hgweb: raw file mimetype guessing configurable, off by default (BC) (issue2923)
Before: hgweb made it possible to download file content with a content type
detected from the file extension. It would serve .html files as text/html and
could thus cause XSS vulnerabilities if the web site had any kind of session
authorization and the repository content wasn't fully trusted.
Now: all files default to "application/binary", which all important
browsers will refuse to treat as text/html. See the table here:
https://code.google.com/p/browsersec/wiki/Part2#Survey_of_content_sniffing_behaviors
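The behaviour change described in the commit message above, as an added Python 3 example that is not hgweb's own code. The `guess_mime` switch, the function names, the NUL-byte binary heuristic and the sample files are assumptions constructed for illustration.

```python
import mimetypes

SAFE_DEFAULT = "application/binary"  # default named in the commit message
# Types a browser renders as an active document in the serving origin.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}


def raw_content_type(path, data, guess_mime=False, charset="utf-8"):
    """Pick the Content-Type for a raw file download.

    guess_mime is a hypothetical switch: False models the new default,
    True models the old extension-based guessing.
    """
    if not guess_mime:
        return SAFE_DEFAULT
    mime, _ = mimetypes.guess_type(path)
    if mime is None:
        # Assumed heuristic: a NUL byte means the content is binary.
        mime = SAFE_DEFAULT if b"\0" in data else "text/plain"
    if mime.startswith("text/"):
        mime += '; charset="%s"' % charset
    return mime


def is_renderable(content_type):
    """True when the type lets repository content run as a page."""
    return content_type.split(";")[0].strip().lower() in ACTIVE_TYPES


def renderable_paths(files, guess_mime):
    """List the paths that would be served with an active content type."""
    return [p for p, d in sorted(files.items())
            if is_renderable(raw_content_type(p, d, guess_mime))]


# Constructed sample repository content.
SAMPLE_FILES = {
    "docs/index.html": b"<script>/* constructed sample */</script>",
    "README": b"plain text\n",
    "blob": b"\x00\x01\x02",
}

if __name__ == "__main__":
    for mode in (False, True):
        print("guess_mime=%s:" % mode, renderable_paths(SAMPLE_FILES, mode))
```

Running `renderable_paths` over a repository's file list with guessing enabled shows which untrusted files would render in the site's origin.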
#!/usr/bin/env python
# Dump revlogs as raw data stream
# $ find .hg/store/ -name "*.i" | xargs dumprevlog > repo.dump

import sys
from mercurial import revlog, node, util

# Put the standard streams in binary mode so revision data is not altered
for fp in (sys.stdin, sys.stdout, sys.stderr):
    util.setbinary(fp)

# Each argument is the path of a revlog index (.i) file
for f in sys.argv[1:]:
    binopen = lambda fn: open(fn, 'rb')
    r = revlog.revlog(binopen, f)
    print "file:", f
    # Emit the metadata and full text of every revision in the revlog
    for i in r:
        n = r.node(i)
        p = r.parents(n)
        d = r.revision(n)
        print "node:", node.hex(n)
        print "linkrev:", r.linkrev(i)
        print "parents:", node.hex(p[0]), node.hex(p[1])
        print "length:", len(d)
        print "-start-"
        print d
        print "-end-"