upstream/mercurial-mirror Files · mercurial/py3kcompat.py

sslutil: config option to specify TLS protocol version...

sslutil: config option to specify TLS protocol version Currently, Mercurial will use TLS 1.0 or newer when connecting to remote servers, selecting the highest TLS version supported by both peers. On older Pythons, only TLS 1.0 is available. On newer Pythons, TLS 1.1 and 1.2 should be available. Security-minded people may want to not take any risks running TLS 1.0 (or even TLS 1.1). This patch gives those people a config option to explicitly control which TLS versions Mercurial should use. By providing this option, one can require newer TLS versions before they are formally deprecated by Mercurial/Python/OpenSSL/etc and lower their security exposure. This option also provides an easy mechanism to change protocol policies in Mercurial. If there is a 0-day and TLS 1.0 is completely broken, we can act quickly without changing much code. Because setting the minimum TLS protocol is something you'll likely want to do globally, this patch introduces a global config option under [hostsecurity] for that purpose. wrapserversocket() has been taught a hidden config option to define the explicit protocol to use. This is queried in this function and not passed as an argument because I don't want to expose this dangerous option as part of the Python API. There is a risk someone could footgun themselves. But the config option is a devel option, has a warning comment, and I doubt most people are using `hg serve` to run a production HTTPS server (I would have something not Mercurial/Python handle TLS). If this is problematic, we can go back to using a custom extension in tests to coerce the server into bad behavior.

Gregory Szorc - - Load All Authors

File last commit:

r27486:5bfd01a3 default


                r29559:7dec5e44

default

Download file

             py3kcompat.py
        
                    68 lines
            
             | 2.1 KiB
            
                | text/x-python
            
             |
                PythonLexer
            
             / mercurial / py3kcompat.py
          
                    History
                
                 |
                  Annotation
                 | Raw
                 |Copy content
                 |Copy permalink

      # py3kcompat.py - compatibility definitions for running hg in py3k

      #

      # Copyright 2010 Renato Cunha <renatoc@gmail.com>

      #

      # This software may be used and distributed according to the terms of the

      # GNU General Public License version 2 or any later version.

      from __future__ import absolute_import

      import builtins

      import numbers

      Number = numbers.Number

      def bytesformatter(format, args):

          '''Custom implementation of a formatter for bytestrings.

          This function currently relies on the string formatter to do the

          formatting and always returns bytes objects.

          >>> bytesformatter(20, 10)

          0

          >>> bytesformatter('unicode %s, %s!', ('string', 'foo'))

          b'unicode string, foo!'

          >>> bytesformatter(b'test %s', 'me')

          b'test me'

          >>> bytesformatter('test %s', 'me')

          b'test me'

          >>> bytesformatter(b'test %s', b'me')

          b'test me'

          >>> bytesformatter('test %s', b'me')

          b'test me'

          >>> bytesformatter('test %d: %s', (1, b'result'))

          b'test 1: result'

          '''

          # The current implementation just converts from bytes to unicode, do

          # what's needed and then convert the results back to bytes.

          # Another alternative is to use the Python C API implementation.

          if isinstance(format, Number):

              # If the fixer erroneously passes a number remainder operation to

              # bytesformatter, we just return the correct operation

              return format % args

          if isinstance(format, bytes):

              format = format.decode('utf-8', 'surrogateescape')

          if isinstance(args, bytes):

              args = args.decode('utf-8', 'surrogateescape')

          if isinstance(args, tuple):

              newargs = []

              for arg in args:

                  if isinstance(arg, bytes):

                      arg = arg.decode('utf-8', 'surrogateescape')

                  newargs.append(arg)

              args = tuple(newargs)

          ret = format % args

          return ret.encode('utf-8', 'surrogateescape')

      builtins.bytesformatter = bytesformatter

      origord = builtins.ord

      def fakeord(char):

          if isinstance(char, int):

              return char

          return origord(char)

      builtins.ord = fakeord

      if __name__ == '__main__':

          import doctest

          doctest.testmod()

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

				# py3kcompat.py - compatibility definitions for running hg in py3k
				#
				# Copyright 2010 Renato Cunha <renatoc@gmail.com>
				#
				# This software may be used and distributed according to the terms of the
				# GNU General Public License version 2 or any later version.

				from __future__ import absolute_import

				import builtins
				import numbers

				Number = numbers.Number

				def bytesformatter(format, args):
				'''Custom implementation of a formatter for bytestrings.

				This function currently relies on the string formatter to do the
				formatting and always returns bytes objects.

				>>> bytesformatter(20, 10)
				0
				>>> bytesformatter('unicode %s, %s!', ('string', 'foo'))
				b'unicode string, foo!'
				>>> bytesformatter(b'test %s', 'me')
				b'test me'
				>>> bytesformatter('test %s', 'me')
				b'test me'
				>>> bytesformatter(b'test %s', b'me')
				b'test me'
				>>> bytesformatter('test %s', b'me')
				b'test me'
				>>> bytesformatter('test %d: %s', (1, b'result'))
				b'test 1: result'
				'''
				# The current implementation just converts from bytes to unicode, do
				# what's needed and then convert the results back to bytes.
				# Another alternative is to use the Python C API implementation.
				if isinstance(format, Number):
				# If the fixer erroneously passes a number remainder operation to
				# bytesformatter, we just return the correct operation
				return format % args
				if isinstance(format, bytes):
				format = format.decode('utf-8', 'surrogateescape')
				if isinstance(args, bytes):
				args = args.decode('utf-8', 'surrogateescape')
				if isinstance(args, tuple):
				newargs = []
				for arg in args:
				if isinstance(arg, bytes):
				arg = arg.decode('utf-8', 'surrogateescape')
				newargs.append(arg)
				args = tuple(newargs)
				ret = format % args
				return ret.encode('utf-8', 'surrogateescape')
				builtins.bytesformatter = bytesformatter

				origord = builtins.ord
				def fakeord(char):
				if isinstance(char, int):
				return char
				return origord(char)
				builtins.ord = fakeord

				if __name__ == '__main__':
				import doctest
				doctest.testmod()