paper: don't register click handlers with inline javascript (
issue5812)
The use of inline href="javascript:" undermines CSP policies that
don't allow inline javascript.
This commit changes the registering of the diffstat and line wrapping
toggle handlers to the the global DOMContentLoaded handler, thus
eliminating all inline javascript from the paper template.
Differential Revision: https://phab.mercurial-scm.org/D3437
$ hg init empty-repo
$ cd empty-repo
Flags on revlog version 0 are rejected
>>> with open('.hg/store/00changelog.i', 'wb') as fh:
... fh.write(b'\x00\x01\x00\x00')
$ hg log
abort: unknown flags (0x01) in version 0 revlog 00changelog.i!
[255]
Unknown flags on revlog version 1 are rejected
>>> with open('.hg/store/00changelog.i', 'wb') as fh:
... fh.write(b'\x00\x04\x00\x01')
$ hg log
abort: unknown flags (0x04) in version 1 revlog 00changelog.i!
[255]
Unknown version is rejected
>>> with open('.hg/store/00changelog.i', 'wb') as fh:
... fh.write(b'\x00\x00\x00\x02')
$ hg log
abort: unknown version (2) in revlog 00changelog.i!
[255]
$ cd ..
Test for CVE-2016-3630
$ hg init
>>> open("a.i", "wb").write(
... b"""eJxjYGZgZIAAYQYGxhgom+k/FMx8YKx9ZUaKSOyqo4cnuKb8mbqHV5cBCVTMWb1Cwqkhe4Gsg9AD
... Joa3dYtcYYYBAQ8Qr4OqZAYRICPTSr5WKd/42rV36d+8/VmrNpv7NP1jQAXrQE4BqQUARngwVA=="""
... .decode("base64").decode("zlib"))
$ hg debugindex a.i
rev linkrev nodeid p1 p2
0 2 99e0332bd498 000000000000 000000000000
1 3 6674f57a23d8 99e0332bd498 000000000000
$ hg debugdata a.i 1 2>&1 | egrep 'Error:.*decoded'
(mercurial\.\w+\.mpatch\.)?mpatchError: patch cannot be decoded (re)