s, password %s\n')
                     self.ui.debug(msg % (user, passwd and '*' * len(passwd) or 'not set'))
                 def readauthtoken(self, uri):
                     # Read configuration
                     config = dict()
                     for key, val in self.ui.configitems('auth'):
                         if '.' not in key:
                             self.ui.warn(_("ignoring invalid [auth] key '%s'\n") % key)
                             continue
                         group, setting = key.split('.', 1)
                         gdict = config.setdefault(group, dict())
                         if setting in ('username', 'cert', 'key'):
                             val = util.expandpath(val)
                         gdict[setting] = val
                     # Find the best match
                     scheme, hostpath = uri.split('://', 1)
                     bestlen = 0
                     bestauth = None
                     for auth in config.itervalues():
                         prefix = auth.get('prefix')
                         if not prefix:
                             continue
                         p = prefix.split('://', 1)
                         if len(p) > 1:
                             schemes, prefix = [p[0]], p[1]
                         else:
                             schemes = (auth.get('schemes') or 'https').split()
                         if (prefix == '*' or hostpath.startswith(prefix)) and \
                             len(prefix) > bestlen and scheme in schemes:
                             bestlen = len(prefix)
                             bestauth = auth
                     return bestauth
             class proxyhandler(urllib2.ProxyHandler):
                 def __init__(self, ui):
                     proxyurl = ui.config("http_proxy", "host") or os.getenv('http_proxy')
                     # XXX proxyauthinfo = None
                     if proxyurl:
                         # proxy can be proper url or host[:port]
                         if not (proxyurl.startswith('http:') or
                                 proxyurl.startswith('https:')):
                             proxyurl = 'http://' + proxyurl + '/'
                         snpqf = urlparse.urlsplit(proxyurl)
                         proxyscheme, proxynetloc, proxypath, proxyquery, proxyfrag = snpqf
                         hpup = netlocsplit(proxynetloc)
                         proxyhost, proxyport, proxyuser, proxypasswd = hpup
                         if not proxyuser:
                             proxyuser = ui.config("http_proxy", "user")
                             proxypasswd = ui.config("http_proxy", "passwd")
                         # see if we should use a proxy for this url
                         no_list = ["localhost", "127.0.0.1"]
                         no_list.extend([p.lower() for
                                         p in ui.configlist("http_proxy", "no")])
                         no_list.extend([p.strip().lower() for
                                         p in os.getenv("no_proxy", '').split(',')
                                         if p.strip()])
                         # "http_proxy.always" config is for running tests on localhost
                         if ui.configbool("http_proxy", "always"):
                             self.no_list = []
                         else:
                             self.no_list = no_list
                         proxyurl = urlparse.urlunsplit((
                             proxyscheme, netlocunsplit(proxyhost, proxyport,
                                                             proxyuser, proxypasswd or ''),
                             proxypath, proxyquery, proxyfrag))
                         proxies = {'http': proxyurl, 'https': proxyurl}
                         ui.debug('proxying through http://%s:%s\n' %
                                   (proxyhost, proxyport))
                     else:
                         proxies = {}
                     # urllib2 takes proxy values from the environment and those
                     # will take precedence if found, so drop them
                     for env in ["HTTP_PROXY", "http_proxy", "no_proxy"]:
                         try:
                             if env in os.environ:
                                 del os.environ[env]
                         except OSError:
                             pass
                     urllib2.ProxyHandler.__init__(self, proxies)
                     self.ui = ui
                 def proxy_open(self, req, proxy, type_):
                     host = req.get_host().split(':')[0]
                     if host in self.no_list:
                         return None
                     # work around a bug in Python < 2.4.2
                     # (it leaves a "\n" at the end of Proxy-authorization headers)
                     baseclass = req.__class__
                     class _request(baseclass):
                         def add_header(self, key, val):
                             if key.lower() == 'proxy-authorization':
                                 val = val.strip()
                             return baseclass.add_header(self, key, val)
                     req.__class__ = _request
                     return urllib2.ProxyHandler.proxy_open(self, req, proxy, type_)
             class httpsendfile(object):
                 """This is a wrapper around the objects returned by python's "open".
