url: limit expansion to safe auth keys (Issue2328)

Mads Kiilerich pointed out that 1e4ade283b02 was too eager since the
prefix and password keys may contain $-signs. So this only add the
username to the list of keys that are expanded.

This also updates the documentation to match.

doc/hgrc.5.txt

@@ -232,16 +232,19 @@ Supported arguments:
     argument, q.v., is then subsequently consulted.
 ``username``
     Optional. Username to authenticate with. If not given, and the
-    remote site requires basic or digest authentication, the user
-    will be prompted for it.
+    remote site requires basic or digest authentication, the user will
+    be prompted for it. Environment variables are expanded in the
+    username letting you do ``foo.username = $USER``.
 ``password``
     Optional. Password to authenticate with. If not given, and the
     remote site requires basic or digest authentication, the user
     will be prompted for it.
 ``key``
-    Optional. PEM encoded client certificate key file.
+    Optional. PEM encoded client certificate key file. Environment
+    variables are expanded in the filename.
 ``cert``
-    Optional. PEM encoded client certificate chain file.
+    Optional. PEM encoded client certificate chain file. Environment
+    variables are expanded in the filename.
 ``schemes``
     Optional. Space separated list of URI schemes to use this
     authentication entry with. Only used if the prefix doesn't include

mercurial/url.py

@@ -156,7 +156,8 @@ class passwordmgr(urllib2.HTTPPasswordMgrWithDefaultRealm):
                 continue
             group, setting = key.split('.', 1)
             gdict = config.setdefault(group, dict())
-            val = util.expandpath(val)
+            if setting in ('username', 'cert', 'key'):
+                val = util.expandpath(val)
             gdict[setting] = val
 
         # Find the best match