Mercurial: mercurial/hgweb/webcommands.py comparison

comparison mercurial/hgweb/webcommands.py @ 15004:d06b9c55ddab stable

hgweb: raw file mimetype guessing configurable, off by default (BC) (issue2923) Before: hgweb made it possible to download file content with a content type detected from the file extension. It would serve .html files as text/html and could thus cause XSS vulnerabilities if the web site had any kind of session authorization and the repository content wasn't fully trusted. Now: all files default to "application/binary", which all important browsers will refuse to treat as text/html. See the table here: https://code.google.com/p/browsersec/wiki/Part2#Survey_of_content_sniffing_behaviors

author	Matt Mackall <mpm@selenic.com>
date	Sun, 31 Jul 2011 01:46:52 +0200
parents	0cc66f13bea0
children	a84698badf0b

comparison

equal deleted inserted replaced

-:dd74cd1e5d49
+:d06b9c55ddab
 return filelog(web, req, tmpl)
 else:
 return changelog(web, req, tmpl)
 def rawfile(web, req, tmpl):
+guessmime = web.configbool('web', 'guessmime', False)
 path = webutil.cleanpath(web.repo, req.form.get('file', [''])[0])
 if not path:
 content = manifest(web, req, tmpl)
 req.respond(HTTP_OK, web.ctype)
 return content
 except ErrorResponse:
 raise inst
 path = fctx.path()
 text = fctx.data()
-mt = mimetypes.guess_type(path)[0]
+mt = 'application/binary'
-if mt is None:
+if guessmime:
-mt = binary(text) and 'application/octet-stream' or 'text/plain'
+mt = mimetypes.guess_type(path)[0]
+if mt is None:
+mt = binary(text) and 'application/binary' or 'text/plain'
 if mt.startswith('text/'):
 mt += '; charset="%s"' % encoding.encoding
 req.respond(HTTP_OK, mt, path, len(text))
 return [text]

Mercurial > hg

comparison mercurial/hgweb/webcommands.py @ 15004:d06b9c55ddab stable