diff mercurial/hgweb/webcommands.py @ 15004:d06b9c55ddab stable
hgweb: raw file mimetype guessing configurable, off by default (BC) (issue2923)
Before: hgweb made it possible to download file content with a content type
detected from the file extension. It would serve .html files as text/html and
could thus cause XSS vulnerabilities if the web site had any kind of session
authorization and the repository content wasn't fully trusted.
Now: all files default to "application/binary", which all important
browsers will refuse to treat as text/html. See the table here:
https://code.google.com/p/browsersec/wiki/Part2#Survey_of_content_sniffing_behaviors
| author | Matt Mackall <mpm@selenic.com> |
|---|---|
| date | Sun, 31 Jul 2011 01:46:52 +0200 |
| parents | 0cc66f13bea0 |
| children | a84698badf0b |
--- a/mercurial/hgweb/webcommands.py Mon Aug 01 09:48:10 2011 +0200 +++ b/mercurial/hgweb/webcommands.py Sun Jul 31 01:46:52 2011 +0200 @@ -32,6 +32,8 @@ return changelog(web, req, tmpl) def rawfile(web, req, tmpl): + guessmime = web.configbool('web', 'guessmime', False) + path = webutil.cleanpath(web.repo, req.form.get('file', [''])[0]) if not path: content = manifest(web, req, tmpl) @@ -50,9 +52,11 @@ path = fctx.path() text = fctx.data() - mt = mimetypes.guess_type(path)[0] - if mt is None: - mt = binary(text) and 'application/octet-stream' or 'text/plain' + mt = 'application/binary' + if guessmime: + mt = mimetypes.guess_type(path)[0] + if mt is None: + mt = binary(text) and 'application/binary' or 'text/plain' if mt.startswith('text/'): mt += '; charset="%s"' % encoding.encoding
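Review bot: the new `web.guessmime` option read by `guessmime = web.configbool('web', 'guessmime', False)` in the first hunk is not documented anywhere in this change, although the commit is flagged (BC) and changes what every existing hgweb deployment serves. The hgrc help for the `[web]` section should gain an entry that states the default is off and that enabling it restores extension-based content types, including serving `.html` content as `text/html`, so that administrators only turn it on for repositories whose content is fully trusted.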
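Review bot: the second hunk replaces the earlier `application/octet-stream` fallback with `application/binary` in both places (`mt = 'application/binary'` and the `binary(text) and 'application/binary'` branch), but `application/binary` is not an IANA-registered media type while `application/octet-stream` is the standard type for arbitrary bytes. If the unregistered type was chosen deliberately because of how the surveyed browsers handle each one, a one-line comment above `mt = 'application/binary'` citing that reasoning would stop a later reader from "correcting" it back. Also worth stating in the option's documentation: when `guessmime` is on, `mimetypes.guess_type(path)[0]` can still return `text/html`, so the option re-opens exactly the behaviour the commit message describes.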