                 Its purpose is to send file-like objects via HTTP and, to do so, it
                 defines a __len__ attribute to feed the Content-Length header.
                 """
                 def __init__(self, *args, **kwargs):
                     # We can't just "self._data = open(*args, **kwargs)" here because there
                     # is an "open" function defined in this module that shadows the global
                     # one
                     self._data = __builtin__.open(*args, **kwargs)
                     self.read = self._data.read
                     self.seek = self._data.seek
                     self.close = self._data.close
                     self.write = self._data.write
                 def __len__(self):
                     return os.fstat(self._data.fileno()).st_size
             def _gen_sendfile(connection):
                 def _sendfile(self, data):
                     # send a file
                     if isinstance(data, httpsendfile):
                         # if auth required, some data sent twice, so rewind here
                         data.seek(0)
                         for chunk in util.filechunkiter(data):
                             connection.send(self, chunk)
                     else:
                         connection.send(self, data)
                 return _sendfile
             has_https = hasattr(urllib2, 'HTTPSHandler')
             if has_https:
                 try:
                     # avoid using deprecated/broken FakeSocket in python 2.6
                     import ssl
                     _ssl_wrap_socket = ssl.wrap_socket
                     CERT_REQUIRED = ssl.CERT_REQUIRED
                 except ImportError:
                     CERT_REQUIRED = 2
                     def _ssl_wrap_socket(sock, key_file, cert_file,
                                          cert_reqs=CERT_REQUIRED, ca_certs=None):
                         if ca_certs:
                             raise util.Abort(_(
                                 'certificate checking requires Python 2.6'))
                         ssl = socket.ssl(sock, key_file, cert_file)
                         return httplib.FakeSocket(sock, ssl)
                 try:
                     _create_connection = socket.create_connection
                 except AttributeError:
                     _GLOBAL_DEFAULT_TIMEOUT = object()
                     def _create_connection(address, timeout=_GLOBAL_DEFAULT_TIMEOUT,
                                            source_address=None):
                         # lifted from Python 2.6
                         msg = "getaddrinfo returns an empty list"
                         host, port = address
                         for res in socket.getaddrinfo(host, port, 0, socket.SOCK_STREAM):
                             af, socktype, proto, canonname, sa = res
                             sock = None
                             try:
                                 sock = socket.socket(af, socktype, proto)
                                 if timeout is not _GLOBAL_DEFAULT_TIMEOUT:
                                     sock.settimeout(timeout)
                                 if source_address:
                                     sock.bind(source_address)
                                 sock.connect(sa)
                                 return sock
                             except socket.error, msg:
                                 if sock is not None:
                                     sock.close()
                         raise socket.error, msg
             class httpconnection(keepalive.HTTPConnection):
                 # must be able to send big bundle as stream.
                 send = _gen_sendfile(keepalive.HTTPConnection)
                 def connect(self):
                     if has_https and self.realhostport: # use CONNECT proxy
                         self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                         self.sock.connect((self.host, self.port))
                         if _generic_proxytunnel(self):
                             # we do not support client x509 certificates
                             self.sock = _ssl_wrap_socket(self.sock, None, None)
                     else:
                         keepalive.HTTPConnection.connect(self)
                 def getresponse(self):
                     proxyres = getattr(self, 'proxyres', None)
                     if proxyres:
                         if proxyres.will_close:
                             self.close()
                         self.proxyres = None
                         return proxyres
                     return keepalive.HTTPConnection.getresponse(self)
