Mercurial > hg
view mercurial/repo.py @ 15004:d06b9c55ddab stable
hgweb: raw file mimetype guessing configurable, off by default (BC) (issue2923)
Before: hgweb made it possible to download file content with a content type
detected from the file extension. It would serve .html files as text/html and
could thus cause XSS vulnerabilities if the web site had any kind of session
authorization and the repository content wasn't fully trusted.
Now: all files default to "application/binary", which all important
browsers will refuse to treat as text/html. See the table here:
https://code.google.com/p/browsersec/wiki/Part2#Survey_of_content_sniffing_behaviors
| author | Matt Mackall <mpm@selenic.com> |
|---|---|
| date | Sun, 31 Jul 2011 01:46:52 +0200 |
| parents | d747774ca9da |
| children | 5884812686f7 |
line wrap: on
line source
# repo.py - repository base classes for mercurial # # Copyright 2005, 2006 Matt Mackall <mpm@selenic.com> # Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com> # # This software may be used and distributed according to the terms of the # GNU General Public License version 2 or any later version. from i18n import _ import error class repository(object): def capable(self, name): '''tell whether repo supports named capability. return False if not supported. if boolean capability, return True. if string capability, return string.''' if name in self.capabilities: return True name_eq = name + '=' for cap in self.capabilities: if cap.startswith(name_eq): return cap[len(name_eq):] return False def requirecap(self, name, purpose): '''raise an exception if the given capability is not present''' if not self.capable(name): raise error.CapabilityError( _('cannot %s; remote repository does not ' 'support the %r capability') % (purpose, name)) def local(self): return False def cancopy(self): return self.local() def close(self): pass