[PATCH] hgweb: make raw file download configurable and disabled (BC) (issue2923)

Augie Fackler lists at durin42.com
Mon Aug 1 15:43:23 CDT 2011 

On Mon, Aug 1, 2011 at 3:39 PM, Matt Mackall <mpm at selenic.com> wrote:
> On Sun, 2011-07-31 at 02:02 +0200, Mads Kiilerich wrote:
>> # HG changeset patch
>> # User Mads Kiilerich <mads at kiilerich.com>
>> # Date 1312069612 -7200
>> # Branch stable
>> # Node ID cfa2db1db62e2602c97dff06829000dab1a0d8d8
>> # Parent  192e02680d094dc22cf856e70f07348bd6de18d1
>> hgweb: make raw file download configurable and disabled (BC) (issue2923)
>>
>
> Here's my rewrite of this based on my earlier comments:
>
> # HG changeset patch
> # User Matt Mackall <mpm at selenic.com>
> # Date 1312069612 -7200
> # Branch stable
> # Node ID d06b9c55ddabed66f7e1b5f4193534957232de95
> # Parent  dd74cd1e5d49cdedfd2a0cf142a9ce1178e4b748
> hgweb: raw file mimetype guessing configurable, off by default (BC) (issue2923)
>
> Before: hgweb made it possible to download file content with a content type
> detected from the file extension. It would serve .html files as text/html and
> could thus cause XSS vulnerabilities if the web site had any kind of session
> authorization and the repository content wasn't fully trusted.
>
> Now: all files default to "application/binary", which all important
> browsers will refuse to treat as text/html. See the table here:
>
> https://code.google.com/p/browsersec/wiki/Part2#Survey_of_content_sniffing_behaviors

LGTM, seems like it should be plenty safe based on the table in the link.

>
> diff -r dd74cd1e5d49 -r d06b9c55ddab mercurial/help/config.txt
> --- a/mercurial/help/config.txt Mon Aug 01 09:48:10 2011 +0200
> +++ b/mercurial/help/config.txt Sun Jul 31 01:46:52 2011 +0200
> @@ -1154,6 +1154,13 @@
>     be present in this list. The contents of the allow_push list are
>     examined after the deny_push list.
>
> +``guessmime``
> +    Control MIME types for raw download of file content.
> +    Set to True to let hgweb guess the content type from the file
> +    extension. This will serve HTML files as ``text/html`` and might
> +    allow cross-site scripting attacks when serving untrusted
> +    repositories. Default is False.
> +
>  ``allow_read``
>     If the user has not already been denied repository access due to
>     the contents of deny_read, this list determines whether to grant
> diff -r dd74cd1e5d49 -r d06b9c55ddab mercurial/hgweb/webcommands.py
> --- a/mercurial/hgweb/webcommands.py    Mon Aug 01 09:48:10 2011 +0200
> +++ b/mercurial/hgweb/webcommands.py    Sun Jul 31 01:46:52 2011 +0200
> @@ -32,6 +32,8 @@
>         return changelog(web, req, tmpl)
>
>  def rawfile(web, req, tmpl):
> +    guessmime = web.configbool('web', 'guessmime', False)
> +
>     path = webutil.cleanpath(web.repo, req.form.get('file', [''])[0])
>     if not path:
>         content = manifest(web, req, tmpl)
> @@ -50,9 +52,11 @@
>
>     path = fctx.path()
>     text = fctx.data()
> -    mt = mimetypes.guess_type(path)[0]
> -    if mt is None:
> -        mt = binary(text) and 'application/octet-stream' or 'text/plain'
> +    mt = 'application/binary'
> +    if guessmime:
> +        mt = mimetypes.guess_type(path)[0]
> +        if mt is None:
> +            mt = binary(text) and 'application/binary' or 'text/plain'
>     if mt.startswith('text/'):
>         mt += '; charset="%s"' % encoding.encoding
>
> diff -r dd74cd1e5d49 -r d06b9c55ddab tests/test-hgweb-raw.t
> --- a/tests/test-hgweb-raw.t    Mon Aug 01 09:48:10 2011 +0200
> +++ b/tests/test-hgweb-raw.t    Sun Jul 31 01:46:52 2011 +0200
> @@ -22,6 +22,28 @@
>   $ sleep 1 # wait for server to scream and die
>   $ cat getoutput.txt
>   200 Script output follows
> +  content-type: application/binary
> +  content-length: 157
> +  content-disposition: inline; filename="some \"text\".txt"
> +
> +  This is just some random text
> +  that will go inside the file and take a few lines.
> +  It is very boring to read, but computers don't
> +  care about things like that.
> +  $ cat access.log error.log
> +  127.0.0.1 - - [*] "GET /?f=a23bf1310f6e;file=sub/some%20%22text%22.txt;style=raw HTTP/1.1" 200 - (glob)
> +
> +  $ rm access.log error.log
> +  $ hg serve -p $HGPORT -A access.log -E error.log -d --pid-file=hg.pid \
> +  > --config web.guessmime=True
> +
> +  $ cat hg.pid >> $DAEMON_PIDS
> +  $ ("$TESTDIR/get-with-headers.py" localhost:$HGPORT '/?f=a23bf1310f6e;file=sub/some%20%22text%22.txt;style=raw' content-type content-length content-disposition) >getoutput.txt &
> +  $ sleep 5
> +  $ kill `cat hg.pid`
> +  $ sleep 1 # wait for server to scream and die
> +  $ cat getoutput.txt
> +  200 Script output follows
>   content-type: text/plain; charset="ascii"
>   content-length: 157
>   content-disposition: inline; filename="some \"text\".txt"
>
>
>
> --
> Mathematics is the supreme nostalgia of our time.
>
>
> _______________________________________________
> Mercurial-devel mailing list
> Mercurial-devel at selenic.com
> http://selenic.com/mailman/listinfo/mercurial-devel
>

More information about the Mercurial-devel mailing list