             # general transaction handler to support different ways to handle
             # HTTPS proxying before and after Python 2.6.3.
             def _generic_start_transaction(handler, h, req):
                 if hasattr(req, '_tunnel_host') and req._tunnel_host:
                     tunnel_host = req._tunnel_host
                     if tunnel_host[:7] not in ['http://', 'https:/']:
                         tunnel_host = 'https://' + tunnel_host
                     new_tunnel = True
                 else:
                     tunnel_host = req.get_selector()
                     new_tunnel = False
                 if new_tunnel or tunnel_host == req.get_full_url(): # has proxy
                     urlparts = urlparse.urlparse(tunnel_host)
                     if new_tunnel or urlparts[0] == 'https': # only use CONNECT for HTTPS
                         realhostport = urlparts[1]
                         if realhostport[-1] == ']' or ':' not in realhostport:
                             realhostport += ':443'
                         h.realhostport = realhostport
                         h.headers = req.headers.copy()
                         h.headers.update(handler.parent.addheaders)
                         return
                 h.realhostport = None
                 h.headers = None
             def _generic_proxytunnel(self):
                 proxyheaders = dict(
                         [(x, self.headers[x]) for x in self.headers
                          if x.lower().startswith('proxy-')])
                 self._set_hostport(self.host, self.port)
                 self.send('CONNECT %s HTTP/1.0\r\n' % self.realhostport)
                 for header in proxyheaders.iteritems():
                     self.send('%s: %s\r\n' % header)
                 self.send('\r\n')
                 # majority of the following code is duplicated from
                 # httplib.HTTPConnection as there are no adequate places to
                 # override functions to provide the needed functionality
                 res = self.response_class(self.sock,
                                           strict=self.strict,
                                           method=self._method)
                 while True:
                     version, status, reason = res._read_status()
                     if status != httplib.CONTINUE:
                         break
                     while True:
                         skip = res.fp.readline().strip()
                         if not skip:
                             break
                 res.status = status
                 res.reason = reason.strip()
                 if res.status == 200:
                     while True:
                         line = res.fp.readline()
                         if line == '\r\n':
                             break
                     return True
                 if version == 'HTTP/1.0':
                     res.version = 10
                 elif version.startswith('HTTP/1.'):
                     res.version = 11
                 elif version == 'HTTP/0.9':
                     res.version = 9
                 else:
                     raise httplib.UnknownProtocol(version)
                 if res.version == 9:
                     res.length = None
                     res.chunked = 0
                     res.will_close = 1
                     res.msg = httplib.HTTPMessage(cStringIO.StringIO())
                     return False
                 res.msg = httplib.HTTPMessage(res.fp)
                 res.msg.fp = None
                 # are we using the chunked-style of transfer encoding?
                 trenc = res.msg.getheader('transfer-encoding')
                 if trenc and trenc.lower() == "chunked":
                     res.chunked = 1
                     res.chunk_left = None
                 else:
                     res.chunked = 0
                 # will the connection close at the end of the response?
                 res.will_close = res._check_close()
                 # do we have a Content-Length?
                 # NOTE: RFC 2616, S4.4, #3 says we ignore this if tr_enc is "chunked"
                 length = res.msg.getheader('content-length')
                 if length and not res.chunked:
                     try:
                         res.length = int(length)
                     except ValueError:
                         res.length = None
                     else:
                         if res.length < 0:  # ignore nonsensical negative lengths
                             res.length = None
                 else:
                     res.length = None
                 # does the body have a fixed length? (of zero)
                 if (status == httplib.NO_CONTENT or status == httplib.NOT_MODIFIED or
 <= status < 200 or # 1xx codes
                     res._method == 'HEAD'):
                     res.length = 0
                 # if the connection remains open, and we aren't using chunked, and
                 # a content-length was not provided, then assume that the connection
                 # WILL close.
                 if (not res.will_close and
                    not res.chunked and
                    res.length is None):
                     res.will_close = 1
                 self.proxyres = res
                 return False
             class httphandler(keepalive.HTTPHandler):
                 def http_open(self, req):
                     return self.do_open(httpconnection, req)
                 def _start_transaction(self, h, req):
                     _generic_start_transaction(self, h, req)
                     return keepalive.HTTPHandler._start_transaction(self, h, req)
             def _verifycert(cert, hostname):
                 '''Verify that cert (in socket.getpeercert() format) matches hostname.
                 CRLs and subjectAltName are not handled.
                 Returns error message if any problems are found and None on success.
