hgweb: raw file mimetype guessing configurable, off by default (BC) (issue2923)

Before: hgweb made it possible to download file content with a content type
detected from the file extension. It would serve .html files as text/html and
could thus cause XSS vulnerabilities if the web site had any kind of session
authorization and the repository content wasn't fully trusted.

Now: all files default to "application/binary", which all important
browsers will refuse to treat as text/html. See the table here:
https://code.google.com/p/browsersec/wiki/Part2#Survey_of_content_sniffing_behaviors
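
The behaviour described in the commit message, as an added example that is not part of the original commit or of Mercurial's code: a raw-download handler that only guesses the content type when explicitly asked, plus a check that lists which repository files would be served as browser-rendered content if guessing were turned on. The names raw_content_type, guess_mime, ACTIVE_TYPES and risky_if_guessing are hypothetical, and the sample files are constructed.

```python
import mimetypes

SAFE_DEFAULT = "application/binary"  # the default named in the commit message
# Types a browser renders as active content (assumed list, not exhaustive).
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}
# Instance backed by Python's built-in extension table, so results do not
# depend on the host's mime.types files.
_DB = mimetypes.MimeTypes()


def raw_content_type(path, data, guess_mime=False):
    """Content-Type for a raw file download.

    guess_mime is a hypothetical switch standing in for the configurable
    guessing the commit message describes; it is off by default.
    """
    if not guess_mime:
        return SAFE_DEFAULT
    guessed, _encoding = _DB.guess_type(path)
    if guessed is None:
        # Unknown extension: NUL bytes mean binary, otherwise plain text.
        return SAFE_DEFAULT if b"\0" in data else "text/plain"
    return guessed


def risky_if_guessing(files):
    """Paths that would be served as active content with guessing enabled."""
    return sorted(
        path for path, data in files.items()
        if raw_content_type(path, data, guess_mime=True) in ACTIVE_TYPES
    )


# Constructed sample of repository content (path -> bytes).
SAMPLE_FILES = {
    "docs/index.html": b"<html><body>hello</body></html>",
    "README.txt": b"plain text\n",
    "blob.orig": b"\x00\x01\x02",
}

if __name__ == "__main__":
    for path, data in sorted(SAMPLE_FILES.items()):
        print(path,
              "default:", raw_content_type(path, data),
              "guessing:", raw_content_type(path, data, guess_mime=True))
    print("served as active content if guessing is on:",
          risky_if_guessing(SAMPLE_FILES))
```

Running risky_if_guessing over a repository's file list before enabling guessing shows which paths would start rendering in the site's origin.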
syntax: glob
*.elc
*.orig
*.rej
*~
*.mergebackup
*.o
*.so
*.dll
*.pyd
*.pyc
*.pyo
*$py.class
*.swp
*.prof
\#*\#
.\#*
tests/.coverage*
tests/annotated
tests/*.err
build
contrib/hgsh/hgsh
dist
doc/*.[0-9]
doc/*.[0-9].gendoc.txt
doc/*.[0-9].{x,ht}ml
MANIFEST
MANIFEST.in
patches
mercurial/__version__.py
mercurial.egg-info
Output/Mercurial-*.exe
.DS_Store
tags
cscope.*
i18n/hg.pot
locale/*/LC_MESSAGES/hg.mo
hgext/__index__.py
# files installed with a local --pure build
mercurial/base85.py
mercurial/bdiff.py
mercurial/diffhelpers.py
mercurial/mpatch.py
mercurial/osutil.py
mercurial/parsers.py
syntax: regexp
^\.pc/
^\.(pydev)?project