Mercurial > hg-stable
comparison tests/test-hgweb-raw.t @ 15004:d06b9c55ddab stable
hgweb: raw file mimetype guessing configurable, off by default (BC) (issue2923)
Before: hgweb made it possible to download file content with a content type
detected from the file extension. It would serve .html files as text/html and
could thus cause XSS vulnerabilities if the web site had any kind of session
authorization and the repository content wasn't fully trusted.
Now: all files default to "application/binary", which all important
browsers will refuse to treat as text/html. See the table here:
https://code.google.com/p/browsersec/wiki/Part2#Survey_of_content_sniffing_behaviors
| author | Matt Mackall <mpm@selenic.com> |
|---|---|
| date | Sun, 31 Jul 2011 01:46:52 +0200 |
| parents | 8b252e826c68 |
| children | c5c9ca3719f9 |
comparison
15001:dd74cd1e5d49 | 15004:d06b9c55ddab |
---|---|
20 $ sleep 5 | 20 $ sleep 5 |
21 $ kill `cat hg.pid` | 21 $ kill `cat hg.pid` |
22 $ sleep 1 # wait for server to scream and die | 22 $ sleep 1 # wait for server to scream and die |
23 $ cat getoutput.txt | 23 $ cat getoutput.txt |
24 200 Script output follows | 24 200 Script output follows |
25 content-type: application/binary | |
26 content-length: 157 | |
27 content-disposition: inline; filename="some \"text\".txt" | |
28 | |
29 This is just some random text | |
30 that will go inside the file and take a few lines. | |
31 It is very boring to read, but computers don't | |
32 care about things like that. | |
33 $ cat access.log error.log | |
34 127.0.0.1 - - [*] "GET /?f=a23bf1310f6e;file=sub/some%20%22text%22.txt;style=raw HTTP/1.1" 200 - (glob) | |
35 | |
36 $ rm access.log error.log | |
37 $ hg serve -p $HGPORT -A access.log -E error.log -d --pid-file=hg.pid \ | |
38 > --config web.guessmime=True | |
39 | |
40 $ cat hg.pid >> $DAEMON_PIDS | |
41 $ ("$TESTDIR/get-with-headers.py" localhost:$HGPORT '/?f=a23bf1310f6e;file=sub/some%20%22text%22.txt;style=raw' content-type content-length content-disposition) >getoutput.txt & | |
42 $ sleep 5 | |
43 $ kill `cat hg.pid` | |
44 $ sleep 1 # wait for server to scream and die | |
45 $ cat getoutput.txt | |
46 200 Script output follows | |
25 content-type: text/plain; charset="ascii" | 47 content-type: text/plain; charset="ascii" |
26 content-length: 157 | 48 content-length: 157 |
27 content-disposition: inline; filename="some \"text\".txt" | 49 content-disposition: inline; filename="some \"text\".txt" |
28 | 50 |
29 This is just some random text | 51 This is just some random text |
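Review bot: the new test lines only exercise a .txt fixture, so neither server run covers the case the commit message motivates: an .html file under the default configuration (web.guessmime off) coming back as `content-type: application/binary` instead of text/html. Suggest adding an .html file to the fixture repository and asserting its content-type header in the default run alongside the existing `content-type: application/binary` check for the .txt file, and likewise in the `--config web.guessmime=True` run, so a regression in the mimetype path would fail the test rather than only the .txt case. A smaller point on the same lines: application/binary is not an IANA-registered media type, while application/octet-stream is the conventional choice for content that must not be rendered; either switch to it or record in the test why application/binary was chosen, so a later reader does not "correct" it.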