                 '''
                 if not cert:
                     return _('no certificate received')
                 dnsname = hostname.lower()
                 for s in cert.get('subject', []):
                     key, value = s[0]
                     if key == 'commonName':
                         certname = value.lower()
                         if (certname == dnsname or
                             '.' in dnsname and certname == '*.' + dnsname.split('.', 1)[1]):
                             return None
                         return _('certificate is for %s') % certname
                 return _('no commonName found in certificate')
             if has_https:
                 class BetterHTTPS(httplib.HTTPSConnection):
                     send = keepalive.safesend
                     def connect(self):
                         if hasattr(self, 'ui'):
                             cacerts = self.ui.config('web', 'cacerts')
                         else:
                             cacerts = None
                         if cacerts:
                             sock = _create_connection((self.host, self.port))
                             self.sock = _ssl_wrap_socket(sock, self.key_file,
                                     self.cert_file, cert_reqs=CERT_REQUIRED,
                                     ca_certs=cacerts)
                             msg = _verifycert(self.sock.getpeercert(), self.host)
                             if msg:
                                 raise util.Abort(_('%s certificate error: %s') %
                                                  (self.host, msg))
                             self.ui.debug('%s certificate successfully verified\n' %
                                           self.host)
                         else:
+                            self.ui.warn(_("warning: %s certificate not verified "
+                                           "(check web.cacerts config setting)\n") %
+                                         self.host)
                             httplib.HTTPSConnection.connect(self)
                 class httpsconnection(BetterHTTPS):
                     response_class = keepalive.HTTPResponse
                     # must be able to send big bundle as stream.
                     send = _gen_sendfile(BetterHTTPS)
                     getresponse = keepalive.wrapgetresponse(httplib.HTTPSConnection)
                     def connect(self):
                         if self.realhostport: # use CONNECT proxy
                             self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                             self.sock.connect((self.host, self.port))
                             if _generic_proxytunnel(self):
                                 self.sock = _ssl_wrap_socket(self.sock, self.key_file,
                                         self.cert_file)
                         else:
                             BetterHTTPS.connect(self)
                 class httpshandler(keepalive.KeepAliveHandler, urllib2.HTTPSHandler):
                     def __init__(self, ui):
                         keepalive.KeepAliveHandler.__init__(self)
                         urllib2.HTTPSHandler.__init__(self)
                         self.ui = ui
                         self.pwmgr = passwordmgr(self.ui)
                     def _start_transaction(self, h, req):
                         _generic_start_transaction(self, h, req)
                         return keepalive.KeepAliveHandler._start_transaction(self, h, req)
                     def https_open(self, req):
                         self.auth = self.pwmgr.readauthtoken(req.get_full_url())
                         return self.do_open(self._makeconnection, req)
                     def _makeconnection(self, host, port=None, *args, **kwargs):
                         keyfile = None
                         certfile = None
                         if len(args) >= 1: # key_file
                             keyfile = args[0]
                         if len(args) >= 2: # cert_file
                             certfile = args[1]
                         args = args[2:]
                         # if the user has specified different key/cert files in
                         # hgrc, we prefer these
                         if self.auth and 'key' in self.auth and 'cert' in self.auth:
                             keyfile = self.auth['key']
                             certfile = self.auth['cert']
                         conn = httpsconnection(host, port, keyfile, certfile, *args, **kwargs)
                         conn.ui = self.ui
                         return conn
             class httpdigestauthhandler(urllib2.HTTPDigestAuthHandler):
                 def __init__(self, *args, **kwargs):
                     urllib2.HTTPDigestAuthHandler.__init__(self, *args, **kwargs)
                     self.retried_req = None
                 def reset_retry_count(self):
                     # Python 2.6.5 will call this on 401 or 407 errors and thus loop
                     # forever. We disable reset_retry_count completely and reset in
                     # http_error_auth_reqed instead.
                     pass
                 def http_error_auth_reqed(self, auth_header, host, req, headers):
                     # Reset the retry counter once for each request.
                     if req is not self.retried_req:
