server: ensure the incoming request falls under the prefix value
Prior to this, the first test asserted in wsgiref.validate.check_environ()
saying PATH didn't start with '/', but the second test served up the repo. The
assertion was just added in this cycle (though the value of PATH is still wrong
without the assertion). Allowing access to the repo at any URL outside of the
prefix is a long standing bug. This also affected hgwebdir, at least when used
via --subrepo.
Paths are not being canonicalized, so accesses to things like 'foo/../bar' will
get tossed out here, unless the prefix also matches.
{
// Enforcing
"eqeqeq" : true, // true: Require triple equals (===) for comparison
"forin" : true, // true: Require filtering for..in loops with obj.hasOwnProperty()
"freeze" : true, // true: prohibits overwriting prototypes of native objects such as Array, Date etc.
"nonbsp" : true, // true: Prohibit "non-breaking whitespace" characters.
"undef" : true, // true: Require all non-global variables to be declared (prevents global leaks)
// Environments
"browser" : true // Web Browser (window, document, etc)
}