hgweb: raw file mimetype guessing configurable, off by default (BC) (issue2923)
Before: hgweb made it possible to download file content with a content type
detected from the file extension. It would serve .html files as text/html and
could thus cause XSS vulnerabilities if the web site had any kind of session
authorization and the repository content wasn't fully trusted.
Now: all files default to "application/binary", which all important
browsers will refuse to treat as text/html. See the table here:
https://code.google.com/p/browsersec/wiki/Part2#Survey_of_content_sniffing_behaviors
import sys, os, __builtin__
from mercurial import util
def lowerwrap(scope, funcname):
f = getattr(scope, funcname)
def wrap(fname, *args, **kwargs):
d, base = os.path.split(fname)
try:
files = os.listdir(d or '.')
except OSError, inst:
files = []
if base in files:
return f(fname, *args, **kwargs)
for fn in files:
if fn.lower() == base.lower():
return f(os.path.join(d, fn), *args, **kwargs)
return f(fname, *args, **kwargs)
scope.__dict__[funcname] = wrap
def normcase(path):
return path.lower()
os.path.normcase = normcase
for f in 'file open'.split():
lowerwrap(__builtin__, f)
for f in "chmod chown open lstat stat remove unlink".split():
lowerwrap(os, f)
for f in "exists lexists".split():
lowerwrap(os.path, f)
lowerwrap(util, 'posixfile')