[PATCH] hgweb: make raw file download configurable and disabled (BC) (issue2923)

Augie Fackler durin42 at gmail.com
Sat Jul 30 23:51:09 CDT 2011


On Jul 30, 2011, at 7:02 PM, Mads Kiilerich wrote:
> 
> # HG changeset patch
> # User Mads Kiilerich <mads at kiilerich.com>
> # Date 1312069612 -7200
> # Branch stable
> # Node ID cfa2db1db62e2602c97dff06829000dab1a0d8d8
> # Parent  192e02680d094dc22cf856e70f07348bd6de18d1
> hgweb: make raw file download configurable and disabled (BC) (issue2923)
> 
> Before: hgweb made it possible to download file content with a content type
> detected from the file extension. It would serve .html files as text/html and
> could thus cause XSS vulnerabilities if the web site had any kind of session
> authorization and the repository content wasn't fully trusted.
> 
> Now: Serving of raw file content is now made configurable with the web.allowraw
> config setting.
> 
> Note: Raw file download is now disabled by default. Sites that need this
> feature and know what they are doing must enable it in the site configuration.
> 
> The hgweb menu entries for raw are not removed.

LGTM
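The quoted commit message describes the hole (raw content served with a content type guessed from the file extension, so a committed `.html` file renders in the hgweb site's origin) and the fix (a `web.allowraw` switch, off by default). The following is an added, hypothetical Python 3 model of that before/after behaviour; it is not hgweb's own code and is not part of this thread. It assumes the handler receives a repository-relative path and the file bytes, and models the config setting as a plain boolean.

```python
"""Added illustration of the behaviour described in the quoted commit message.
NOT hgweb code: a self-contained model of why serving raw repository files with
an extension-derived content type is a stored-XSS risk on a site that has any
session authorization, and how an allowraw-style switch closes it.
Assumptions: handler gets (repo-relative path, file bytes); web.allowraw is
modelled as the boolean `allowraw`."""

import mimetypes

# Content types a browser will render or execute in the serving site's origin.
# Anything in this set, when served from the hgweb origin, can run script
# with the viewer's session.  (Constructed list for the example.)
ACTIVE_TYPES = {
    "text/html",
    "application/xhtml+xml",
    "image/svg+xml",
}


def guess_content_type(path):
    """'Before' behaviour: content type taken from the file extension only.

    A repository file named evil.html therefore goes out as text/html, and the
    untrusted repository content renders as part of the hgweb site itself.
    """
    ctype, _encoding = mimetypes.guess_type(path)
    return ctype or "application/octet-stream"


def is_active_content(ctype):
    """True when a content type would be rendered/executed by a browser."""
    return ctype.split(";")[0].strip().lower() in ACTIVE_TYPES


def serve_raw(path, data, allowraw=False):
    """'After' behaviour: raw download is gated on the allowraw switch.

    Returns (status, headers, body).  With the default allowraw=False the
    endpoint refuses, so untrusted repository content can never be served as
    active content from this origin.  A site that enables it accepts that
    every committer can publish active content under the site's origin.
    """
    if not allowraw:
        return (
            403,
            {"Content-Type": "text/plain; charset=utf-8"},
            b"raw file download is disabled on this site",
        )
    return (200, {"Content-Type": guess_content_type(path)}, data)


def audit_repository(paths, allowraw):
    """Defender's check: list the files that would reach a viewer as active
    content under the current configuration.  Empty when raw is disabled."""
    if not allowraw:
        return []
    return [p for p in paths if is_active_content(guess_content_type(p))]


if __name__ == "__main__":
    # Constructed sample of repository paths, not real repository content.
    sample = ["README.txt", "docs/evil.html", "logo.svg", "setup.py"]
    print("exposed with allowraw=False:", audit_repository(sample, False))
    print("exposed with allowraw=True: ", audit_repository(sample, True))
```

`audit_repository` is the part worth keeping around: before turning `web.allowraw` on for a site that has logged-in users, it shows which committed files would be rendered in the site's origin rather than downloaded.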

