Mercurial > hg
comparison mercurial/help/config.txt @ 15004:d06b9c55ddab stable
hgweb: raw file mimetype guessing configurable, off by default (BC) (issue2923)
Before: hgweb made it possible to download file content with a content type
detected from the file extension. It would serve .html files as text/html and
could thus cause XSS vulnerabilities if the web site had any kind of session
authorization and the repository content wasn't fully trusted.
Now: all files default to "application/binary", which all important
browsers will refuse to treat as text/html. See the table here:
https://code.google.com/p/browsersec/wiki/Part2#Survey_of_content_sniffing_behaviors
| author | Matt Mackall <mpm@selenic.com> |
|---|---|
| date | Sun, 31 Jul 2011 01:46:52 +0200 |
| parents | b1efd75cdafe |
| children | 4a43e23b8c55 |
comparison
equal
deleted
inserted
replaced
| 15001:dd74cd1e5d49 | 15004:d06b9c55ddab |
|---|---|
| 1152 push, including unauthenticated users. Otherwise, the remote user | 1152 push, including unauthenticated users. Otherwise, the remote user |
| 1153 must have been authenticated, and the authenticated user name must | 1153 must have been authenticated, and the authenticated user name must |
| 1154 be present in this list. The contents of the allow_push list are | 1154 be present in this list. The contents of the allow_push list are |
| 1155 examined after the deny_push list. | 1155 examined after the deny_push list. |
| 1156 | 1156 |
| 1157 ``guessmime`` | |
| 1158 Control MIME types for raw download of file content. | |
| 1159 Set to True to let hgweb guess the content type from the file | |
| 1160 extension. This will serve HTML files as ``text/html`` and might | |
| 1161 allow cross-site scripting attacks when serving untrusted | |
| 1162 repositories. Default is False. | |
| 1163 | |
| 1157 ``allow_read`` | 1164 ``allow_read`` |
| 1158 If the user has not already been denied repository access due to | 1165 If the user has not already been denied repository access due to |
| 1159 the contents of deny_read, this list determines whether to grant | 1166 the contents of deny_read, this list determines whether to grant |
| 1160 repository access to the user. If this list is not empty, and the | 1167 repository access to the user. If this list is not empty, and the |
| 1161 user is unauthenticated or not present in the list, then access is | 1168 user is unauthenticated or not present in the list, then access is |