diff options
author | David Karlsson <[email protected]> | 2023-07-07 13:54:06 +0200 |
---|---|---|
committer | GitHub <[email protected]> | 2023-07-07 13:54:06 +0200 |
commit | 6c9ea022a9022a281031eed75ceb00c4c03f2b5a (patch) | |
tree | 468c2912fc643681706f607e11bb16bb89f5f99b | |
parent | 12d3469dd1f5b5a2a459ccc33df6eb1b8eab6765 (diff) | |
download | hugo-6c9ea022a9022a281031eed75ceb00c4c03f2b5a.tar.gz hugo-6c9ea022a9022a281031eed75ceb00c4c03f2b5a.zip |
config: Expand default security.exec.osEnv policy
To better support private Hugo modules and automatically
launching a text editor on content creation, this change
adds the following environment variables to the default
security policy:
- HOME
- XDG_CONFIG_HOME
- USERPROFILE
- SSH_AUTH_SOCK
- DISPLAY
- LANG
Fixes #9333
-rw-r--r-- | config/security/securityConfig.go | 2 | ||||
-rw-r--r-- | config/security/securityConfig_test.go | 9 |
2 files changed, 6 insertions, 5 deletions
diff --git a/config/security/securityConfig.go b/config/security/securityConfig.go index 3d17b7a48..16f8c23d8 100644 --- a/config/security/securityConfig.go +++ b/config/security/securityConfig.go @@ -42,7 +42,7 @@ var DefaultConfig = Config{ ), // These have been tested to work with Hugo's external programs // on Windows, Linux and MacOS. - OsEnv: MustNewWhitelist(`(?i)^((HTTPS?|NO)_PROXY|PATH(EXT)?|APPDATA|TE?MP|TERM|GO\w+)$`), + OsEnv: MustNewWhitelist(`(?i)^((HTTPS?|NO)_PROXY|PATH(EXT)?|APPDATA|TE?MP|TERM|GO\w+|(XDG_CONFIG_)?HOME|USERPROFILE|SSH_AUTH_SOCK|DISPLAY|LANG)$`), }, Funcs: Funcs{ Getenv: MustNewWhitelist("^HUGO_", "^CI$"), diff --git a/config/security/securityConfig_test.go b/config/security/securityConfig_test.go index 12ce3aae4..cdfbe6341 100644 --- a/config/security/securityConfig_test.go +++ b/config/security/securityConfig_test.go @@ -140,7 +140,7 @@ func TestToTOML(t *testing.T) { got := DefaultConfig.ToTOML() c.Assert(got, qt.Equals, - "[security]\n enableInlineShortcodes = false\n\n [security.exec]\n allow = ['^(dart-)?sass(-embedded)?$', '^go$', '^npx$', '^postcss$']\n osEnv = ['(?i)^((HTTPS?|NO)_PROXY|PATH(EXT)?|APPDATA|TE?MP|TERM|GO\\w+)$']\n\n [security.funcs]\n getenv = ['^HUGO_', '^CI$']\n\n [security.goTemplates]\n AllowActionJSTmpl = false\n\n [security.http]\n methods = ['(?i)GET|POST']\n urls = ['.*']", + "[security]\n enableInlineShortcodes = false\n\n [security.exec]\n allow = ['^(dart-)?sass(-embedded)?$', '^go$', '^npx$', '^postcss$']\n osEnv = ['(?i)^((HTTPS?|NO)_PROXY|PATH(EXT)?|APPDATA|TE?MP|TERM|GO\\w+|(XDG_CONFIG_)?HOME|USERPROFILE|SSH_AUTH_SOCK|DISPLAY|LANG)$']\n\n [security.funcs]\n getenv = ['^HUGO_', '^CI$']\n\n [security.goTemplates]\n AllowActionJSTmpl = false\n\n [security.http]\n methods = ['(?i)GET|POST']\n urls = ['.*']", ) } @@ -154,9 +154,6 @@ func TestDecodeConfigDefault(t *testing.T) { c.Assert(pc.Exec.Allow.Accept("a"), qt.IsFalse) c.Assert(pc.Exec.Allow.Accept("npx"), qt.IsTrue) c.Assert(pc.Exec.Allow.Accept("Npx"), qt.IsFalse) - c.Assert(pc.Exec.OsEnv.Accept("a"), qt.IsFalse) - c.Assert(pc.Exec.OsEnv.Accept("PATH"), qt.IsTrue) - c.Assert(pc.Exec.OsEnv.Accept("e"), qt.IsFalse) c.Assert(pc.HTTP.URLs.Accept("https://example.org"), qt.IsTrue) c.Assert(pc.HTTP.Methods.Accept("POST"), qt.IsTrue) @@ -167,6 +164,10 @@ func TestDecodeConfigDefault(t *testing.T) { c.Assert(pc.Exec.OsEnv.Accept("PATH"), qt.IsTrue) c.Assert(pc.Exec.OsEnv.Accept("GOROOT"), qt.IsTrue) + c.Assert(pc.Exec.OsEnv.Accept("HOME"), qt.IsTrue) + c.Assert(pc.Exec.OsEnv.Accept("SSH_AUTH_SOCK"), qt.IsTrue) + c.Assert(pc.Exec.OsEnv.Accept("a"), qt.IsFalse) + c.Assert(pc.Exec.OsEnv.Accept("e"), qt.IsFalse) c.Assert(pc.Exec.OsEnv.Accept("MYSECRET"), qt.IsFalse) } |