                         self.retried_req = req
                         self.retried = 0
                     # In python < 2.5 AbstractDigestAuthHandler raises a ValueError if
                     # it doesn't know about the auth type requested. This can happen if
                     # somebody is using BasicAuth and types a bad password.
                     try:
                         return urllib2.HTTPDigestAuthHandler.http_error_auth_reqed(
                                     self, auth_header, host, req, headers)
                     except ValueError, inst:
                         arg = inst.args[0]
                         if arg.startswith("AbstractDigestAuthHandler doesn't know "):
                             return
                         raise
             class httpbasicauthhandler(urllib2.HTTPBasicAuthHandler):
                 def __init__(self, *args, **kwargs):
                     urllib2.HTTPBasicAuthHandler.__init__(self, *args, **kwargs)
                     self.retried_req = None
                 def reset_retry_count(self):
                     # Python 2.6.5 will call this on 401 or 407 errors and thus loop
                     # forever. We disable reset_retry_count completely and reset in
                     # http_error_auth_reqed instead.
                     pass
                 def http_error_auth_reqed(self, auth_header, host, req, headers):
                     # Reset the retry counter once for each request.
                     if req is not self.retried_req:
                         self.retried_req = req
                         self.retried = 0
                     return urllib2.HTTPBasicAuthHandler.http_error_auth_reqed(
                                     self, auth_header, host, req, headers)
             def getauthinfo(path):
                 scheme, netloc, urlpath, query, frag = urlparse.urlsplit(path)
                 if not urlpath:
                     urlpath = '/'
                 if scheme != 'file':
                     # XXX: why are we quoting the path again with some smart
                     # heuristic here? Anyway, it cannot be done with file://
                     # urls since path encoding is os/fs dependent (see
                     # urllib.pathname2url() for details).
                     urlpath = quotepath(urlpath)
                 host, port, user, passwd = netlocsplit(netloc)
                 # urllib cannot handle URLs with embedded user or passwd
                 url = urlparse.urlunsplit((scheme, netlocunsplit(host, port),
                                           urlpath, query, frag))
                 if user:
                     netloc = host
                     if port:
                         netloc += ':' + port
                     # Python < 2.4.3 uses only the netloc to search for a password
                     authinfo = (None, (url, netloc), user, passwd or '')
                 else:
                     authinfo = None
                 return url, authinfo
             handlerfuncs = []
             def opener(ui, authinfo=None):
                 '''
                 construct an opener suitable for urllib2
                 authinfo will be added to the password manager
                 '''
                 handlers = [httphandler()]
                 if has_https:
                     handlers.append(httpshandler(ui))
                 handlers.append(proxyhandler(ui))
                 passmgr = passwordmgr(ui)
                 if authinfo is not None:
                     passmgr.add_password(*authinfo)
                     user, passwd = authinfo[2:4]
                     ui.debug('http auth: user %s, password %s\n' %
                              (user, passwd and '*' * len(passwd) or 'not set'))
                 handlers.extend((httpbasicauthhandler(passmgr),
                                  httpdigestauthhandler(passmgr)))
                 handlers.extend([h(ui, passmgr) for h in handlerfuncs])
                 opener = urllib2.build_opener(*handlers)
                 # 1.0 here is the _protocol_ version
                 opener.addheaders = [('User-agent', 'mercurial/proto-1.0')]
                 opener.addheaders.append(('Accept', 'application/mercurial-0.1'))
                 return opener
             scheme_re = re.compile(r'^([a-zA-Z0-9+-.]+)://')
             def open(ui, url, data=None):
                 scheme = None
                 m = scheme_re.search(url)
                 if m:
                     scheme = m.group(1).lower()
                 if not scheme:
                     path = util.normpath(os.path.abspath(url))
                     url = 'file://' + urllib.pathname2url(path)
                     authinfo = None
                 else:
                     url, authinfo = getauthinfo(url)
                 return opener(ui, authinfo).open(url, data)

             Proper https client requires the built-in ssl from Python 2.6.
