Patrick Mezard <pmezard@gmail.com> [Mon, 01 Aug 2011 23:58:50 +0200] rev 15005
hgweb: do not ignore [auth] if url has a username (issue2822)
The [auth] section was ignored when handling URLs like:
http://user@example.com/foo
Instead, we look in [auth] for an entry matching the URL and supplied user
name. Entries without username can match URL with a username. Prefix length
ties are resolved in favor of entries matching the username. With:
foo.prefix = http://example.org
foo.username = user
foo.password = password
bar.prefix = http://example.org/bar
and the input URL:
http://user@example.org/bar
the 'bar' entry will be selected because of prefix length, therefore prompting
for a password. This behaviour ensure that entries selection is consistent when
looking for credentials or for certificates, and that certificates can be
picked even if their entries do no define usernames while the URL does.
Additionally, entries without a username matched against a username are
returned as if they did have requested username set to avoid prompting again
for a username if the password is not set.
v2: reparse the URL in readauthforuri() to handle HTTP and HTTPS similarly.
v3: allow unset usernames to match URL usernames to pick certificates. Resolve
prefix length ties in favor of entries with usernames.
Matt Mackall <mpm@selenic.com> [Sun, 31 Jul 2011 01:46:52 +0200] rev 15004
hgweb: raw file mimetype guessing configurable, off by default (BC) (issue2923)
Before: hgweb made it possible to download file content with a content type
detected from the file extension. It would serve .html files as text/html and
could thus cause XSS vulnerabilities if the web site had any kind of session
authorization and the repository content wasn't fully trusted.
Now: all files default to "application/binary", which all important
browsers will refuse to treat as text/html. See the table here:
https://code.google.com/p/browsersec/wiki/Part2#Survey_of_content_sniffing_behaviors
Matt Mackall <mpm@selenic.com> [Mon, 01 Aug 2011 14:53:10 -0500] rev 15003
hgweb: extract the path logic from updatereqenv and add doctests
Matt Mackall <mpm@selenic.com> [Mon, 01 Aug 2011 14:52:11 -0500] rev 15002
merge with stable
wujek [Mon, 01 Aug 2011 09:48:10 +0200] rev 15001
hgweb: handle 'baseurl' configurations with leading slash (issue2934)
Idan Kamara <idankk86@gmail.com> [Mon, 01 Aug 2011 19:53:00 +0300] rev 15000
ui: call write() so the prompt string goes through subclassed implementation
Matt Mackall <mpm@selenic.com> [Mon, 01 Aug 2011 10:54:34 -0500] rev 14999
merge with stable
Matt Mackall <mpm@selenic.com> [Mon, 01 Aug 2011 10:54:10 -0500] rev 14998
merge with i18n
FUJIWARA Katsunori <foozy@lares.dti.ne.jp> [Sun, 31 Jul 2011 23:42:40 +0900] rev 14997
i18n-ja: synchronized with 4fdab926e111
Jens Bäckman <jens.backman@gmail.com> [Sat, 30 Jul 2011 09:42:07 +0200] rev 14996
i18n-sv: synchronized with 192e02680d09