tests/test-hgweb-raw.t
author Matt Mackall <mpm@selenic.com>
Sun, 31 Jul 2011 01:46:52 +0200
branch stable
changeset 15004 d06b9c55ddab
parent 13962 8b252e826c68
child 15446 c5c9ca3719f9
permissions -rw-r--r--
hgweb: raw file mimetype guessing configurable, off by default (BC) (issue2923)

Before: hgweb made it possible to download file content with a content type detected from the file extension. It would serve .html files as text/html and could thus cause XSS vulnerabilities if the web site had any kind of session authorization and the repository content wasn't fully trusted.

Now: all files default to "application/binary", which all important browsers will refuse to treat as text/html. See the table here: https://code.google.com/p/browsersec/wiki/Part2#Survey_of_content_sniffing_behaviors

Test raw style of hgweb

  $ hg init test
  $ cd test
  $ mkdir sub
  $ cat >'sub/some "text".txt' <<ENDSOME
  > This is just some random text
  > that will go inside the file and take a few lines.
  > It is very boring to read, but computers don't
  > care about things like that.
  > ENDSOME
  $ hg add 'sub/some "text".txt'
  warning: filename contains '"', which is reserved on Windows: 'sub/some "text".txt'
  $ hg commit -d "1 0" -m "Just some text"

  $ hg serve -p $HGPORT -A access.log -E error.log -d --pid-file=hg.pid

  $ cat hg.pid >> $DAEMON_PIDS
  $ ("$TESTDIR/get-with-headers.py" localhost:$HGPORT '/?f=a23bf1310f6e;file=sub/some%20%22text%22.txt;style=raw' content-type content-length content-disposition) >getoutput.txt &
  $ sleep 5
  $ kill `cat hg.pid`
  $ sleep 1 # wait for server to scream and die
  $ cat getoutput.txt
  200 Script output follows
  content-type: application/binary
  content-length: 157
  content-disposition: inline; filename="some \"text\".txt"
  
  This is just some random text
  that will go inside the file and take a few lines.
  It is very boring to read, but computers don't
  care about things like that.
  $ cat access.log error.log
  127.0.0.1 - - [*] "GET /?f=a23bf1310f6e;file=sub/some%20%22text%22.txt;style=raw HTTP/1.1" 200 - (glob)

  $ rm access.log error.log
  $ hg serve -p $HGPORT -A access.log -E error.log -d --pid-file=hg.pid \
  > --config web.guessmime=True

  $ cat hg.pid >> $DAEMON_PIDS
  $ ("$TESTDIR/get-with-headers.py" localhost:$HGPORT '/?f=a23bf1310f6e;file=sub/some%20%22text%22.txt;style=raw' content-type content-length content-disposition) >getoutput.txt &
  $ sleep 5
  $ kill `cat hg.pid`
  $ sleep 1 # wait for server to scream and die
  $ cat getoutput.txt
  200 Script output follows
  content-type: text/plain; charset="ascii"
  content-length: 157
  content-disposition: inline; filename="some \"text\".txt"
  
  This is just some random text
  that will go inside the file and take a few lines.
  It is very boring to read, but computers don't
  care about things like that.
  $ cat access.log error.log
  127.0.0.1 - - [*] "GET /?f=a23bf1310f6e;file=sub/some%20%22text%22.txt;style=raw HTTP/1.1" 200 - (glob)
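The two header sets the test above captures (guessing off, then `web.guessmime=True`) come from one decision: trust the file extension or not. The following is an added, self-contained Python illustration of that decision, not Mercurial's own code; the function names, the NUL-byte binary heuristic and the `ascii` charset are assumptions chosen to reproduce the headers shown in the test.

```python
import mimetypes

# Opaque default: browsers will not sniff this as HTML, so repository
# content cannot be rendered (and scripted) in the hgweb origin.
SAFE_DEFAULT = "application/binary"


def is_binary(data: bytes) -> bool:
    """Assumed heuristic: a NUL byte means the file is binary."""
    return b"\0" in data


def raw_content_type(path: str, data: bytes, guessmime: bool = False,
                     charset: str = "ascii") -> str:
    """Pick the Content-Type for a raw file download.

    guessmime=False (the new default): always the opaque default type.
    guessmime=True (the old behaviour): trust the file extension, so an
    .html file comes back as text/html and a browser will render it.
    """
    if not guessmime:
        return SAFE_DEFAULT
    mt = mimetypes.guess_type(path)[0]
    if mt is None:
        # Unknown extension: fall back on content, as the old code did.
        mt = SAFE_DEFAULT if is_binary(data) else "text/plain"
    if mt.startswith("text/"):
        mt += '; charset="%s"' % charset
    return mt


def content_disposition(path: str) -> str:
    """inline; filename="..." with backslash and double quote escaped,
    so a name like 'some "text".txt' cannot break out of the header."""
    name = path.rsplit("/", 1)[-1]
    name = name.replace("\\", "\\\\").replace('"', '\\"')
    return 'inline; filename="%s"' % name


def raw_headers(path: str, data: bytes, guessmime: bool = False) -> dict:
    """Headers for one raw-file response, as the test inspects them."""
    return {
        "content-type": raw_content_type(path, data, guessmime),
        "content-length": str(len(data)),
        "content-disposition": content_disposition(path),
    }


if __name__ == "__main__":
    # Constructed sample: the file from the test, plus an untrusted .html file.
    for p in ('sub/some "text".txt', "index.html"):
        for guess in (False, True):
            print(guess, raw_headers(p, b"<script>alert(1)</script>", guess))
```

With guessing off, `index.html` gets the same `application/binary` as every other path, which is the whole point of the change.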