               $ "$TESTDIR/hghave" ssl || exit 80
             Certificates created with:
              printf '.\n.\n.\n.\n.\nlocalhost\nhg@localhost\n' | \
              openssl req -newkey rsa:512 -keyout priv.pem -nodes -x509 -days 9000 -out pub.pem
             Can be dumped with:
              openssl x509 -in pub.pem -text
               $ cat << EOT > priv.pem
               > -----BEGIN PRIVATE KEY-----
               > MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEApjCWeYGrIa/Vo7LH
               > aRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8
               > j/xgSwIDAQABAkBxHC6+Qlf0VJXGlb6NL16yEVVTQxqDS6hA9zqu6TZjrr0YMfzc
               > EGNIiZGt7HCBL0zO+cPDg/LeCZc6HQhf0KrhAiEAzlJq4hWWzvguWFIJWSoBeBUG
               > MF1ACazQO7PYE8M0qfECIQDONHHP0SKZzz/ZwBZcAveC5K61f/v9hONFwbeYulzR
               > +wIgc9SvbtgB/5Yzpp//4ZAEnR7oh5SClCvyB+KSx52K3nECICbhQphhoXmI10wy
               > aMTellaq0bpNMHFDziqH9RsqAHhjAiEAgYGxfzkftt5IUUn/iFK89aaIpyrpuaAh
               > HY8gUVkVRVs=
               > -----END PRIVATE KEY-----
               > EOT
               $ cat << EOT > pub.pem
               > -----BEGIN CERTIFICATE-----
               > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV
               > BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw
               > MTAxNDIwMzAxNFoXDTM1MDYwNTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0
               > MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL
               > ADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnKEUm34rDaXQd4lxxX
               > 6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA+amm
               > r24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQw
               > DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAFArvQFiAZJgQczRsbYlG1xl
               > t+truk37w5B3m3Ick1ntRcQrqs+hf0CO1q6Squ144geYaQ8CDirSR92fICELI1c=
               > -----END CERTIFICATE-----
               > EOT
               $ cat priv.pem pub.pem >> server.pem
               $ PRIV=`pwd`/server.pem
               $ cat << EOT > pub-other.pem
               > -----BEGIN CERTIFICATE-----
               > MIIBqzCCAVWgAwIBAgIJALwZS731c/ORMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNV
               > BAMMCWxvY2FsaG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEw
               > MTAxNDIwNDUxNloXDTM1MDYwNTIwNDUxNlowMTESMBAGA1UEAwwJbG9jYWxob3N0
               > MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhvc3QwXDANBgkqhkiG9w0BAQEFAANL
               > ADBIAkEAsxsapLbHrqqUKuQBxdpK4G3m2LjtyrTSdpzzzFlecxd5yhNP6AyWrufo
               > K4VMGo2xlu9xOo88nDSUNSKPuD09MwIDAQABo1AwTjAdBgNVHQ4EFgQUoIB1iMhN
               > y868rpQ2qk9dHnU6ebswHwYDVR0jBBgwFoAUoIB1iMhNy868rpQ2qk9dHnU6ebsw
               > DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJ544f125CsE7J2t55PdFaF6
               > bBlNBb91FCywBgSjhBjf+GG3TNPwrPdc3yqeq+hzJiuInqbOBv9abmMyq8Wsoig=
               > -----END CERTIFICATE-----
               > EOT
             pub.pem patched with other notBefore / notAfter:
               $ cat << EOT > pub-not-yet.pem
               > -----BEGIN CERTIFICATE-----
               > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs
               > aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTM1MDYwNTIwMzAxNFoXDTM1MDYw
               > NTIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv
               > c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK
               > EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA
               > +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T
               > BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJXV41gWnkgC7jcpPpFRSUSZaxyzrXmD1CIqQf0WgVDb
               > /12E0vR2DuZitgzUYtBaofM81aTtc0a2/YsrmqePGm0=
               > -----END CERTIFICATE-----
               > EOT
               $ cat priv.pem pub-not-yet.pem > server-not-yet.pem
               $ cat << EOT > pub-expired.pem
               > -----BEGIN CERTIFICATE-----
               > MIIBqzCCAVWgAwIBAgIJANAXFFyWjGnRMA0GCSqGSIb3DQEBBQUAMDExEjAQBgNVBAMMCWxvY2Fs
               > aG9zdDEbMBkGCSqGSIb3DQEJARYMaGdAbG9jYWxob3N0MB4XDTEwMTAxNDIwMzAxNFoXDTEwMTAx
               > NDIwMzAxNFowMTESMBAGA1UEAwwJbG9jYWxob3N0MRswGQYJKoZIhvcNAQkBFgxoZ0Bsb2NhbGhv
