diff mercurial/help/config.txt @ 15004:d06b9c55ddab stable

hgweb: raw file mimetype guessing configurable, off by default (BC) (issue2923)

Before: hgweb made it possible to download file content with a content type detected from the file extension. It would serve .html files as text/html and could thus cause XSS vulnerabilities if the web site had any kind of session authorization and the repository content wasn't fully trusted.

Now: all files default to "application/binary", which all important browsers will refuse to treat as text/html. See the table here: https://code.google.com/p/browsersec/wiki/Part2#Survey_of_content_sniffing_behaviors
author Matt Mackall <mpm@selenic.com>
date Sun, 31 Jul 2011 01:46:52 +0200
parents b1efd75cdafe
children 4a43e23b8c55
--- a/mercurial/help/config.txt	Mon Aug 01 09:48:10 2011 +0200
+++ b/mercurial/help/config.txt	Sun Jul 31 01:46:52 2011 +0200
@@ -1154,6 +1154,13 @@
     be present in this list. The contents of the allow_push list are
     examined after the deny_push list.
 
+``guessmime``
+    Control MIME types for raw download of file content.
+    Set to True to let hgweb guess the content type from the file
+    extension. This will serve HTML files as ``text/html`` and might
+    allow cross-site scripting attacks when serving untrusted
+    repositories. Default is False.
+   
 ``allow_read``
     If the user has not already been denied repository access due to
     the contents of deny_read, this list determines whether to grant
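Review bot: the new ``guessmime`` entry tells administrators what happens when the option is True but not what clients receive when it is left at the default False; the commit message says every raw file is then served as "application/binary", and that fallback belongs in the help text so admins understand why browsers will download rather than render files (e.g. "Default is False, in which case all files are served as ``application/binary``."). Two smaller points in the same hunk: the separator line added after "Default is False." carries trailing whitespace (`+   `) and should be an empty line like the one before ``allow_read``; and the entry is inserted between ``allow_push`` and ``allow_read``, which breaks the alphabetical order the surrounding entries follow, so it should move down to sit among the g-entries of the section.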