annotate hgweb.cgi @ 30766:d7bf7d2bd5ab

hgweb: support Content Security Policy

Content-Security-Policy (CSP) is a web security feature that allows servers to declare what loaded content is allowed to do. For example, a policy can prevent loading of images, JavaScript, CSS, etc unless the source of that content is whitelisted (by hostname, URI scheme, hashes of content, etc). It's a nifty security feature that provides extra mitigation against some attacks, notably XSS.

Mitigation against these attacks is important for Mercurial because hgweb renders repository data, which is commonly untrusted. While we make attempts to escape things, etc, there's the possibility that malicious data could be injected into the site content. If this happens today, the full power of the web browser is available to that malicious content. A restrictive CSP policy (defined by the server operator and sent in an HTTP header which is outside the control of malicious content), could restrict browser capabilities and mitigate security problems posed by malicious data.

CSP works by emitting an HTTP header declaring the policy that browsers should apply. Ideally, this header would be emitted by a layer above Mercurial (likely the HTTP server doing the WSGI "proxying"). This works for some CSP policies, but not all. For example, policies to allow inline JavaScript may require setting a "nonce" attribute on <script>. This attribute value must be unique and non-guessable. And, the value must be present in the HTTP header and the HTML body. This means that coordinating the value between Mercurial and another HTTP server could be difficult: it is much easier to generate and emit the nonce in a central location.

This commit introduces support for emitting a Content-Security-Policy header from hgweb. A config option defines the header value. If present, the header is emitted. A special "%nonce%" syntax in the value triggers generation of a nonce and inclusion in <script> elements in templates.

The inclusion of a nonce does not occur unless "%nonce%" is present. This makes this commit completely backwards compatible and the feature opt-in. The nonce is a type 4 UUID, which is the flavor that is randomly generated. It has 122 random bits, which should be plenty to satisfy the guarantees of a nonce.
author Gregory Szorc <gregory.szorc@gmail.com>
date Tue, 10 Jan 2017 23:37:08 -0800
parents 4b0fc75f9403
children 47ef023d0165
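As an added illustration of the mechanism the commit message describes (this is example code, not Mercurial's own implementation): an operator-configured policy string, "%nonce%" replaced by a fresh type 4 UUID in the header, and the same value stamped onto the <script> tags of the body so header and HTML agree. The function names and the hex encoding of the nonce are assumptions.

```python
import re
import uuid

# Added example, not Mercurial's implementation: models the "%nonce%" handling
# the commit describes. Function names and the hex nonce encoding are assumed.
NONCE_PLACEHOLDER = "%nonce%"
_SCRIPT_TAG = re.compile(r"<script\b")


def build_csp(configured):
    """Turn the operator's configured policy into (header value, nonce).

    nonce is None when the policy does not use %nonce%, so existing
    deployments see no change (the feature is opt-in).
    """
    if not configured:
        return None, None
    if NONCE_PLACEHOLDER not in configured:
        return configured, None
    # Type 4 UUID: 122 random bits, generated fresh for every response.
    nonce = uuid.uuid4().hex
    return configured.replace(NONCE_PLACEHOLDER, nonce), nonce


def add_nonce_to_scripts(html, nonce):
    """Stamp nonce="..." on every <script> tag so the inline scripts the
    templates emit satisfy the policy's 'nonce-...' source expression."""
    if nonce is None:
        return html
    return _SCRIPT_TAG.sub('<script nonce="%s"' % nonce, html)


def render(configured_csp, body):
    """One simulated response: the header list and body a browser would see.

    The nonce must match in both places; injected markup cannot know the
    per-response value, so a script without it is blocked by the browser.
    """
    header_value, nonce = build_csp(configured_csp)
    headers = [("Content-Type", "text/html; charset=utf-8")]
    if header_value is not None:
        headers.append(("Content-Security-Policy", header_value))
    return headers, add_nonce_to_scripts(body, nonce)


if __name__ == "__main__":
    hdrs, out = render("script-src 'nonce-%nonce%'; default-src 'self'",
                       "<html><script>go()</script></html>")
    print(dict(hdrs)["Content-Security-Policy"])
    print(out)
```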
Source of hgweb.cgi at 30766:d7bf7d2bd5ab:

     1  #!/usr/bin/env python
     2  #
     3  # An example hgweb CGI script, edit as necessary
     4  # See also https://mercurial-scm.org/wiki/PublishingRepositories
     5
     6  # Path to repo or hgweb config to serve (see 'hg help hgweb')
     7  config = "/path/to/repo/or/config"
     8
     9  # Uncomment and adjust if Mercurial is not installed system-wide
    10  # (consult "installed modules" path from 'hg debuginstall'):
    11  #import sys; sys.path.insert(0, "/path/to/python/lib")
    12
    13  # Uncomment to send python tracebacks to the browser if an error occurs:
    14  #import cgitb; cgitb.enable()
    15
    16  from mercurial import demandimport; demandimport.enable()
    17  from mercurial.hgweb import hgweb, wsgicgi
    18  application = hgweb(config)
    19  wsgicgi.launch(application)

Annotation (revision that last changed each line):

line  rev    changeset     parents  author                                            description
   1  202    e875a0cf7f3a  159      mpm@selenic.com                                   Call python via env in hgweb.cgi
   2  159    f9d8620ef469           mpm@selenic.com                                   Add example CGI script
   3  11000  338167735124  6142     Matt Mackall <mpm@selenic.com>                    hgweb: simplify hgweb.cgi, add help pointer
   4  26421  4b0fc75f9403  15475    Matt Mackall <mpm@selenic.com>                    urls: bulk-change primary website URLs
   5  159    f9d8620ef469           mpm@selenic.com                                   Add example CGI script
   6  11000  338167735124  6142     Matt Mackall <mpm@selenic.com>                    hgweb: simplify hgweb.cgi, add help pointer
   7  11000  338167735124  6142     Matt Mackall <mpm@selenic.com>                    hgweb: simplify hgweb.cgi, add help pointer
   8  5244   79279b5583c6  5197     Benoit Boissinot <benoit.boissinot@ens-lyon.org>  cgi: sys.path.insert should be before importing mercurial
   9  15475  85cba926cb59  11503    Matt Mackall <mpm@selenic.com>                    hgweb: add hint about finding library path with debuginstall
  10  15475  85cba926cb59  11503    Matt Mackall <mpm@selenic.com>                    hgweb: add hint about finding library path with debuginstall
  11  11000  338167735124  6142     Matt Mackall <mpm@selenic.com>                    hgweb: simplify hgweb.cgi, add help pointer
  12  5197   55860a45bbf2  3868     Thomas Arendsen Hein <thomas@intevation.de>       Enable demandimport only in scripts, not in importable modules (issue605)
  13  6080   4baad19c4801  5995     Maxim Dounin <mdounin@mdounin.ru>                 hgweb: disable cgitb by default
  14  11000  338167735124  6142     Matt Mackall <mpm@selenic.com>                    hgweb: simplify hgweb.cgi, add help pointer
  15  391    5f65a108a559  202      mpm@selenic.com                                   hgweb: pull cgitb into CGI script example, where it can easily be disabled
  16  11000  338167735124  6142     Matt Mackall <mpm@selenic.com>                    hgweb: simplify hgweb.cgi, add help pointer
  17  11000  338167735124  6142     Matt Mackall <mpm@selenic.com>                    hgweb: simplify hgweb.cgi, add help pointer
  18  11000  338167735124  6142     Matt Mackall <mpm@selenic.com>                    hgweb: simplify hgweb.cgi, add help pointer
  19  6141   90e5c82a3859  5995     Thomas Arendsen Hein <thomas@intevation.de>       Backed out changeset b913d3aacddc (see issue971/msg5317)