               > c3QwXDANBgkqhkiG9w0BAQEFAANLADBIAkEApjCWeYGrIa/Vo7LHaRF8ou0tbgHKE33Use/whCnK
               > EUm34rDaXQd4lxxX6aDWg06n9tiVStAKTgQAHJY8j/xgSwIDAQABo1AwTjAdBgNVHQ4EFgQUE6sA
               > +ammr24dGX0kpjxOgO45hzQwHwYDVR0jBBgwFoAUE6sA+ammr24dGX0kpjxOgO45hzQwDAYDVR0T
               > BAUwAwEB/zANBgkqhkiG9w0BAQUFAANBAJfk57DTRf2nUbYaMSlVAARxMNbFGOjQhAUtY400GhKt
               > 2uiKCNGKXVXD3AHWe13yHc5KttzbHQStE5Nm/DlWBWQ=
               > -----END CERTIFICATE-----
               > EOT
               $ cat priv.pem pub-expired.pem > server-expired.pem
               $ hg init test
               $ cd test
               $ echo foo>foo
               $ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
               $ echo foo>foo.d/foo
               $ echo bar>foo.d/bAr.hg.d/BaR
               $ echo bar>foo.d/baR.d.hg/bAR
               $ hg commit -A -m 1
               adding foo
               adding foo.d/bAr.hg.d/BaR
               adding foo.d/baR.d.hg/bAR
               adding foo.d/foo
               $ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
               $ cat ../hg0.pid >> $DAEMON_PIDS
             Test server address cannot be reused
               $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
               abort: cannot start server at ':$HGPORT': Address already in use
               [255]
               $ cd ..
             clone via pull
               $ hg clone https://localhost:$HGPORT/ copy-pull
+              warning: localhost certificate not verified (check web.cacerts config setting)
               requesting all changes
               adding changesets
               adding manifests
               adding file changes
               added 1 changesets with 4 changes to 4 files
               updating to branch default
 files updated, 0 files merged, 0 files removed, 0 files unresolved
               $ hg verify -R copy-pull
               checking changesets
               checking manifests
               crosschecking files in changesets and manifests
               checking files
 files, 1 changesets, 4 total revisions
               $ cd test
               $ echo bar > bar
               $ hg commit -A -d '1 0' -m 2
               adding bar
               $ cd ..
             pull
               $ cd copy-pull
               $ echo '[hooks]' >> .hg/hgrc
               $ echo "changegroup = python '$TESTDIR'/printenv.py changegroup" >> .hg/hgrc
               $ hg pull
+              warning: localhost certificate not verified (check web.cacerts config setting)
               changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_URL=https://localhost:$HGPORT/
               pulling from https://localhost:$HGPORT/
               searching for changes
               adding changesets
               adding manifests
               adding file changes
               added 1 changesets with 1 changes to 1 files
               (run 'hg update' to get a working copy)
               $ cd ..
             cacert
               $ hg -R copy-pull pull --config web.cacerts=pub.pem
               pulling from https://localhost:$HGPORT/
               searching for changes
               no changes found
               $ hg -R copy-pull pull --config web.cacerts=pub.pem https://127.0.0.1:$HGPORT/
               abort: 127.0.0.1 certificate error: certificate is for localhost
               [255]
               $ hg -R copy-pull pull --config web.cacerts=pub-other.pem
               abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
               [255]
             Test server cert which isn't valid yet
               $ hg -R test serve -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
               $ cat hg1.pid >> $DAEMON_PIDS
               $ hg -R copy-pull pull --config web.cacerts=pub-not-yet.pem https://localhost:$HGPORT1/
               abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
               [255]
             Test server cert which no longer is valid
               $ hg -R test serve -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
               $ cat hg2.pid >> $DAEMON_PIDS
               $ hg -R copy-pull pull --config web.cacerts=pub-expired.pem https://localhost:$HGPORT2/
               abort: error: *:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (glob)
               [255]