Differences between revisions 331 and 343 (spanning 12 versions)
Revision 331 as of 2017-11-01 05:27:53
Size: 28874
Comment: syntax, issue links
Revision 343 as of 2018-03-06 20:00:39
Size: 41604
Editor: GregorySzorc
Comment: expand details about security vulnerabilities

Release Notes

Features and bugfixes in our latest releases. Please see the Download page for links to source and binaries.

Note that Mercurial follows a time-based release plan with major releases every three months and minor (bugfix) releases on the first of every month (see TimeBasedReleasePlan).

Be sure to read the upgrade notes when upgrading.

(See the archive for older versions)

1. Mercurial 4.5.1 / 4.5.2 (2018-03-06)

(4.5.2 was released immediately after 4.5.1 to fix a release oversight.)

This is a regularly-scheduled bugfix release.

1.1. Security Fixes

All versions of Mercurial prior to 4.5.2 have vulnerabilities in the HTTP server that allow permissions bypass to:

  • Perform writes on repositories that should be read-only
  • Perform reads on repositories that shouldn't allow read access

The nature of the vulnerabilities is:

  1. Wire protocol commands that didn't explicitly declare their permissions had no permissions checking done. The web.{allow-pull, allow-push, deny_read, etc} config options governing access control were never consulted when running these commands. This allowed permissions bypass for impacted commands.

  2. The batch wire protocol command did not list its permission requirements nor did it enforce permissions on individual sub-commands.

The implication of these vulnerabilities is that no permissions checking was performed on commands and this could lead to accessing data that web.* config options were supposed to prevent access to or modifying data (via wire protocol commands that can mutate data) without authorization. A Mercurial HTTP server in its default configuration is supposed to be read-only. However, a well-crafted batch command could invoke commands that perform writes.

The batch write permissions bypass has been present since Mercurial 1.9. The flaw of not checking permissions for wire protocol commands that don't declare their needed permissions has been present since Mercurial 1.0.

Assuming you are running a server without any custom commands provided by extensions, your exposure is unauthorized data access (if relying on the web.* config options to limit access) and unauthorized data mutation via the batch command.

Server operators can detect unauthorized use of the batch command by looking for requests to URLs of the form repo?cmd=batch with arguments containing pushkey or unbundle. This may produce false positives. A more comprehensive check would decode the argument string and verify that pushkey or unbundle are command names (not values). The arguments specified via x-hgarg-<N> request headers can span multiple headers, so an attacker could evade a naive check by splitting a pushkey or unbundle string across multiple headers. The only reliable way to detect whether this vulnerability is being exploited is therefore to decode these headers the way Mercurial does. The format for specifying arguments is documented at https://www.mercurial-scm.org/repo/hg/file/4.5/mercurial/help/internals/wireprotocol.txt#l26. Python code for decoding headers is at https://www.mercurial-scm.org/repo/hg/file/4.5/mercurial/hgweb/protocol.py#l70.
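The check described above, as an added example (not Mercurial's own code): it reassembles the x-hgarg-<N> headers in numeric order, parses the result as a query string, splits the batch cmds argument into its sub-commands and only then looks at the command names. The header reassembly and the batch entry format ("name key=value,key=value" entries separated by ";", with ":e", ":s", ":o" and ":c" escaping literal "=", ";", "," and ":" inside values) follow the wireprotocol documentation linked above; the sample requests, including one where a name is cut across two headers and one where pushkey appears only as an argument value, are constructed for this example.

```python
"""Decode Mercurial HTTP wire-protocol arguments and inspect batch sub-commands.

Added example, not Mercurial's own code. It mirrors the decoding that hgweb
performs so that a log scanner can tell whether a ?cmd=batch request really
names a write command, instead of grepping header values for the substrings
'pushkey' / 'unbundle'. All sample requests below are constructed.
"""
from urllib.parse import parse_qs

# Sub-command names the release notes single out as data-mutating.
WRITE_COMMANDS = frozenset({"pushkey", "unbundle"})


def decode_hgargs(headers):
    """Reassemble x-hgarg-1, x-hgarg-2, ... in numeric order and parse the
    concatenation as a URL query string. A value may be cut at any point
    between two headers, so the join must happen before parsing."""
    lower = {k.lower(): v for k, v in headers.items()}
    chunks = []
    i = 1
    while "x-hgarg-%d" % i in lower:
        chunks.append(lower["x-hgarg-%d" % i])
        i += 1
    return parse_qs("".join(chunks), keep_blank_values=True)


def unescapearg(escaped):
    """Undo batch-argument escaping: ':e' -> '=', ':s' -> ';', ':o' -> ',', ':c' -> ':'."""
    return (escaped.replace(":e", "=")
                   .replace(":s", ";")
                   .replace(":o", ",")
                   .replace(":c", ":"))


def batch_subcommands(cmds):
    """Split a batch 'cmds' value into (name, args) pairs. Entries are
    ';'-separated and look like 'name key=value,key=value'. Literal
    separators inside values arrive escaped, so splitting on the raw
    ';' ',' '=' is safe; the command name is everything before the first space."""
    result = []
    for entry in cmds.split(";"):
        if not entry:
            continue
        name, _, rest = entry.partition(" ")
        args = {}
        for pair in rest.split(","):
            if pair:
                key, _, value = pair.partition("=")
                args[unescapearg(key)] = unescapearg(value)
        result.append((name, args))
    return result


def write_subcommands(query, headers):
    """Names of write sub-commands carried by a ?cmd=batch request, in order.
    Returns [] for non-batch requests and for batches of read-only commands."""
    if parse_qs(query).get("cmd") != ["batch"]:
        return []
    cmds = decode_hgargs(headers).get("cmds", [""])[0]
    return [name for name, _ in batch_subcommands(cmds) if name in WRITE_COMMANDS]


def naive_flag(headers):
    """The substring check the release notes warn about: it inspects each
    header value on its own, so it misses a name split across headers and
    fires when the word appears only as an argument value."""
    return any(w in v for v in headers.values() for w in WRITE_COMMANDS)


# Constructed sample requests: (query string, request headers).
SAMPLES = {
    # ordinary discovery batch: heads followed by known
    "readonly": ("cmd=batch", {"X-HgArg-1": "cmds=heads+%3Bknown+nodes%3D"}),
    # 'pushkey' occurs only as the value of lookup's 'key' argument
    "value-only": ("cmd=batch", {"X-HgArg-1": "cmds=lookup+key%3Dpushkey"}),
    # the sub-command name is cut across two headers
    "split": ("cmd=batch", {
        "X-HgArg-1": "cmds=heads+%3Bpush",
        "X-HgArg-2": "key+namespace%3Dbookmarks%2Ckey%3Dfoo%2Cold%3D%2Cnew%3D",
    }),
}


def scan_samples():
    """Run both checks over SAMPLES; returns {name: (decoded_hits, naive_hit)}."""
    return {n: (write_subcommands(q, h), naive_flag(h)) for n, (q, h) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (hits, naive) in scan_samples().items():
        print("%-10s decoded=%s naive=%s" % (name, hits, naive))
```

On the three samples the decoded check reports a write command only for the split request, while the substring check gets both of the interesting cases wrong (it flags the lookup-by-value request and misses the split one). To run this over real access logs you would need the request headers, not just the URL, since the arguments never appear in the query string.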

Mercurial 4.5.2 fixes these vulnerabilities by:

  • Performing permissions checking on all wire protocol commands, not just commands that list their permissions.
  • Checking permissions on sub-commands issued to the batch command.

Wire protocol commands that do not declare wire protocol permissions are assumed to be read-write commands, and a server in its default configuration (which only allows read-only access) will refuse to execute them.

1.2. Backwards Compatibility Changes

  • The "batch" wire protocol command now enforces permissions of each invoked sub-command. Wire protocol commands must define their operation type or the "batch" command will assume they can write data and will prevent their execution on HTTP servers unless the HTTP request method is POST, the server is configured to allow pushes, and the (possibly authenticated) HTTP user is authorized to perform a push.
  • Wire protocol commands not defining their operation type in "wireproto.PERMISSIONS" are now assumed to be used for "push" operations and access control to run those commands is now enforced accordingly.

1.3. Bug Fixes

  • fileset: don't abort when running copied() on a revision with a removed file
  • date: fix parsing months
  • setup: only allow Python 3 from a source checkout (issue5804)
  • annotate: do not poorly split lines at CR (issue5798)
  • subrepo: don't attempt to share remote sources (issue5793)
  • subrepo: activate clone pooling to enable sharing with remote URLs
  • changegroup: do not delta lfs revisions
  • revlog: do not use delta for lfs revisions
  • revlog: resolve lfs rawtext to vanilla rawtext before applying delta

2. Mercurial 4.5 (2018-02-01)

2.1. New Features

2.1.1. revert --interactive

The revert command now accepts the flag --interactive to allow reverting only some of the changes to the specified files.

2.1.2. Accessing hidden changesets

Set config option 'experimental.directaccess = True' to access hidden changesets from read only commands.

2.1.3. githelp extension

The githelp extension provides the hg githelp command. This command attempts to convert a git command to its Mercurial equivalent. The extension can be useful to Git users new to Mercurial.

2.1.4. Largefiles changes

  • largefiles: add a 'debuglfput' command to put largefile into the store
  • largefiles: add support for 'largefiles://' url scheme
  • largefiles: allow running 'debugupgraderepo' on a repo with largefiles
  • largefiles: convert EOL of hgrc before appending to bytes IO
  • largefiles: explicitly set the source and sink types to 'hg' for lfconvert
  • largefiles: modernize how capabilities are added to the wire protocol

2.2. hgweb changes

hgweb now shows more information about commits: phase (if it's not public), obsolescence status (with a short explanation and links to the successors) and instabilities (e.g. orphan, phase-divergent or content-divergent).

Client-side graph code has been simplified by delegating more work to the backend, so /graph page is now more in sync with /log page, visually and feature-wise. Unfortunately, this code change means that 3rd-party themes for 4.5+ are required to have graphentry.tmpl template available (copy it from the base theme if you don't use %include and then reference it in map file) and render entries in graph.tmpl -- look at one of the core themes to see what it needs to look like. JS functions that create graph vertices and edges are now available in Graph.prototype, making it possible to call the original functions from custom theme-specific functions if needed.

Graph now shows different symbols for normal, branch-closing, obsolete and unstable commits, and marks currently checked out commit with a circle around its graph node.

There's also now json-graph API endpoint that can be used for rendering commit graph in 3rd-party applications.

2.2.1. Other Changes

  • When interactive revert is run against a revision other than the working directory parent, the diff shown is the diff to apply to the working directory, rather than the diff to discard from the working copy. This is in line with related user experiences with 'git' and appears to be less confusing with 'ui.interface=curses'.

  • Let 'hg rebase' avoid content-divergence by skipping obsolete changesets (and their descendants) when they are present in the rebase set along with one of their successors but none of their successors is in destination.
  • A new experimental config flag, 'rebase.experimental.inmemory', makes rebase perform an in-memory merge instead of doing it on-disk in the working copy.
  • The HGPLAINEXCEPT environment variable can now include color to allow automatic output colorization in otherwise automated environments.

  • A new unamend command in the uncommit extension undoes the effect of the amend command: it creates a new changeset matching the one that existed before the amend and moves the amended changes back to the working directory.
  • A '--abort' flag to merge command to abort the ongoing merge.
  • An experimental flag '--rev' to 'hg branch' which can be used to change branch of changesets.
  • bundle2 read I/O significantly improved
  • bundle2 memory use significantly reduced during read
  • clonebundle: it is now possible to serve the clonebundle using a git-lfs compatible server.
  • templatefilters: add slashpath() to convert path separator to slash (issue5572)

  • A new experimental config flag, 'inline-color-diff', adds within-line color diff capacity
  • histedit: add support to output nodechanges using formatter to help with editor integrations

2.3. Backwards Compatibility Changes

  • log --follow-first -rREV, which is deprecated, now follows the first parent of merge revisions from the specified REV just like log --follow -rREV.

  • log --follow -rREV FILE.. now follows file history across copies and renames.

  • transaction: register summary callbacks only at start of transaction
  • hgweb's graph view no longer supports browsers that lack <canvas> support

  • hgweb: only include graph-related data in jsdata variable on /graph pages
  • graphlog: add another graph node type, unstable, using character *

  • remove: print message for each file in verbose mode only while using '-A'

2.4. Bug Fixes

  • Bookmarks whose names are longer than 255 can again be exchanged between 4.4+ clients and servers (issue5165)

  • The convert extension works with bzr < 2.6.0 again (issue5733)

  • Mercurial will now attempt to use hardlinks on NTFS on Windows (issue4580)

  • The revset x^:: is now correctly parsed as (x^):: instead of being an error (issue5764)

  • Setting the diff.noprefix configuration option no longer breaks the --stat flag on hg diff (issue5759)

  • hg outgoing now honors :pushurl paths from hgrc (issue5365)

  • log: translate column labels at once (issue5750)

  • patch: improve heuristics to not take the word diff as header (issue1879)

  • templater: look up symbols/resources as if they were separated (issue5699)

  • http and ssh: support for emitting extra debug logs about requests as they happen

2.5. API Changes

  • bundlerepo.bundlerepository.bundle and bundlerepo.bundlerepository.bundlefile are now prefixed with an underscore.

  • Rename bundlerepo.bundlerepository.bundlefilespos to _cgfilespos.
  • dirstate no longer provides a 'dirs()' method. To test for the existence of a directory in the dirstate, use 'dirstate.hasdir(dirname)'.
  • mapping does not contain all template resources. Use context.resource() in template functions.
  • text=False|True option is dropped from the vfs interface because of Python 3 compatibility issue. Use util.tonativeeol/fromnativeeol() to convert EOL manually.

  • wireproto.streamres.__init__ no longer accepts a reader argument. Use the gen argument instead.

  • exchange.getbundlechunks() now returns a 2-tuple instead of just an iterator.
  • bundle2 parts are no longer seekable by default
  • memfilectx: the changectx argument is now mandatory in constructor

3. Mercurial 4.4.2 (2017-12-01)

This is a regularly-scheduled bugfix release.

3.1. Notable changes

3.1.1. Stricter command option parsing

Mercurial can now optionally parse "early" options (-R/--repository, --cwd, --config, --debugger, and --profile) more strictly, for more secure integration with tools that invoke 'hg' commands. Setting HGPLAIN=+strictflags will parse these options more strictly, which prevents them from being injected as arguments to other flags.

3.2. Bug fixes

  • 'hg amend' now correctly handles deleted and removed files, as well as subrepos. (issue5732, issue5677)

  • largefiles now correctly handles dropped standin files when updating largefiles.
  • Fixed an issue with deleting symlinks to directories when ui.origbackuppath is set. (issue5731)

3.3. Performance improvements

  • Improved performance in path conflict checking introduced in Mercurial 4.4. (issue5716)

4. Mercurial 4.4.1 (2017-11-07)

4.1. Notable changes

  • Git and Subversion subrepos have been disabled by default to mitigate a potential security risk if files overlapping with a subrepo managed to be committed to a repository.
  • Subrepos are now more paranoid about symlink traversal.
  • The share extension handles drive letters on Windows better.

It is possible that a specially malformed repository can cause Git subrepositories to run arbitrary code in the form of a .git/hooks/post-update script checked in to the repository in Mercurial 4.4 and earlier. Typical use of Mercurial prevents construction of such repositories, but they can be created programmatically.

5. Mercurial 4.4 (2017-11-01)

5.1. Notable changes

5.1.1. Control whitespace settings for annotation on hgweb

/annotate URLs on hgweb now accept query string arguments to influence how whitespace changes impact results.

The arguments "ignorews," "ignorewsamount," "ignorewseol," and "ignoreblanklines" now have the same meaning as their [annotate] config section counterparts. Any provided setting overrides the server default.

HTML checkboxes have been added to the paper and gitweb themes to expose current whitespace settings and to easily modify the current view.

5.1.2. Fast, heuristic copy-tracing

A new, fast heuristic algorithm for copytracing assumes that file moves are either:

  1. renames in the same directory
  2. moves in other directories with same names

You can use this algorithm by setting 'experimental.copytrace=heuristics'. This setting performs full copytracing if both the source and destination branches contain non-public changesets only.

5.1.3. Other changes

  • Estimated time is more accurate with non-linear progress
  • "hg status -v" can now show unfinished state. For example, when in an unfinished rebase state, "hg status -v" might show:
     # The repository is in an unfinished *rebase* state.
     # No unresolved merge conflicts.
     # To continue:                hg rebase --continue
     # To abort:                   hg rebase --abort
  • Added '--ignore-space-at-eol' diff option to ignore whitespace differences at line endings.
  • show: use consistent node length in views
  • show: decrease minimum displayed hash length from 5 to 4
  • A new uncommit extension which provides 'hg uncommit' using which one can uncommit part or all of the changeset. This command undoes the effect of a local commit, returning the affected files to their uncommitted state.
  • 'hg clone --uncompressed' uses clone bundles when possible
  • 'hg annotate --skip' now prints a '*' on lines with skipped revisions
  • New 'commands.update.check' feature to adjust constraints on when 'hg update' will allow updates with a dirty working copy.
  • Add an experimental -L/--line-range FILE,FROMLINE:TOLINE option to 'hg log' command to follow the history of files by line range. In combination with -p/--patch option, only diff hunks within specified line range will be displayed. Feedback, especially on UX aspects, is welcome.

  • Print warning when fsmonitor isn't being used on a large repository

5.2. Backwards Compatibility Changes

  • The config option for copytrace 'experimental.disablecopytrace' is now replaced with 'experimental.copytrace' which defaults to 'on'. If you need to turn off copytracing, add '[experimental] copytrace = off' to your config.
  • 'hg clone --stream' should now be used instead of --uncompressed. --uncompressed is marked as deprecated and is an alias for --stream. There is no schedule for elimination of --uncompressed.
  • The 'experimental.updatecheck' name for the new 'commands.update.check' feature is now deprecated, and will be removed after this release.
  • Mercurial subrepositories are now shared instead of cloned when the parent repository is shared. This prevents dangling subrepository references in the share source. Previously shared repositories with cloned subrepositories will continue to function unchanged.
  • Push no longer triggers a pushkey hook when updating phases. Use the new 'txnclose-phase' and 'txnclose-phase' hooks instead. (Applies when both server and client use version 4.4 or above).

5.3. Bug Fixes

  • Core rebase algorithm has been rewritten to be more robust (issue5578, issue5630)

  • Creating a share of a repository with a Mercurial subrepository will now share the subrepository (issue5675)

5.4. Performance Improvements

  • improved performance when many aliases are defined

5.5. API Changes

5.5.1. remove peer.batch()

Replace with peer.iterbatch().

5.5.2. Other Changes

  • @peer.batchable can no longer emit local values
  • @peer.batchable functions must now yield exactly 2 values
  • Rename attributes on sshpeer to reflect peer API
  • peer.peerrepository has been removed. Use repository.peer abstract base class to represent a peer repository.
  • revset.stringset() now takes 'order' as the last argument.

6. Mercurial 4.3.3 (2017-10-01)

  • Prevent crashes when clearing progress bar. (issue5684)

  • rebase: move bookmarks with --keep (issue5682)

7. Mercurial 4.3.2 (2017-09-18)

  • restore compatibility with older versions of Python 2.7 by not using a bytearray with struct.unpack_from()
  • restore mingw compatibility for setup.py
  • hgwebdir: read 'web.template' untrusted (plugs potential security issue)
  • repair: preserve phase when not using generaldelta (issue5678)

  • ssh: fix flakey ssh errors on BSD systems
  • restore error handling behavior around certain I/O errors; the regressed behavior could result in transactions not being properly rolled back if stdio handles encountered errors (issue5658)

  • templatekw: choose {latesttag} by len(changes), not date (issue5659)

  • record: fix revert -i for lines without newline (issue5651)

  • mq: create non-lossy patches, also with custom global diff configuration

8. Mercurial 4.3 / 4.3.1 (2017-08-10)

(4.3.1 was released immediately after 4.3 to fix a release oversight.)

An overview of new features available. This is a regularly-scheduled quarterly feature release.

8.1. Notable changes

  • experimental amend extension providing the amend command
  • experimental sparse extension
  • Support for Python 2.6 has been dropped.
  • Bundles created by the strip extension now store phase information. It will be restored when unbundling.
  • The strip extension now removes relevant obsmarkers. If a backup is requested (the default), the obsmarkers are stored in the backup bundle and will be restored when unbundling.
  • hg show work (from the experimental show extension) now displays more info

  • hg show stack is a new view for the current, in-progress changeset and others around it

  • Mitigation for two security vulnerabilities

8.2. CVE-2017-1000115

Mercurial's symlink auditing was incomplete prior to 4.3, and could be abused to write to files outside the repository.
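An added illustration of the kind of check the fix is about (example code, not Mercurial's own pathauditor): before a manifest path is written into a working directory, every existing prefix of it is inspected with lstat, and a symlink on the way is refused, since it could point outside the checkout. The function names and the scratch layout built by `demo()` are constructed for this example; the '..', absolute-path and '.hg' rules are the usual working-directory auditing rules, added here for completeness.

```python
"""Audit a manifest path before writing it into a working directory.

Added illustration, not Mercurial's own pathauditor: it shows the kind of
check CVE-2017-1000115 is about. A repository can contain a symlink whose
target lies outside the checkout; a later file in the same repository whose
path passes through that symlink would otherwise be written outside it.
"""
import os
import stat
import tempfile


class PathAuditError(ValueError):
    """Raised when a path must not be written under the working directory."""


def audit_path(root, path):
    """Return the filesystem location for manifest path ``path`` under
    ``root``, or raise PathAuditError.

    ``path`` is '/'-separated and relative, as stored in a manifest.
    Rejected: absolute paths, empty/'.'/'..' components, a '.hg' component
    (the repository's own metadata directory), and any existing prefix
    that is a symbolic link or not a directory.
    """
    if not path or path.startswith('/') or '\\' in path:
        raise PathAuditError('path %r is absolute or malformed' % path)
    parts = path.split('/')
    if any(p in ('', '.', '..') for p in parts):
        raise PathAuditError('path %r contains an illegal component' % path)
    if any(p.lower() == '.hg' for p in parts):
        raise PathAuditError('path %r is inside the .hg directory' % path)

    # Walk the prefixes of the path that already exist on disk. The first
    # symlink on the way is refused even if it currently points inside root:
    # an earlier file of the same changeset may have created or repointed it.
    prefix = root
    for part in parts[:-1]:
        prefix = os.path.join(prefix, part)
        try:
            st = os.lstat(prefix)  # lstat: do not follow the link itself
        except FileNotFoundError:
            break  # nothing below this point exists yet; it will be created
        if stat.S_ISLNK(st.st_mode):
            raise PathAuditError('path %r traverses symbolic link %r'
                                 % (path, os.path.relpath(prefix, root)))
        if not stat.S_ISDIR(st.st_mode):
            raise PathAuditError('path %r goes through non-directory %r'
                                 % (path, os.path.relpath(prefix, root)))
    return os.path.join(root, *parts)


def is_safe_path(root, path):
    """Boolean wrapper around audit_path for callers that only need yes/no."""
    try:
        audit_path(root, path)
        return True
    except PathAuditError:
        return False


def demo():
    """Construct a scratch checkout (sample layout) containing a symlink
    that points outside it, then audit a few sample paths. Returns
    {path: allowed}."""
    root = tempfile.mkdtemp(prefix='wdir-')
    outside = tempfile.mkdtemp(prefix='outside-')
    os.makedirs(os.path.join(root, 'docs'))
    os.symlink(outside, os.path.join(root, 'escape'))
    probes = ['docs/README', 'new/dir/file.txt', 'escape/owned',
              '../sibling', '.hg/hgrc', '/absolute/path']
    return {p: is_safe_path(root, p) for p in probes}


if __name__ == '__main__':
    for p, ok in demo().items():
        print('%-20s %s' % (p, 'ok' if ok else 'REJECTED'))
```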

8.3. CVE-2017-1000116

Mercurial was not sanitizing hostnames passed to ssh, allowing shell injection attacks on clients by specifying a hostname starting with -oProxyCommand. This is also present in Git (CVE-2017-1000117) and Subversion (CVE-2017-9800), so please patch those tools as well if you have them installed.
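The check behind the fix, as an added example (not Mercurial's own code): a remote given as `ssh://HOST/repo` ends up on the local ssh command line, so a URL whose host part begins with `-` is refused before any process is started, and the argv is built as a list rather than a shell string. Function names, the argv shape and the sample URLs are assumptions made for this illustration.

```python
"""Refuse ssh:// URLs whose host part would be parsed by ssh as an option.

Added illustration, not Mercurial's own code: it shows the check behind the
CVE-2017-1000116 fix. The remote for ``hg pull ssh://HOST/repo`` ends up as
an argument to the local ssh client, so a HOST beginning with '-' would be
read as an ssh option rather than a hostname.
"""
from urllib.parse import unquote


class UnsafeSshUrl(ValueError):
    """Raised for a URL that must not be handed to an ssh command line."""


def checksafessh(url):
    """Return ``url`` unchanged if its host part cannot be mistaken for an
    ssh option; raise UnsafeSshUrl otherwise.

    The test runs on the percent-decoded form so that an encoded '-'
    ('%2D') cannot bypass it. Only schemes that launch a local ssh client
    are inspected; other schemes are passed through untouched.
    """
    decoded = unquote(url)
    for scheme in ('ssh://', 'svn+ssh://'):
        if decoded.startswith(scheme) and decoded[len(scheme):].startswith('-'):
            raise UnsafeSshUrl('potentially unsafe url: %r' % url)
    return url


def is_safe_ssh_url(url):
    """Boolean form of checksafessh for callers that only need yes/no."""
    try:
        checksafessh(url)
        return True
    except UnsafeSshUrl:
        return False


def ssh_argv(url, sshcmd='ssh', remotecmd='hg'):
    """Build the argv list that reaches ``hg serve --stdio`` on the remote:
    ``ssh [-p PORT] [USER@]HOST hg -R PATH serve --stdio``.

    Two defences are combined: checksafessh() above, and an argument list
    (never a shell string) so nothing from the URL is re-parsed by a shell.
    URL splitting here is deliberately minimal (no IPv6 literals).
    """
    checksafessh(url)
    if not url.startswith('ssh://'):
        raise UnsafeSshUrl('not an ssh:// url: %r' % url)
    netloc, _, path = url[len('ssh://'):].partition('/')
    userhost, port = netloc, None
    if ':' in netloc.rsplit('@', 1)[-1]:  # port belongs to the host, not the user
        userhost, port = netloc.rsplit(':', 1)
    argv = [sshcmd]
    if port:
        argv += ['-p', port]
    argv += [userhost, remotecmd, '-R', path, 'serve', '--stdio']
    return argv


if __name__ == '__main__':
    print(ssh_argv('ssh://alice@hg.example.com:2222/projects/repo'))
    try:
        ssh_argv('ssh://-oProxyCommand=x/repo')
    except UnsafeSshUrl as err:
        print('refused:', err)
```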

9. Mercurial 4.2.3 (2017-08-10)

This was an out-of-cycle backport of security fixes from 4.3 for users stuck on Python 2.6.

10. Mercurial 4.2.2 (2017-07-05)

This is a regularly-scheduled bugfix release.

  • largefiles: avoid a crash when archiving a subrepo with largefiles disabled
  • rebase: also test abort from pretxnclose error
  • rebase: backed out changes 2519994d25ca and cf8ad0e6c0e4 (issue5610)
  • rebase: reinforce testing around precommit hook interrupting a rebase

11. Mercurial 4.2.1 (2017-6-4)

This is a regularly-scheduled bugfix release.

  • hg graft now works when grafting across merges that were problematic before (b4e1e30528c7).
  • A race condition in hg status was partially fixed (issue5584).
  • The message about deprecated SHA-1 hashes in the [hostfingerprints] config section now references the correct syntax for replacing them with SHA-256 hashes (issue5559).

12. Mercurial 4.2 (2017-5-2)

An overview of new features available. This is a regularly-scheduled quarterly feature release.

12.1. Notable changes

  • Pager support has been moved into core and is now enabled by default. This is now controlled with the ui.paginate setting.
    • Note that in 4.2-rc, the ui.paginate option was named pager.enable. The old name has been dropped in the final release. If you had turned pagination off using pager.enable=False, please update your config.
  • Color support has also been moved into core and is now enabled by default (the ui.color setting now defaults to 'auto').
  • The new experimental 'show' extension provides a way to view various information about your repository in an ergonomic way. It is deliberately designed for human consumption and not for scripting, so it doesn't carry the same backward compatibility guarantees as other commands. See 'hg help -e show' for more information.

  • Mercurial now requires setuptools on Windows.

12.2. commands

  • Pager support has been added to the 'log', 'diff', 'branches', 'files', 'status', 'summary', and 'tags' commands, as well as the '--patch', '--list', and '--stat' options of hg shelve.
  • bisect: set a blockedtag when running the check command
  • bookmarks: check HG_PENDING strictly
  • branches: populate all template keywords in formatter
  • commandserver: handle backlog before exiting
  • commandserver: prevent unlinking socket twice
  • commit: optionally strip quotes from commit template (BC)
  • diff: add --binary option for git mode diffs
  • help: add pointer how to narrow list of resolved/unresolved files (issue5469)
  • pager: advertise the config option in the default hgrc
  • pager: avoid shell=True on subprocess.Popen for better errors (issue5491)
  • pager: don't terminate with extreme prejudice on SIGPIPE (BC)
  • pager: exit cleanly on SIGPIPE (BC)
  • pager: improve support for various flavors of 'more' on Windows
  • pager: use less as a fallback on Unix
  • pull: abort pull --update if config requires destination (issue5528)
  • serve: add support for Mercurial subrepositories
  • status: handle more node indicators in buildstatus
  • status: support commands.status.relative config
  • update: accept --merge to allow merging across topo branches (issue5125)
  • verify: fix length check

12.3. core

  • bundle2: ignore errors seeking a bundle after an exception (issue4784)
  • checkheads: upgrade the obsolescence postprocessing logic (issue4354)
  • color: insert color code after every "\e[0m" (issue5413)
  • color: sync text attributes and buffered text output on Windows (issue5508)
  • config: use "churn" as an example extension
  • config: drop pager from the recommended extension
  • context: optimize linkrev adjustment in blockancestors() (issue5538)
  • crecord: avoid setting non-existing SIGTSTP signal on windows (issue5512)
  • debian: configure editor and pager to sensible-editor and sensible-pager by default
  • dispatch: ignore further SIGPIPE while handling KeyboardInterrupt
  • dispatch: protect against malicious 'hg serve --stdio' invocations (SEC)
  • dispatch: start profiling earlier
  • filemerge: optionally strip quotes from merge marker template (BC)
  • formatter: add support for changeset templating
  • formatter: support json formatting of long type
  • graphlog: draw multiple edges towards null node (issue5440)
  • graphlog: optionally strip quotes from graphnode template (BC)
  • localrepo: deprecate 'repo.join' in favor of 'repo.vfs.join'
  • localrepo: deprecate 'repo.opener' (API)
  • localrepo: deprecate 'wfile'
  • localrepo: deprecated 'repo.wopener' (API)
  • match: adding support for matching files inside a directory
  • packaging: add make target for linux wheels
  • patch: make diff in git mode respect --text option (issue5510)
  • plain: ignore [commands] config
  • profiling: add statprof support for Chrome trace viewer rendering
  • progress: retry ferr.flush() and .write() on EINTR (issue5532)
  • py3: stop exporting urlparse from pycompat and util (API)
  • rcutil: let environ override system configs (BC)
  • rcutil: let rccomponents return different types of configs (API)
  • rcutil: move scmutil.*rcpath to rcutil (API)
  • rcutil: rename rcpath to rccomponents (API)
  • rcutil: split osrcpath to return default.d paths (API)
  • record: update help message to use operation instead of "record" (issue5432)
  • revlog: avoid applying delta chain on cache hit
  • revset: split language services to revsetlang module (API)
  • revset: stop supporting plain list as input set (API)
  • revset: stop supporting predicate that returns plain list (API)
  • setup: use setuptools on Windows (issue5400)
  • smartset: move set classes and related functions from revset module (API)
  • sshpeer: try harder to snag stderr when stdout closes unexpectedly
  • templatefilter: add support for 'long' to json()
  • templatekw: have showlist() take mapping dict with no **kwargs expansion (API)
  • templatekw: make join() escape values of extras (BC) (issue5504)
  • templater: make pad() strip color codes before computing width (issue5416)
  • test-profile: allow negative time in JSON output (issue5542)
  • track-tags: write all tag changes to a file
  • util: always force line buffered stdout when stdout is a tty (BC)
  • vfs: extract 'vfs' class and related code to a new 'vfs' module (API)

12.4. extensions

  • histedit: log the time taken to read in the commands list
  • histedit: make check for unresolved conflicts explicit (issue5545)
  • histedit: modify rollup to discard date from the rollup commit (issue4820)
  • histedit: use safecleanupnode in _aborthistedit (issue5500)
  • largefiles: add copytostore() fstandin argument to replace readstandin() (API)
  • largefiles: add lfile argument to updatestandin() for efficiency (API)
  • largefiles: make copytostore() accept only changectx as the 2nd argument (API)
  • largefiles: omit updating newly added standin at linear merging
  • largefiles: remove unused keyword argument of copytostore() (API)
  • largefiles: replace hashrepofile by hashfile (API)
  • largefiles: set the extension as enabled locally after a share requiring it
  • patchbomb: add config knob to generate flags by template (issue5354)
  • patchbomb: drop internal option for pbranch extension (API)
  • patchbomb: use modern pager to display -n/--test result (BC)
  • rebase: abort hg pull --rebase if rebase.requiredest is set (issue5514)
  • rebase: abort if *any* commit in rebase set is public
  • rebase: add flag to require destination
  • rebase: allow aborting if last-message.txt is missing
  • rebase: allow destination-free continue and abort (issue5513)
  • rebase: allow rebasing children of wd to wd if a new branch has been set (BC)
  • rebase: unhide original working directory node as well (issue5219)
  • shelve: add -n/--name option to unshelve (issue5475)
  • shelve: add logic to preserve active bookmarks
  • show: new extension for displaying various repository data

12.5. hgweb

  • hgweb: add a "patch" query parameter to filelog command
  • hgweb: do not show "descending" link in followlines UI for filelog heads
  • hgweb: handle a "descend" query parameter in filelog command
  • hgweb: handle a "linerange" request parameter in filelog command
  • hgwebdir: add support for explicit index files

12.6. Behavior changes

  • commit: optionally strip quotes from commit template (BC)
  • filemerge: optionally strip quotes from merge marker template (BC)
  • graphlog: optionally strip quotes from graphnode template (BC)
  • pager: don't terminate with extreme prejudice on SIGPIPE (BC)
  • pager: exit cleanly on SIGPIPE (BC)
  • patchbomb: use modern pager to display -n/--test result (BC)
  • rcutil: let environ override system configs (BC)
  • rebase: allow rebasing children of wd to wd if a new branch has been set (BC)
  • templatekw: make join() escape values of extras (BC) (issue5504)
  • util: always force line buffered stdout when stdout is a tty (BC)

12.7. Internal API changes

  • largefiles: add copytostore() fstandin argument to replace readstandin() (API)
  • largefiles: add lfile argument to updatestandin() for efficiency (API)
  • largefiles: make copytostore() accept only changectx as the 2nd argument (API)
  • largefiles: remove unused keyword argument of copytostore() (API)
  • largefiles: replace hashrepofile by hashfile (API)
  • localrepo: deprecate 'repo.opener' (API)
  • localrepo: deprecated 'repo.wopener' (API)
  • patchbomb: drop internal option for pbranch extension (API)
  • py3: stop exporting urlparse from pycompat and util (API)
  • rcutil: let rccomponents return different types of configs (API)
  • rcutil: move scmutil.*rcpath to rcutil (API)
  • rcutil: rename rcpath to rccomponents (API)
  • rcutil: split osrcpath to return default.d paths (API)
  • revset: split language services to revsetlang module (API)
  • revset: stop supporting plain list as input set (API)
  • revset: stop supporting predicate that returns plain list (API)
  • smartset: move set classes and related functions from revset module (API)
  • templatekw: have showlist() take mapping dict with no **kwargs expansion (API)
  • vfs: extract 'vfs' class and related code to a new 'vfs' module (API)

13. Mercurial 4.1.3 (2017-4-18)

This is an out of cycle release to address a security issue:

  • hg serve --stdio could be tricked into granting authorized users access to the Python debugger. Thanks to Jonathan Claudius of Mozilla for reporting this issue. This issue is only a security issue for repositories served using --stdio, which includes ssh but *not* http. This is CVE-2017-9462.

14. Mercurial 4.1.2 (2017-4-3)

This is a regularly-scheduled bugfix release.

  • Mercurial should work inside IIS on Windows again. (issue5493)
  • zstd support now refuses to work on old bundle formats. (issue5506)
  • Merges involving subrepositories no longer crash in some cases. (issue5505)
  • Checking for new heads during push is no longer accidentally quadratic

15. Mercurial 4.1.1 (2017-3-2)

This is a regularly-scheduled bugfix release.

  • Several incorrect mailing list addresses have been corrected.
  • Various error cases have been corrected during push and pull.
  • Minor issues that happened when Mercurial spawned worker processes have been fixed.

16. Mercurial 4.1 (2017-2-1)

An overview of new features available. This is a regularly-scheduled quarterly feature release.

16.1. commands

  • commands: config option to control bundle compression level
  • crecord: add an experimental option for space key to move cursor down
  • crecord: rewrite status line text (BC)
  • diff: add experimental support for more git-diff extended diff features
  • graft: support grafting changes to new file in renamed directory (issue5436)
  • help: show help for disabled extensions (issue5228)
  • help: update help for 'hg update' which was misleading (issue5427)
  • merge: fix crash on criss cross merge with dir move and delete (issue5020)
  • summary: add evolution "troubles" information to summary output
  • summary: use the same labels as log command in "parent: " line
  • templates: display evolution "troubles" in command line style

16.2. core

  • changelog: keep track of file end in appender (issue5444)
  • dispatch: stop supporting non-use of @command (API)
  • hook: do not redirect stdout/err/in to ui while running in-process hooks (BC)
  • httppeer: advertise and support application/mercurial-0.2
  • localrepo: experimental support for non-zlib revlog compression
  • manifest: add bundlemanifestlog support
  • manifest: add unionmanifestlog support
  • manifest: make revlog verification optional
  • patch: add experimental config knob for displaying the index header
  • patch: add similarity config knob in experimental section
  • patch: add label for coloring the index extended header
  • patch: add label for coloring the similarity extended header
  • profiling: make statprof the default profiler (BC)
  • profiling: use vendored statprof and upstream enhancements (BC)
  • revlog: REVIDX_EXTSTORED flag
  • revlog: add clone method
  • revlog: ensure that flags do not overflow 2 bytes
  • revlog: flag processor
  • revlog: inline start() and end() for perf reasons
  • revlog: make compressed size comparisons consistent
  • revlog: merge hash checking subfunctions
  • revlog: move decompress() from module to revlog class (API)
  • revlog: optimize _chunkraw when startrev==endrev
  • revlog: pass revlog flags to addrevision
  • revlog: reorder index accessors to match data structure order
  • revlog: use compression engine API for compression
  • revlog: use compression engine APIs for decompression
  • revset: add regular expression support to 'desc'
  • revset: make children() not look at p2 if null (issue5439)
  • run-tests: forward Python USER_BASE from site (issue5425)
  • server: move cmdutil.service() to new module (API)
  • templatekw: force noprefix=False to insure diffstat consistency (issue4755)
  • ui: check EOF of getpass() response read from command-server channel
  • ui: do not translate empty configsource() to 'none' (API)
  • ui: factor out ui.load() to create a ui without loading configs (API)
  • util: compression APIs to support revlog compression and decompression
  • util: declare wire protocol support of compression engines
  • wireproto: advertise supported media types and compression formats
  • wireproto: only advertise HTTP-specific capabilities to HTTP peers (BC)
  • wireproto: perform chunking and compression at protocol layer (API)

16.3. extensions

  • convert: add config option to control storing original revision
  • convert: add config option to copy extra keys from Git commits
  • convert: config option for git rename limit
  • convert: config option to control Git committer actions
  • rebase: calculate ancestors for --base separately (issue5420)
  • rebase: check for conflicts before continuing
  • rebase: fail-fast the pull if working dir is not clean (BC)
  • shelve: allow multiple shelves with --patch and --stat
  • shelve: choose a legal shelve name when no name is passed (issue5112)
  • shelve: make --keep option survive user intervention (issue5431)
  • shelve: make unshelve not crash when there are missing files (issue4176)

16.4. hgweb

  • hgweb: link to raw-file on annotation page (BC)
  • hgweb: make log streams compatible with command server
  • hgweb: restore ascending iteration on revs in filelog web command
  • hgweb: support Content Security Policy

16.5. chg

  • chg: send type information via S channel (BC)
  • chg: support long socket path
  • chgserver: make S channel support pager request
  • chgserver: override runcommand

16.6. Behavior Changes

  • chg: send type information via S channel (BC)
  • crecord: rewrite status line text (BC)
  • hgweb: link to raw-file on annotation page (BC)
  • hook: do not redirect stdout/err/in to ui while running in-process hooks (BC)
  • profiling: make statprof the default profiler (BC)
  • profiling: use vendored statprof and upstream enhancements (BC)
  • rebase: fail-fast the pull if working dir is not clean (BC)
  • wireproto: only advertise HTTP-specific capabilities to HTTP peers (BC)

16.7. Internal API Changes

  • bookmarks: make bookmarks.comparebookmarks accept binary nodes (API)
  • bookmarks: rename 'compare()' to 'comparebookmarks()' (API)
  • revlog: move decompress() from module to revlog class (API)
  • server: move cmdutil.service() to new module (API)
  • ui: do not translate empty configsource() to 'none' (API)
  • ui: factor out ui.load() to create a ui without loading configs (API)
  • util: remove compressors dict (API)
  • util: remove decompressors dict (API)
  • wireproto: perform chunking and compression at protocol layer (API)
  • dispatch: stop supporting non-use of @command (API)

17. Mercurial 4.0.2 (2017-01-04)

This is a regularly-scheduled bugfix release.

  • demandimport: do not raise ImportError for unknown item in fromlist
  • posix: make poll() restart on interruption by signal (issue5452)
  • hgweb: add missing slash to file log url in rss style

18. Mercurial 4.0.1 (2016-12-1)

This is a regularly-scheduled bugfix release.

  • hgweb: cache fctx.parents() in annotate command (issue5414)
  • vfs, scmutil: ignore EPERM at os.utime, which avoids ambiguity (issue5418)

19. Mercurial 4.0 (2016-11-1)

An overview of new features available. This is a regularly-scheduled quarterly feature release. Unlike other 4.0 software releases, this is simply 3.9 + .1, so it should be the usual pain-free upgrade.

19.1. commands

  • annotate: calculate line count correctly
  • branchmap: acquires lock before writing the rev branch cache
  • clone: set default path correctly when doing a clone+share (issue5378)
  • copy: distinguish "file exists" cases and add a hint (BC)
  • commit: return 1 for interactive commit with no changes (issue5397)
  • config: add template support
  • debugobsolete: add formatter support (issue5134)
  • files: change documentation to match its behaviour (issue5276)
  • grep: add formatter support
  • help: show content for explicitly disabled extension (issue5228)
  • import: abort instead of crashing when copy source does not exist (issue5375)
  • import: report directory-relative paths in error messages (issue5224)
  • log: copy the way of ancestor traversal to --follow matcher (issue5376)
  • log: preserve topo sort in graph even if additional filter options specified
  • merge: add conflict labels to merge command
  • merge: avoid superfluous filemerges when grafting through renames (issue5407)
  • strip: report both bundle files in case of exception (issue5368)
  • tag: clarify warning about making a tag on a branch head
  • version: add formatter support
  • flags: allow specifying --no-boolean-flag on the command line (BC)

19.2. core

  • changelog: disable delta chains
  • copies: make _checkcopies handle copy sequences spanning the TCA (issue4028)
  • formatter: add function to convert list to appropriate format (issue5217)
  • lock: show more detail for new-style locks in lock waiting message (issue4752)
  • revset: do not rewrite ':y' to '0:y' (issue5385)
  • revset: fix order of nested '_(|int|hex)list' expression (BC)
  • revset: fix order of nested 'or' expression (BC)
  • revset: fix order of nested 'range' expression (BC)
  • revset: make reverse() and sort() no-ops when ordering requirement allows (BC)
  • revset: support "follow(renamed.py, e22f4f3f06c3)" (issue5334)
  • templater: provide a termwidth keyword (issue5395)
  • templater: add inheritance support to style maps
  • templater: add relpath() to convert repo path to relative path (issue5394)
  • templater: make pad() evaluate boolean argument (BC)
  • wireproto: unescape argument names in batch command (BC)

19.3. extensions

  • journal: properly check for held lock (issue5349)
  • journal: use fm.formatdate() to pass date tuple in appropriate type (BC)
  • journal: use fm.formatlist() to pass hashes in appropriate type (BC)
  • journal: use fm.hexfunc() to get full hash in JSON/template output (BC)
  • largefiles: fix 'deleted' files sometimes persistently appearing with R status
  • largefiles: handle that a found standin file doesn't exist when removing it
  • largefiles: more safe handling of interruptions while updating modifications
  • largefiles: when setting/clearing x bit on largefiles, don't change other bits
  • mq: release lock after transaction in qrefresh
  • mq: take wlock when 'qqueue' is doing write operations
  • rebase: properly calculate total commits to rebase (issue5347)
  • rebase: rebase changesets in topo order (issue5370) (BC)

19.4. hgweb

  • hgweb: avoid line wrap between revision and annotate-info (issue5398)
  • hgweb: config option to control zlib compression level

WhatsNew (last edited 2024-10-28 15:33:56 by RaphaelGomes)